HIPAA Compliance News

OCR Confirms Use of Website and Other Tracking Technologies Without a BAA is a HIPAA Violation

The HHS’ Office for Civil Rights has issued a bulletin confirming that the use of third-party tracking technologies on websites, web applications, and mobile apps without a business associate agreement (BAA) is a HIPAA violation if the tracking technology collects and transmits individually identifiable health information. Even with a BAA in place, the use of the tracking technology may still violate the HIPAA Rules

The bulletin has been issued in response to the discovery earlier this year that Meta Pixel tracking code was being extensively used on the websites of hospitals and that the code snippet transferred data to Meta, including sensitive patient data. These privacy breaches came to light during an investigation by The Markup and STAT, which found Meta Pixel had been added to the websites of one-third of the top 100 hospitals in the United States and, in 7 cases, the code had been added to password-protected patient portals. The study was limited to the top 100 hospitals, so it is likely that hundreds of hospitals have used the code and have – in all likelihood unwittingly – transferred sensitive data to Meta/Facebook without a business associate agreement in place and without obtaining patient consent.

Following the publication of the report, several lawsuits were filed against healthcare providers over these impermissible disclosures, with some plaintiffs claiming the information disclosed on the websites of their healthcare providers had been transferred to Meta and was used to serve them targeted advertisements related to their medical conditions. The news came as a shock to healthcare providers, triggering investigations and recent data breach notifications; however, despite so the widespread use of the tracking code, only a handful of hospitals and health systems have reported the breach and have sent notifications so far. The bulletin from the HHS is likely to trigger a flurry of breach notifications as providers realize that the use of Meta Pixel and other tracking code constitutes a HIPAA violation.

What are Tracking Technologies?

Tracking technologies are commonly snippets of code that are added to websites, web applications, and mobile apps for tracking user activity, typically for determining the journeys of users while using websites and monitoring their on-site interactions. The data collected by these technologies can be analyzed and used to improve the services provided through the websites and applications and enhance the user experience, which benefits patients. While there are benefits to individuals from the use of this code, there is also considerable potential for harm to be caused, as in addition to providing a HIPAA-regulated entity with useful information, the data collected through these technologies is usually transmitted to the vendor.

For instance, if a female patient arranged an appointment on the website of a healthcare provider to discuss the termination of a pregnancy, the tracking technology on the site could be transmitted to the vendor, and subsequently disclosed to other third parties. That information could be provided to law enforcement or other third parties. Information disclosed in confidence by a patient of a website or web application could be transferred to a third party and be used for fraud, identity theft, extortion, stalking, harassment, or to promote misinformation.

In many cases, these tracking technologies are added to websites and applications without the knowledge of users, and it is often unclear how any disclosed information will be used by a vendor and to whom that transmitted information will be disclosed. These tracking technologies often use cookies and web beacons that allow individuals to be tracked across the Internet, allowing even more information to be collected about them to form detailed profiles. When tracking technologies are included in web applications, they can collect device-related information, including location data which is tied to a unique identifier for that device, through which a user could be identified.

All Tracking Technologies Must be HIPAA Compliant

There is nothing in HIPAA that prohibits the use of these tracking technologies, but the HIPAA Rules apply when third-party tracking technologies are used, if the tracking technology collects individually identifiable information that is protected under HIPAA and if it transmits that information to a third party, be that the vendor of the tracking technology or any other third-party. If the tracking technology collects any identifiers, they are classed as protected health information because the information connects the individual to the regulated entity, indicating the individual has received or will receive health care services or benefits from the regulated entity, and that relates to the individual’s past, present, or future health or health care or payment for care.

There is an elevated risk of an impermissible disclosure of PHI when tracking technology is used on patient portals or any other pages that require authentication as these pages usually have access to PHI. If tracking code is added to these pages it must be configured in a way to ensure that the code only uses and discloses PHI in compliance with the HIPAA Privacy Rule, and that any information collected is secured in a manner compliant with the HIPAA Security Rule. Tracking code on unauthenticated pages also has the potential to have access to PHI. The same applies to tracking technologies within a HIPAA-regulated entity’s mobile apps, if it collects and transmits PHI. OCR confirmed that only mobile apps offered by healthcare organizations are covered by HIPAA. HIPAA does not apply to third-party apps that are voluntarily downloaded by individuals, even if the apps collect and transmit health information.

“Regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of PHI to tracking technology vendors or any other violations of the HIPAA Rules,” explained OCR in the bulletin.

The OCR bulleting confirms that if tracking technologies are used, the provider of that code – which includes Meta Platforms (Meta Pixel) and Google (Google Analytics) – would be classed as a business associate and must enter into a business associate agreement (BAA) with the HIPAA-regulated entity before the code can be added to a website or application. The BAA must state the responsibilities of the vendor with respect to the PHI and specify the permitted uses and disclosures of that information. If the vendor will not sign a BAA, PHI cannot legally be provided to that vendor, therefore the code cannot be used or must be configured in a way that it does not collect or transmit PHI. OCR also confirmed that if a vendor states that they will strip out any identifiable information prior to saving or using the transferred data, such a disclosure to the vendor would still only be permitted if a BAA was signed and if the HIPAA Privacy Rule permits such a disclosure.

Other potential violations of HIPAA could occur. If any PHI is disclosed to a vendor, it must be in line with the organization’s privacy policy and be detailed in their Notice of Privacy Practices. It is important to note that simply stating that tracking technology is used in a notice of privacy practices is not sufficient by itself to ensure compliance. In addition to a BAA, any disclosure of PHI for a purpose not expressly permitted by the HIPAA Privacy Rule requires a HIPAA-compliant authorization from a patient, giving their consent to disclose that information. Website banners that ask a website visitor to consent to cookies and the use of web tracking technologies do not constitute valid HIPAA authorizations.

Actions HIPAA-Regulated Entities Should Take Immediately

In light of the bulletin, HIPAA-regulated entities should read it carefully to make sure they understand how HIPAA applies to tracking technologies. They should also conduct a review of any tracking technologies that they are using on their websites, web applications, or mobile apps to ensure those technologies are being used in a manner compliant with the HIPAA Rules. If they are not already, website tracking technologies must be included in a HIPAA-regulated entity’s risk analysis and risk management processes.

It is important to state that a tracking technology vendor is classed as a business associate under HIPAA, even if a BAA is not signed. As such, any disclosures to that vendor would be classed as an impermissible disclosure of PHI without a BAA in place, and the HIPAA-regulated entity would be at risk of fines and other sanctions if PHI is transmitted without a signed BAA.

If during the review a HIPAA-regulated entity discovers tracking technologies are being used in a manner not compliant with the HIPAA Rules, or have been in the past, then the HIPAA Breach Notification Rule applies. Notifications will need to be sent to OCR and the individuals whose PHI has been impermissibly disclosed.

The post OCR Confirms Use of Website and Other Tracking Technologies Without a BAA is a HIPAA Violation appeared first on HIPAA Journal.

HHS, SAMHSA Propose Update to Improve Alignment of HIPAA Privacy Rule and 42 CFR Part 2

The Department of Health and Human Services (HHS) and the Substance Abuse and Mental Health Services Administration (SAMHSA) have issued a Notice of Proposed Rulemaking (NPRM) detailing changes to the Confidentiality of Substance Use Disorder (SUD) Patient Records (42 CFR Part 2) and HIPAA to increase care coordination and better align Part 2 with the HIPAA Privacy Rule, as required by Section 3221 of the Coronavirus Aid, Relief, and Economic Security Act (CARES Act).

Part 2 protects patient privacy and records related to treatment for SUD and the HIPAA Privacy Rule is concerned with the privacy of protected health information (PHI); however, SUD records are treated differently from other types of PHI. The HIPAA Privacy Rule permits disclosures of protected health information without consent for treatment, payment, or healthcare operations, but Part 2 imposes greater restrictions on disclosures of SUD records. Generally, SUD records can only be disclosed by a SUD treatment provider if consent to do so is obtained from the patient. Further, even with a valid consent form, SUD treatment providers must include a written statement that the information cannot be redisclosed. This is because SUD records are particularly sensitive due to the stigma of substance abuse and the potential discrimination, which can potentially result in loss of insurance and employment.

