HIPAA Compliance News

HIPAA Continuity of Care

Under HIPAA, continuity of care is not always as straightforward as it could be due to seemingly contradictory guidance issued by HHS’ Office for Civil Rights. Whereas the Privacy Rule would appear to allow disclosures of PHI for continuity of care and care coordination, HHS’ guidance states disclosures of PHI between Covered Entities must be kept to the minimum necessary amount.

The term “continuity of care” has various definitions. Some definitions imply care is continuous within the same healthcare organization (or Organized Health Care Arrangement), while others extend the definition to multiple healthcare settings. An example of this is a patient’s journey from a physician’s office to a hospital, then to a care home, then to a home health service.

With regards to HIPAA and continuity of care in a single healthcare setting – or within an Organized Health Care Arrangement – the Privacy Rule allows disclosures of Protected Health Information (PHI) for healthcare operations without patient consent or authorization. One of the permissible disclosures of PHI in this category is for “case management and care coordination”.

However, when continuity of care involves multiple providers in a linear process, some transfers of information can be incomplete due to the complicated language of the Privacy Rule and seemingly conflicting guidance issued by HHS’ Office for Civil Rights in 2019 with regard to HIPAA care coordination and HIPAA continuity of care.

Continuation of Care, HIPAA, and What the Privacy Rule Says

In the context of continuation of care, HIPAA §164.506(c)(4) states a Covered Entity may disclose PHI to another Covered Entity for health care operations if either Covered Entity has or had a relationship with the individual who is the subject of the PHI being disclosed, if the PHI being disclosed pertains to such relationship, and if it is for a purpose allowed by the definition of health care operations.

The Privacy Rule (HIPAA §164.502(b)(2)) also states the minimum necessary standard does not apply to disclosures to or requests by a health care provider for treatment. Therefore, in the example given above of a patient’s journey from a physician’s office to a home health service, there should be no problem with the home health service obtaining PHI from the physician to provide treatment.

In guidance issued by HHS’ Office for Civil Rights, several examples are given in which it is permissible to transfer PHI between Covered Entities to support care coordination and continuity of care under HIPAA. However, the HHS guidance concludes with a reminder that “although such disclosures are permitted, they are subject to the minimum necessary standard”.

Office for Civil Rights Guidance for HIPAA Coordination of Care

The conclusion to the guidance can appear to contradict the Privacy Rule – particularly the clause stating the minimum necessary standard does not apply to disclosures for treatment. However, when the examples in the guidance are more closely examined, they relate to disclosures of PHI between health plans – rather than healthcare providers – which are not for treatment purposes.

Nonetheless, because the term Covered Entity is used in the guidance, some providers have applied the guidance to their healthcare operations and only provide the minimum necessary PHI to the next provider “up the continuity line”. Provider B then has an incomplete medical history to transfer to Provider C, who also limits disclosures to the minimum necessary when handing off to Provider D.

Provider D (in our example, the home health service) can acquire the PHI they need from Provider A (the physician) to ensure continuity of care under HIPAA; but, because Provider A believes they have to obtain an authorization from the patient before disclosing more than the minimum necessary PHI, there is an avoidable delay in Provider D receiving potentially vital healthcare data – which can impact patient care.

Proposed Changes to Clarify HIPAA Care Coordination Rules

To clarify the position between HIPAA and care coordination, several Rule changes have been proposed. The proposed changes – if finalized – will not only impact HIPAA compliance, but other federal Rules that govern uses and disclosures of PHI (i.e., 42 CFR Part 2). The key Notices of Proposed Rule Making (NPRMs) that will clarify the care coordination HIPAA rules are:

The Office for Civil Rights’ Proposed Modifications to the Privacy Rule

This NPRM, published in January 2021, proposes multiple HIPAA updates to “support, and remove barriers to, coordinated care and individual engagement”. Among the proposed changes to the Privacy Rule:

  • Disclosures of PHI will be permitted without the need to obtain consent or authorization to help individuals with a substance use disorder in emergency circumstances.
  • Disclosures of PHI for continuity of care and individual-level care coordination will be specifically permitted to avoid misunderstanding about when consent is required.
  • An exception to the Minimum Necessary Standard will be created for disclosures of PHI relating to individual-level HIPAA care coordination and case management.

Update to CMS Interoperability and Patient Access Final Rule

In 2020, the Centers for Medicare and Medicaid Services (CMS) published the Interoperability and Patient Access Final Rule. As the title suggests, the Rule has the primary objectives of improving interoperability between Medicare Covered Entities and enabling better patient access to PHI. Among other measures, a proposed update to the Rule published in December 2022 seeks stakeholder comments on how best to enable data exchanges via a Trusted Exchange Framework.

Closer Alignment of 42 CFR Part 2 and the HIPAA Privacy Rule

Also at the end of 2022, the Office for Civil Rights and the Substance Abuse and Mental Health Services Administration (SAMHSA) jointly published an NPRM that more closely aligns the Confidentiality of Substance Use Disorder Patient Records (42 CFR Part 2) with the uses and disclosures of PHI permitted by the HIPAA Privacy Rule. If finalized in its current format, the NPRM will better support compliance with HIPAA and care coordination for SUD and mental health patients.

The post HIPAA Continuity of Care appeared first on HIPAA Journal.

Pittsburgh Counselor Fined $15,000 for HIPAA Right of Access Violation

The HHS’ Office for Civil Rights has announced its 44th enforcement action under its HIPAA Right of Access initiative with a $15,000 financial penalty for David Mente, MA, LPC, a licensed counselor who provides psychotherapy services in Pittsburgh, PA.

The HIPAA Right of Access allows individuals to obtain a copy of their health information. Healthcare providers are required to respond to requests and provide the requested records within 30 days of the request being received, although a 30-day extension is possible in certain circumstances. This case stemmed from a complaint from a father of three children who requested a copy of his minor children’s medical records from Mente in December 2017. The complainant was the personal representative of his children and should have been provided with the records as requested.

After receiving the complaint, OCR contacted Mente, provided technical assistance on the HIPAA Right of Access, and closed the complaint. The father made a second request for a copy of the records in April 2018; however, Mente again failed to provide the requested records, despite having received technical assistance from OCR. That led to the father filing a second complaint with OCR.

OCR reopened the case and determined that the failure to provide the requested records was a potential violation of the HIPAA Right of Access. Mente chose not to contest the proposed penalty and settled the case with OCR. In addition to the financial penalty, Mente agreed to adopt a corrective action plan to address the noncompliance. The corrective action plan includes the requirement to review and revise policies and procedures for individual access to PHI, to provide privacy training to the workforce on individual access to individuals’ PHI, and to make a good faith effort to provide the complainant with the requested records or to deny access, in whole or in part, consistent with 45 C.F.R. 164.524(3).

This is the third financial penalty to be imposed by OCR in 2023 to resolve potential violations of the HIPAA Rules and follows on from a $1,250,000 settlement with Banner Health and a $16,500 settlement with Life Hope Labs LLC.

“Under HIPAA, parents, as the personal representatives of their minor children, generally have a right to access their children’s medical records,” said OCR Director Melanie Fontes Rainer. “It should not take an individual or their parent representative nearly six years and multiple complaints to gain access to patient records. HIPAA-regulated entities should be proactive and work to ensure patients and their representatives can access records.”


Organizations Face Increased Scrutiny of Health Data Breaches

Healthcare hacking incidents are increasing, there are new regulatory requirements and compliance initiatives due to Dobbs and Pixel use, and lawsuits against healthcare organizations over privacy violations are soaring. HIPAA-regulated entities and other organizations that operate in the healthcare space are now facing increased scrutiny of their data security practices and compliance programs, and the coming 12 months will likely see an increase in enforcement actions and lawsuits over privacy violations.

The recently published BakerHostetler Data Security Incident Response Report (DSIR) draws attention to these issues and provides insights into the threat landscape to help organizations determine how to prioritize their efforts and investments. The report, now in its 9th year, was based on 1,160 security incidents managed by BakerHostetler’s Digital Assets and Data Management Practice Group in 2022.

After a surge in ransomware attacks in 2021, 2022 saw a reduction in attacks; however, there was a surge in ransomware activity toward the end of the year and that surge has continued in 2023. That surge has coincided with increases in ransom demands, paid ransoms, and ransomware recovery times. In 2022, the average ransom demand and payment increased in 6 out of the 8 industries tracked. In healthcare, the average ransom demand was $3,257,688 (median: $1,475,000) in 2022, and the average payment increased by 78% to $1,562,141 (median: $500,000). Across all industry sectors, paid ransoms increased by 15% to $600,688.

Network intrusions also increased and were the most common type of security incident, accounting for almost half of all data incidents covered in the report. BakerHostetler notes that companies have been getting better at detecting and containing these incidents, with dwell time decreasing from an average of 66 days in 2021 to 39 days in 2022. The time taken for containment fell from 4 days to 3 days, and investigation time decreased from 41 days in 2021 to 36 days in 2022.

The increase in hacking and ransomware attacks has prompted companies to invest more heavily in cybersecurity, and while security defenses have been enhanced, cybercriminals have found new ways of circumventing those defenses and attacking systems. Techniques that have proven successful in 2022 include MFA bombing, social engineering, SEO poisoning, and EDR-evading malware.

The cost of cyberattacks increased significantly in 2022, with forensic investigation costs increasing by 20% from last year in addition to increases in the cost of business disruption, data reviews, notification, and indemnity claims. Legal costs from data breaches have also increased significantly as it is now common for multiple lawsuits to be filed in response to data breaches.

Data breaches of 10,001 to 500,000 records see an average of 12-13 lawsuits filed and lawsuits are even being filed for smaller data breaches, with breaches of less than 1,000 records typically seeing 4 lawsuits filed. According to BakerHostetler, lawsuits have doubled since last year and we are now at a stage where legal action is almost a certainty following a data breach. There have been increases in lawsuits for violations of state privacy laws, and with a further 4 states enacting new privacy legislation in 2022 and one more due to introduce a new privacy law in 2023, the compliance landscape is becoming more complicated.

In the summer of 2022, a report was published by the Markup/STAT detailing an analysis of the use of pixels (tracking technologies) on hospital websites. These code snippets are typically added to websites to track visitor activity to improve websites and services, but the code also transmits identifiable visitor information to third parties. The extent to which these tools were being used – without the knowledge of website visitors – attracted attention from the HHS’ Office for Civil Rights (OCR) and the Federal Trade Commission (FTC) with both issuing guidance on the use of these tools. OCR and the FTC have confirmed that Pixel-related violations of HIPAA and the FTC Act are now an enforcement priority, with the FTC having already taken action against entities over the use of these tracking tools. Law firms have been quick to sue healthcare organizations over these privacy breaches. More than 50 lawsuits have been filed against healthcare organizations in response to Pixel-related breaches since June 2022 when the report was published.

A further study of the use of Pixels by healthcare organizations suggests almost 99% of US non-federal acute care hospital websites had pixels on their websites that could transmit sensitive data, yet only a handful of healthcare organizations have disclosed Pixel-related data breaches to OCR so far. There could well be a surge in HIPAA enforcement actions by OCR and huge numbers of lawsuits filed in response to these breaches over the coming months.

There are also likely to be enforcement actions against HIPAA-regulated entities and non-HIPAA-regulated entities in the healthcare space for privacy violations involving reproductive health information, as both the FTC and OCR have stated that reproductive health information privacy will be an enforcement priority. OCR’s HIPAA Right of Access enforcement initiative is still ongoing, and compliance remains a priority for OCR.

BakerHostetler has also issued a warning about HIPAA compliance for non-healthcare entities, stressing that HIPAA applies to employer-sponsored health plans. There was an increase in data breaches at employer health plans in 2022 and these are likely to come under increased regulatory scrutiny, not just by OCR but also by the Department of Labor, which is increasingly conducting follow-on investigations focusing on the overall cybersecurity posture of these plans. State attorneys general have also started taking a much more active interest in the activities of healthcare entities, with investigations by state attorneys general into violations of HIPAA and state laws increasing in 2022.

BakerHostetler also identified a major increase in snooping incidents in 2022. These incidents include healthcare employees snooping on healthcare records and attempting to divert controlled substances. The increase confirms how important it is to create and monitor logs of system activity to detect malicious insider activity quickly. BakerHostetler notes that having systems in place that monitor for system activity anomalies is also key to rapidly detecting hacking and ransomware incidents.

“Securing an enterprise is a significant challenge — there are a lot of risks and just spending more money does not automatically equate to more effective security,” said Craig Hoffman, co-leader of BakerHostetler’s national Digital Risk Advisory and Cybersecurity team. “We see a lot of incidents, including what allowed them to occur and what was done to address the issue. Because enterprises do not have unlimited budgets and staff to implement and maintain new solutions, being able to share objective data about security incidents — from causes to fixes to consequences — helps clients decide where to prioritize their efforts.”


DoE Issues New Guidance on FERPA and Student Health Records

The U.S. Department of Education has issued new guidance for schools and postsecondary educational institutions reminding them of their obligations under the Family Educational Rights and Privacy Act (FERPA) to protect student privacy, emphasizing the importance of keeping student health records private. Guidance has also been issued for parents, legal guardians, and students over 18 years of age on their rights under FERPA (Know Your Rights) with respect to student health records.

FERPA was enacted to protect the privacy of student records and give parents rights over their children’s educational records. FERPA applies to educational agencies such as school districts, educational institutions (including public elementary and secondary schools), and postsecondary educational institutions (including colleges or universities) that receive funding under any program administered by the U.S. Department of Education.

The guidance for FERPA-covered educational institutions reminds them that parents and eligible students have the right to exercise some control over the disclosure of personally identifiable information in student educational records and confirms FERPA prohibits disclosures of educational records unless a parent or eligible student provides written consent or the disclosure is covered by an exception to FERPA’s general consent requirements.

The Department of Education has reminded FERPA-covered educational institutions that FERPA’s definition of educational records includes the health records of eligible students that are maintained by FERPA-covered educational institutions or their agents unless the health records qualify as treatment records. Health records qualify as treatment records if they relate to an eligible student (over 18 years of age at a postsecondary educational institution) and are “made or maintained by a physician, psychiatrist, psychologist, or other recognized professional or paraprofessional acting in his or her professional or paraprofessional capacity or assisting in that capacity; made, maintained, or used only in connection with providing treatment to the eligible student; and disclosed only to the persons providing such treatment, except that the eligible student may have those records reviewed by a physician or other appropriate professional of the student’s choice.”

If an eligible student’s treatment records are disclosed for any purposes other than those described above – providing the eligible student with treatment or for personal review by a physician or appropriate professional of the eligible student’s choice – the records are classed as educational records and are therefore covered by FERPA, and are not classed as protected health information subject to the HIPAA Rules.

The guidance stresses that eligible students’ health-related records that are created, maintained, or used for non-treatment purposes are classed as educational records, for example, when they are used for medical forms and questionnaires to screen for eligibility to participate in school-sponsored athletics. Treatment records are also classed as educational records – and are therefore subject to FERPA’s restrictions on disclosures – if they are used for the treatment of students under 18 years of age who are attending an elementary or secondary school.

The guidance confirms that disclosures of student educational records (including certain health records) are only permitted by FERPA with the prior written consent of an eligible student or the student’s parent/legal guardian (non-eligible student) or if one of the permissive exceptions to the general consent requirement applies. When an exception applies, FERPA permits – but does not require – the disclosure. If the decision is taken to disclose student information, the disclosure should be restricted to the minimum necessary amount of information to satisfy the intended purpose of the disclosure.

The guidance also clarifies when health records are covered by FERPA or HIPAA. FERPA applies to student health records that are maintained by campus health clinics and other health care facilities operated by such institutions, as they qualify as educational records or treatment records under FERPA, and as such are excluded from coverage under the HIPAA Privacy Rule. If an institution of postsecondary education is a HIPAA-covered entity that provides healthcare to nonstudents, the nonstudent data is protected health information subject to the HIPAA Privacy Rule and the student health records are educational or treatment records that are subject to FERPA.


Former Methodist Hospital Employees Plead Guilty to Criminal HIPAA Violations

Five former Methodist Hospital employees have pleaded guilty to criminal violations of HIPAA for accessing and disclosing the information of patients to a third party for financial gain. The former hospital workers were contacted by Roderick Harvey, 41, of Memphis, and were paid to provide him with the names and telephone numbers of patients who had been involved in motor vehicle accidents. The data collected by Harvey was then sold to personal injury attorneys and chiropractors.

The HIPAA Privacy Rule prohibits healthcare workers from accessing patient data unless there is a valid work reason for doing so, and disclosures of patient data to third parties are not permitted without the patient’s consent unless there is a valid reason for the disclosure (treatment, payment, business operations). Accessing and disclosing patient information for financial gain without the consent of the patients is a criminal offense.

Between November 2017 and December 2020, Kirby Dandridge, 38, Sylvia Taylor, 43, Kara Thompson, 31, Melanie Russell, 41, and Adrianna Taber, 26, violated HIPAA and provided Harvey with patient information. The former employees were terminated for the HIPAA violations, and along with Harvey, were indicted by a federal grand jury in November 2022. Harvey faced a conspiracy charge and seven counts of obtaining patient information with the intent to sell it for financial gain. The former Methodist Hospital employees were separately charged for violating HIPAA.

Harvey pled guilty to the conspiracy charge on April 21, 2023, and will be sentenced on August 1, 2023. Harvey faces up to five years in jail, a fine of up to $250,000, and three years of supervised release. Dandridge, Taylor, Thompson, Russell, and Taber each face a maximum of one year in jail, a $50,000 fine, and one year of supervised release, and will be sentenced on five separate dates between April 25, 2023, and June 21, 2023.


Noncompliant Use of Website Tracking Technologies is an Enforcement Priority for OCR

If you are a HIPAA-covered entity and use tracking technologies on your websites or apps, you must ensure that they are HIPAA-compliant. The Director of the HHS’ Office for Civil Rights has confirmed that this aspect of compliance with the HIPAA Rules is now an enforcement priority for OCR and the department is actively looking into noncompliance by HIPAA-covered entities.

OCR Director, Melanie Fontes Rainer, confirmed in an interview with Information Security Media Group that enforcement actions will be taken very soon against HIPAA-regulated entities that use tracking technologies that disclose protected health information to third parties without authorization or business associate agreements. OCR has recently undergone restructuring to improve efficiency which will allow it to undertake more enforcement actions against HIPAA-regulated entities for non-compliance with the HIPAA Rules.

Tracking technologies, often referred to as pixels, are snippets of code that are added to websites and apps that collect the data of website users and are typically used for website analytics to improve the quality of websites and services. While there is nothing wrong with improving services for website and app users, these tools often pass the data they collect to the third-party providers of the code. When an individual visits a healthcare website, the information collected may include data classed as protected health information, and disclosing that information to third parties not authorized to receive that data is a HIPAA violation.

The disclosure of PHI via tracking technologies is not permitted by the HIPAA Privacy Rule unless the third party to which the information is disclosed is a business associate under HIPAA, the disclosure is permitted by the HIPAA Privacy Rule, and a HIPAA-compliant business associate agreement is in place. Alternatively, authorization must be obtained from website visitors prior to the collection and transmission of PHI.

Over the past two years, analyses have been conducted on the use of these technologies by healthcare organizations such as hospitals, counseling providers, and telehealth companies which suggest they have been extensively used. One study indicates 99% of hospitals had added the tools to their websites.

Last year, OCR issued guidance to HIPAA-regulated entities on the use of these tools and confirmed how HIPAA applies to these tools. HIPAA-regulated entities have had several months to assess their websites and apps and either remove tracking code or ensure it is used in a manner compliant with the HIPAA Rules. The continued use of these tools and/or failure to send breach notifications when there have been confirmed disclosures of PHI to third parties will likely result in enforcement actions. The Federal Trade Commission is also cracking down on the use of these tools by non-HIPAA-regulated entities.

If you are a HIPAA-regulated entity, it is important to conduct an audit of your websites and apps to identify if any tracking code is in use and if there is the potential for PHI to be impermissibly disclosed to third parties. If such code is identified, it must be made HIPAA-compliant or be removed. If unauthorized disclosures of PHI have occurred, breach notifications must be issued to OCR and the affected individuals.
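As an added illustration of the audit described above (not code from HIPAA Journal or OCR), the following Python script inventories which third-party servers a page makes the visitor's browser contact and flags inline analytics calls. The tracker host list, the inline markers, and the example-clinic.test page are assumptions constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Assumed, non-exhaustive watch list of analytics/advertising hosts (not from the article).
KNOWN_TRACKER_HOSTS = {"connect.facebook.net", "www.facebook.com",
                       "www.googletagmanager.com", "www.google-analytics.com"}
# Inline calls used by those vendors' snippets (assumed list, extend for your estate).
INLINE_MARKERS = ("fbq(", "gtag(", "dataLayer.push(")
# Tags whose src makes the visitor's browser contact another server on page load.
SRC_TAGS = {"script", "img", "iframe"}

# Constructed sample page for a fictional provider, example-clinic.test.
SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script>window.dataLayer = window.dataLayer || [];
function gtag(){dataLayer.push(arguments);} gtag('config', 'G-EXAMPLE');</script>
</head><body>
<img height="1" width="1" src="https://www.facebook.com/tr?id=0000&amp;ev=PageView">
<iframe src="https://cdn.example-clinic.test/widget.html"></iframe>
<script src="//widgets.example-scheduler.test/embed.js"></script>
</body></html>"""

class ResourceCollector(HTMLParser):
    """Collects external resource URLs and inline <script> bodies from one page."""
    def __init__(self):
        super().__init__()
        self.urls, self.inline, self._in_inline_script = [], [], False

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag in SRC_TAGS and src:
            self.urls.append((tag, src))
        self._in_inline_script = tag == "script" and not src

    def handle_endtag(self, tag):
        self._in_inline_script = False

    def handle_data(self, data):
        if self._in_inline_script:
            self.inline.append(data)

def audit_page(page_url, html, first_party_domain):
    """List third-party loads and inline tracker calls found in one page's HTML."""
    collector = ResourceCollector()
    collector.feed(html)
    findings = []
    for tag, url in collector.urls:
        host = urlparse(urljoin(page_url, url)).hostname
        if not host or host == first_party_domain or host.endswith("." + first_party_domain):
            continue  # no network host (e.g. data: URI) or a first-party resource
        findings.append({"kind": "third-party-load", "tag": tag, "host": host,
                         "known_tracker": host in KNOWN_TRACKER_HOSTS})
    script_text = "".join(collector.inline)
    findings += [{"kind": "inline-call", "marker": m} for m in INLINE_MARKERS if m in script_text]
    return findings

if __name__ == "__main__":
    url = "https://www.example-clinic.test/appointments"
    print(*audit_page(url, SAMPLE_HTML, "example-clinic.test"), sep="\n")
```

A static scan only sees tags present in the served markup; code injected at runtime by a tag manager requires a browser-based crawl that records outgoing requests.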

The post Noncompliant Use of Website Tracking Technologies is an Enforcement Priority for OCR appeared first on HIPAA Journal.

March 2023 Healthcare Data Breach Report

Our monthly data breach reports are based on data breaches of 500 or more records that have been reported to the Department of Health and Human Services’ Office for Civil Rights (OCR) each month. The monthly reports provide an indication of the extent to which healthcare data breaches are increasing, decreasing, or remaining flat. To view longer-term healthcare data breach trends, visit our healthcare data breach statistics page.

Healthcare Data Breaches Reported in March 2023

In March, 63 breaches of 500 or more records were reported to OCR, which is a 46.51% increase from February, 6.92% more than the 12-month average, and 40% more breaches than in March 2022.

[Figure: March 2023 Healthcare Data Breach Report - 12 month breaches]

There was a 15.62% month-over-month increase in breached records, with 6,382,618 records exposed or impermissibly disclosed across the 63 data breaches. That’s 36% more records breached than the 12-month average and 76.46% more breached records than in March 2022.

[Figure: March 2023 Healthcare Data Breach Report - 12 month breached records]

Largest Healthcare Data Breaches

In March, 22 healthcare data breaches were reported that impacted more than 10,000 individuals, up from 17 such breaches in February 2023. Four of those breaches, including the largest data breach of the month, were due to the use of tracking code on websites that collected individually identifiable website visitor data. The data collected was used for analytics purposes but was transferred to the providers of the code. Those third parties included, but were not limited to, Meta (Facebook), Instagram, and Google. These tracking tools are not prohibited by the HIPAA Privacy Rule, but if they are used, consent must be obtained, or the disclosure must be permitted by the Privacy Rule and a business associate agreement must be in place with the provider of the code. We can expect to see many more of these breaches reported over the coming weeks and months. According to a recently published study, 99% of U.S. hospitals have used these tools on their websites. Relatively few have reported tracking code-related data breaches to OCR.

Malicious actors continue to use ransomware in their attacks on healthcare organizations. Three of the top 22 data breaches were confirmed as involving ransomware, and several other hacking incidents were reported that involved network disruption but were not reported as involving ransomware. Several threat actors that are known to use ransomware in their attacks on the healthcare sector are now choosing not to encrypt files and instead just steal data for extortion. For example, the Clop ransomware group typically deploys ransomware in its attacks, but in recent attacks that exploited a vulnerability in Fortra’s GoAnywhere managed file transfer (MFT) solution, ransomware was not deployed. The group stole data from 130 organizations in the attacks, including Community Health Systems Professional Services Corporations and US Wellness Inc, both of which are in the top 22 list.

There were three 10,000+ record data breaches involving the hacking of email accounts, through phishing or other means. Phishing attacks are common in healthcare, and while these attacks can be difficult to prevent, it is possible to limit the harm caused by placing time limits on how long emails are stored in email accounts. While emails often need to be retained for compliance with HIPAA and other laws, moving them to a secure archive can help to reduce the extent of a data breach if email accounts are compromised. One of the phishing attacks saw one email account compromised that contained the PHI of more than 77,000 individuals.

| Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Cause of Breach |
|---|---|---|---|---|
| Cerebral, Inc | DE | Business Associate | 3,179,835 | Website tracking code – Impermissible disclosure to third parties |
| ZOLL Services LLC | MA | Healthcare Provider | 997,097 | Hacking incident (details not made public) |
| Community Health Systems Professional Services Corporations (CHSPSC), LLC | TN | Business Associate | 962,884 | Hacking of Fortra’s GoAnywhere MFT solution |
| Santa Clara Family Health Plan | CA | Health Plan | 276,993 | Hacking incident involving business associate – no information available |
| Monument, Inc. | NY | Business Associate | 108,584 | Website tracking code – Impermissible disclosure to third parties |
| Bone & Joint Clinic, S.C. | WI | Healthcare Provider | 105,094 | Hacking incident: Network disruption and data theft |
| Florida Medical Clinic, LLC | FL | Healthcare Provider | 94,132 | Ransomware attack |
| Healthy Options dba Postal Prescription Services – Kroger | OH | Healthcare Provider | 82,466 | Impermissible disclosure of PHI to Kroger |
| NorthStar Emergency Medical Services | AL | Healthcare Provider | 82,450 | Hacking incident (details not made public) |
| Merritt Healthcare Advisors | CT | Business Associate | 77,258 | Unauthorized accessing of employee email account |
| NewYork Presbyterian Hospital | NY | Healthcare Provider | 54,396 | Website tracking code – Impermissible disclosure to third parties |
| Trinity Health | MI | Business Associate | 45,350 | Phishing attack: employee email account compromised |
| UHS of Delaware, Inc. | PA | Business Associate | 40,290 | Unauthorized accessing of employee email account |
| SundaySky, Inc. | NY | Business Associate | 37,095 | Hacked cloud server – data theft confirmed |
| Denver Public Schools Medical Plans | CO | Health Plan | 35,068 | Hacked network server – data theft confirmed |
| Atlantic General Hospital | MD | Healthcare Provider | 26,591 | Ransomware attack |
| UC San Diego Health | CA | Healthcare Provider | 23,000 | Website tracking code used by a business associate – Impermissible disclosure to third parties |
| Tallahassee Memorial Healthcare, Inc. | FL | Healthcare Provider | 20,376 | Hacked network server – data theft confirmed |
| Northeast Surgical Group, PC | MI | Healthcare Provider | 15,298 | Hacked network server |
| Health Plan of San Mateo | CA | Health Plan | 11,894 | Unauthorized accessing of employee email account |
| US Wellness Inc. | MD | Business Associate | 11,459 | Hacking of Fortra’s GoAnywhere MFT solution |
| Codman Square Health Center | MA | Healthcare Provider | 10,161 | Ransomware attack |

Causes of March 2023 Data Breaches

The majority of the month’s reported breaches were classified as hacking/IT incidents, as has been the case for many months. While hacking incidents usually account for the vast majority of breached records, in March they accounted for only 54.29% of the month’s breached records due to very large data breaches caused by the use of tracking technologies. The average size of a hacking incident in March was 73,724 records and the median breach size was 2,785 records.

[Figure: March 2023 Healthcare Data Breach Report - causes]

There were 14 data breaches reported as unauthorized access/disclosure incidents and while they only accounted for 22.22% of the month’s data breaches, they were responsible for 45.65% of the breached records, mostly due to the website tracking code breaches. The average breach size was 208,114 records and the median breach size was 2,636 records. There was one theft incident reported involving the protected health information of 3,013 individuals and one improper disposal incident involving 999 records.

[Figure: March 2023 Healthcare Data Breach Report - data location]

Where Did the Breaches Occur?

The entity reporting a data breach is not always the entity that experienced the breach. Business associates of HIPAA-covered entities may self-report breaches, but it is common for the covered entity to report the breaches. The data submitted to OCR indicates breaches occurred at 33 healthcare providers, 24 business associates, and 6 health plans. The pie charts below are based on where the breaches actually occurred rather than the reporting entity, as this provides a clearer picture of the extent to which data breaches are occurring at business associates.

[Figure: March 2023 Healthcare Data Breach Report - breaches at HIPAA-regulated entities]

The pie chart below shows the extent to which patient and health plan member records have been exposed or compromised at business associates. 75.4% of the month’s breached records were due to data breaches at business associates.

[Figure: March 2023 Healthcare Data Breach Report - records breached at HIPAA-regulated entities]

Geographical Distribution of March 2023 Data Breaches

Data breaches were reported by HIPAA-regulated entities in 25 U.S. states in March, with New York topping the list with 18 reported data breaches. The unusually high total was due to an attack on a business associate – Atlantic Dialysis Management Services – which reported the breach separately for each affected client and submitted 14 separate breach reports to OCR.

| State | Breaches |
|---|---|
| New York | 18 |
| California | 7 |
| Florida, Massachusetts, Ohio, Pennsylvania & Texas | 3 |
| Indiana, Kansas, Maryland, Michigan & Oregon | 2 |
| Alabama, Arizona, Colorado, Connecticut, Delaware, Georgia, Illinois, Kentucky, New Jersey, Oklahoma, Tennessee, Wisconsin & West Virginia | 1 |

HIPAA Enforcement Activity in March 2023

No HIPAA enforcement actions were announced by the HHS’ Office for Civil Rights in March, but there was one enforcement action by a state Attorney General. The New York Attorney General confirmed that a case had been settled with the law firm, Heidell, Pittoni, Murphy & Bach LLP. The law firm was investigated following a breach of the personal and protected health information of 61,438 New York residents to identify potential violations of HIPAA and New York laws. The law firm chose to settle the case with no admission of wrongdoing and paid a financial penalty of $200,000. The New York Attorney General alleged violations of 17 HIPAA provisions and implementation specifications, details of which can be found here.

While the Federal Trade Commission does not enforce HIPAA, the agency has started taking action over breaches of healthcare data by non-HIPAA-covered entities to resolve violations of the FTC Act and the FTC Health Breach Notification Rule. In February, the FTC announced that its first settlement had been reached for a health data breach notification failure and that was followed up with a second enforcement action in March. The FTC announced that the online counseling service provider, BetterHelp, had agreed to settle alleged FTC Act violations related to impermissible disclosures of health data to third parties when users of its services had been told their information was private and confidential.  While there was no fine, under the terms of the settlement, $7.8 million will be paid to the consumers affected by the breach and they must be notified per the Health Breach Notification Rule.

The post March 2023 Healthcare Data Breach Report appeared first on HIPAA Journal.

OCR Proposes HIPAA Privacy Rule Update to Bolster Reproductive Health Care Privacy

The HHS’ Office for Civil Rights has published a Notice of Proposed Rulemaking (NPRM) about an update to the HIPAA Privacy Rule to strengthen privacy protections for reproductive health information. The proposed update is in response to the Supreme Court decision in Dobbs v. Jackson Women’s Health Organization and the overturning of Roe v. Wade, which removed the federal right to abortion that had been in place for almost half a century.

Since that decision in 2022, states have been scrambling to enact abortion laws. 18 states have introduced full or partial bans on abortions in their states, and a further 4 states are due to introduce full or partial bans. There is concern that those states will attempt to prosecute state residents that seek abortions out of state and will request the health data of individuals from healthcare providers who provide reproductive health services or facilitate reproductive health care.

“When the Supreme Court overturned Roe v. Wade, nearly half a century of precedent changed overnight,” said Secretary Xavier Becerra in an announcement about the NPRM. “The Biden-Harris Administration is committed to protecting women’s lawful access to reproductive health care, including abortion care. President Biden signed not one but two executive orders calling on HHS to take action to meet this moment and we have wasted no time in doing so. Today’s action is yet another important step HHS is taking to protect patients accessing critical care.”

Currently, the HIPAA Privacy Rule permits but does not require HIPAA-covered entities to provide reproductive health information to law enforcement. OCR has released guidance on disclosures of reproductive health information and has clarified the circumstances when reproductive health information can be legally disclosed. OCR has also stated that noncompliance with the HIPAA Rules with respect to reproductive health care is an enforcement priority for OCR.

Today’s announcement is intended to enhance privacy protections and strengthen patient-provider confidentiality by prohibiting disclosures of reproductive health information to investigate or prosecute patients, providers, and others involved in the provision of legal reproductive health care, including abortion care.

Specifically, the proposed HIPAA Privacy Rule update will prohibit disclosures of reproductive health care information for:

  • Criminal, civil, or administrative investigations into or proceeding against any person in connection with seeking, obtaining, providing, or facilitating reproductive health care, where such health care is lawful under the circumstances in which it is provided.
  • The identification of any person for the purpose of initiating such investigations or proceedings.

These restrictions will apply in the following situations:

  • Reproductive health care is sought, obtained, provided, or facilitated in a state where the health care is lawful and outside of the state where the investigation or proceeding is authorized.
  • Reproductive health care that is protected, required, or expressly authorized by federal law, regardless of the state in which such health care is provided.
  • Reproductive health care that is provided in the state where the investigation or proceeding is authorized and is permitted by the law of the state in which such health care is provided.

Reproductive health care is defined as including, but not limited to, prenatal care, abortion, miscarriage management, infertility treatment, contraception use, and treatment for reproductive-related conditions such as ovarian cancer.

Under the proposed rule, if a request is received for protected health information that is potentially related to reproductive health care, a regulated entity will be required to obtain a signed attestation that the use or disclosure is not for a prohibited purpose. The attestations will be required for health oversight activities, judicial and administrative proceedings, law enforcement purposes, and disclosures to coroners and medical examiners.

“I have met with doctors across the country who have shared their stories,” said OCR Director Melanie Fontes Rainer. “These providers have expressed fear, anger, and sadness that they or their patients may end up in jail for providing or obtaining evidence-based and medically appropriate care. Trust is critical in the patient-doctor relationship and medical mistrust can damage and chill patients’ relationship with their providers, imperiling patient health,” added Fontes Rainer. “Today’s proposed rule is about safeguarding this trust in the patient-provider relationship, and ensuring that when you go to the doctor, your private medical records will not be disclosed and used against you for seeking lawful care.”

The post OCR Proposes HIPAA Privacy Rule Update to Bolster Reproductive Health Care Privacy appeared first on HIPAA Journal.