Having to treat PHI and SUD records differently is problematic as it creates barriers to information sharing that is in the best interests of patients and the dual compliance obligations creates compliance challenges for regulated entities. “Varying requirements of privacy laws can slow treatment, inhibit care, and perpetuate negative stereotypes about people facing substance use challenges,” HHS Secretary Xavier Becerra, hence the need for better alignment of Part 2 with the HIPAA Privacy Rule. It is important, however, to ensure patient privacy, as any lessening of the protections for SUD records could deter individuals suffering from SUD from seeking treatment, which could have life-threatening consequences.

The proposed rule strikes a balance between the need for strong privacy protections and having the flexibility to allow information sharing to improve care coordination. “One of SAMHSA’s priorities is working to make effective treatments and recovery supports for SUD more accessible to all Americans,” said Miriam E. Delphin-Rittmon, Ph.D., the HHS Assistant Secretary for Mental Health and Substance Use and the leader of SAMHSA. “Bringing Part 2 requirements into closer alignment with HIPAA will support more effective coordination for people accessing care. At the same time, the proposed rule mitigates the discrimination and stigma that we know too often people with SUDs experience.”

The key changes in the NPRM are:

  • Permitted use and disclosure of Part 2 records will be based on a single patient consent. Once that consent is given, it covers all future uses and disclosures for treatment, payment, and healthcare operations.
  • Redisclosure of Part 2 records will be permitted – with certain exceptions – if redisclosure is permitted by the HIPAA Privacy Rule.
  • Patients are given new rights under Part 2 to obtain an accounting of disclosures and to request restrictions on certain disclosures, as also granted by the HIPAA Privacy Rule.
  • Prohibitions on the use and disclosure of Part 2 records in civil, criminal, administrative, and legislative proceedings have been expanded.
  • The HHS has new enforcement authority and can impose civil money penalties for violations of Part 2, in line with HIPAA and the HITECH Act
  • Part 2 programs must establish a process to receive complaints about Part 2 violations, those programs are prohibited from taking adverse action in response to complaints, and must not require patients to waive the right to file a complaint as a condition of providing treatment, enrollment, payment, or eligibility for services.
  • Breach notification requirements to the HHS and affected patients for Part 2 records will be aligned with the HIPAA Breach Notification Rule.
  • The HIPAA Privacy Rule Notice of Privacy Practices requirements have been updated to address uses and disclosures of Part 2 records and individual rights with respect to those records.

The HHS and SAMHSA are encouraging healthcare industry stakeholders and the public to submit comments on the proposed changes. To be considered, they must be submitted within 60 days of publication of the NPRM in the Federal Register. The expected publication date is 12/02/2022. A fact sheet on the proposed changes has been published on the HHS website.

The post HHS, SAMHSA Propose Update to Improve Alignment of HIPAA Privacy Rule and 42 CFR Part 2 appeared first on HIPAA Journal.

HHS, SAMHSA Propose Update to Improve Alignment of HIPAA Privacy Rule and 42 CFR Part 2

The Department of Health and Human Services (HHS) and the Substance Abuse and Mental Health Services Administration (SAMHSA) have issued a Notice of Proposed Rulemaking (NPRM) detailing changes to the Confidentiality of Substance Use Disorder (SUD) Patient Records (42 CFR Part 2) and HIPAA to increase care coordination and better align Part 2 with the HIPAA Privacy Rule, as required by Section 3221 of the Coronavirus Aid, Relief, and Economic Security Act (CARES Act).

Part 2 protects patient privacy and records related to treatment for SUD and the HIPAA Privacy Rule is concerned with the privacy of protected health information (PHI); however, SUD records are treated differently from other types of PHI. The HIPAA Privacy Rule permits disclosures of protected health information without consent for treatment, payment, or healthcare operations, but Part 2 imposes greater restrictions on disclosures of SUD records. Generally, SUD records can only be disclosed by a SUD treatment provider if consent to do so is obtained from the patient. Further, even with a valid consent form, SUD treatment providers must include a written statement that the information cannot be redisclosed. This is because SUD records are particularly sensitive due to the stigma of substance abuse and the potential discrimination, which can potentially result in loss of insurance and employment.

Having to treat PHI and SUD records differently is problematic as it creates barriers to information sharing that is in the best interests of patients and the dual compliance obligations creates compliance challenges for regulated entities. “Varying requirements of privacy laws can slow treatment, inhibit care, and perpetuate negative stereotypes about people facing substance use challenges,” HHS Secretary Xavier Becerra, hence the need for better alignment of Part 2 with the HIPAA Privacy Rule. It is important, however, to ensure patient privacy, as any lessening of the protections for SUD records could deter individuals suffering from SUD from seeking treatment, which could have life-threatening consequences.

The proposed rule strikes a balance between the need for strong privacy protections and having the flexibility to allow information sharing to improve care coordination. “One of SAMHSA’s priorities is working to make effective treatments and recovery supports for SUD more accessible to all Americans,” said Miriam E. Delphin-Rittmon, Ph.D., the HHS Assistant Secretary for Mental Health and Substance Use and the leader of SAMHSA. “Bringing Part 2 requirements into closer alignment with HIPAA will support more effective coordination for people accessing care. At the same time, the proposed rule mitigates the discrimination and stigma that we know too often people with SUDs experience.”

The key changes in the NPRM are:

  • Permitted use and disclosure of Part 2 records will be based on a single patient consent. Once that consent is given, it covers all future uses and disclosures for treatment, payment, and healthcare operations.
  • Redisclosure of Part 2 records will be permitted – with certain exceptions – if redisclosure is permitted by the HIPAA Privacy Rule.
  • Patients are given new rights under Part 2 to obtain an accounting of disclosures and to request restrictions on certain disclosures, as also granted by the HIPAA Privacy Rule.
  • Prohibitions on the use and disclosure of Part 2 records in civil, criminal, administrative, and legislative proceedings have been expanded.
  • The HHS has new enforcement authority and can impose civil money penalties for violations of Part 2, in line with HIPAA and the HITECH Act
  • Part 2 programs must establish a process to receive complaints about Part 2 violations, those programs are prohibited from taking adverse action in response to complaints, and must not require patients to waive the right to file a complaint as a condition of providing treatment, enrollment, payment, or eligibility for services.
  • Breach notification requirements to the HHS and affected patients for Part 2 records will be aligned with the HIPAA Breach Notification Rule.
  • The HIPAA Privacy Rule Notice of Privacy Practices requirements have been updated to address uses and disclosures of Part 2 records and individual rights with respect to those records.

The HHS and SAMHSA are encouraging healthcare industry stakeholders and the public to submit comments on the proposed changes. To be considered, they must be submitted within 60 days of publication of the NPRM in the Federal Register. The expected publication date is 12/02/2022. A fact sheet on the proposed changes has been published on the HHS website.

The post HHS, SAMHSA Propose Update to Improve Alignment of HIPAA Privacy Rule and 42 CFR Part 2 appeared first on HIPAA Journal.

Cybersecurity is Now a Patient Safety Issue, Suggests Sen. Warner In Congressional Report

Senator Mark Warner (D-VA), Chairman of the Senate Select Committee on Intelligence, has recently published a white paper – Cybersecurity is Patient Safety – that highlights the current cybersecurity challenges facing the healthcare industry and suggests several potential policy changes that could help to improve healthcare cybersecurity and better protect all health information, including health data not currently protected under the HIPAA Rules.

Sen. Warner suggests the only way to improve healthcare cybersecurity rapidly is through a collaborative effort involving the public and private sectors, with the federal government providing overall leadership. While further regulation may be necessary, the overall consensus of healthcare industry stakeholders is the best approach is to introduce incentives for improving cybersecurity, rather than mandating cybersecurity improvements with a threat of financial penalties for noncompliance.

The healthcare industry is under attack from cybercriminals and nation-state threat actors and cyberattacks and data breaches are increasing at unacceptable levels. In 2021, 45 million Americans had their sensitive personal and healthcare exposed or stolen in healthcare industry cyberattacks. More must be done to improve resilience and deal with the increasing threats. “Unfortunately, the healthcare sector is uniquely vulnerable to cyberattacks and the transition to better cybersecurity has been painfully slow and inadequate,” said Senator Warner. “Cybersecurity can no longer be viewed as a secondary concern; it must become incorporated into every organization’s – from equipment manufacturers to health care providers – core business models.”

The white paper suggests several areas where policies could be changed to improve cybersecurity in the healthcare industry.

Improve Federal Leadership

The Department of Health and Human Services (HHS) is the Sector Risk Management Agency (SRMA) for the healthcare industry, but within the HHS agencies such as the Office for Civil Rights (OCR), Centers for Medicare and Medicaid Services (CMS), and the Food and Drug Administration (FDA) have their own jurisdictions and cybersecurity policies. The white paper explains that there is a lack of overall leadership and suggests a senior leader should be appointed, who should be “empowered—both operationally and politically—to ensure HHS speaks with one voice regarding cybersecurity in health care, including expectations of external stakeholders and the government’s role.”

Modernize HIPAA

HIPAA was enacted in 1996, and the HIPAA Privacy and Security Rules have been in place for two decades, and while updates have been made to the HIPAA Rules, they fail to fully address emerging threats to the confidentiality, integrity, and availability of healthcare data. The current focus is on protecting the healthcare data collected, stored, and transmitted by HIPAA-regulated entities, but the same information is collected, stored, and transmitted by entities that are not bound by the HIPAA Rules. It has been suggested that more sensitive healthcare data is now being collected by health apps than is collected and stored by HIPAA-regulated entities, yet this data is largely unregulated. The white paper suggests Congress should direct the HHS to update HIPAA and expand the definition of covered entities and stipulate the allowable uses and disclosures of health data by entities that are not currently classed as HIPAA-regulated entities, to address the gap between HIPAA and the FTC Health Breach Notification Rule.

Develop a Healthcare-Specific Cybersecurity Framework

The National Institute of Standards and Technology (NIST) has released its Framework for Improving Critical Infrastructure Cybersecurity, and while that work has been commended, many healthcare industry stakeholders want more detailed guidance from NIST that is specific to the healthcare industry and have called for NIST develop a consensus-based healthcare-specific cybersecurity framework.

Improve Security Incident Preparedness and Response

The HHS recently stressed in its October Cybersecurity newsletter the importance of security incident preparedness and planning, as cyberattacks are inevitable in the lifespan of a healthcare organization. More needs to be done to encourage healthcare organizations to prepare for attacks. The HHS could direct healthcare facilities to consider cyberattacks to be equivalent to natural disasters such as hurricanes and earthquakes, including mandating training of hospital staff to use analog equipment and legacy systems, and to establish a disaster relief program for victims of cyberattacks.

Incentivize Healthcare Providers to Replace Legacy Systems

Legacy systems are still extensively used in the healthcare industry, despite software and operating systems reaching end-of-life and having support withdrawn. Legacy systems are a security risk, yet healthcare organizations continue to use them as they continue to function and the cost of replacing them is too high. Incentives should be offered to phase out these legacy systems, such as a program similar to the 2009 Car Allowance Rebate System (CARS) that encouraged people to trade in their old vehicles.

Improve Medical Device Cybersecurity

There is considerable concern about the cybersecurity of medical devices and a need for minimum standards of security to be maintained and good cyber hygiene practices followed. There is a need for all software and devices to be supplied with a software bill of materials (SBOMs), and for security requirements to be required during pre-market approval, as proposed by the PATCH Act. The white paper also suggests restrictions could be imposed on the sale of medical devices that have software that has reached end-of-life and is no longer supported, and for healthcare organizations to be incentivized to invest in systems for tracking medical equipment.

Address the Current Cybersecurity Talent Shortage

There is currently a global shortage of cybersecurity professionals that is unlikely to be resolved in the short to medium term. Healthcare organizations struggle to recruit the necessary talent and many cybersecurity positions in healthcare remain unfilled. The white paper suggests one way to address the shortage would be for Congress to create a workforce development program and to incentivize individuals to take on cybersecurity positions in healthcare, such as offering student loan forgiveness for cybersecurity professionals who commit to serving in rural communities, similar to the National Health Service Corps Loan Repayment Program.

Reduce the Cost of Cyber Insurance

Cyber insurance is becoming increasingly expensive and there is an extensive and burdensome application process. The white paper suggests a federal reinsurance program could be introduced to cover plans that require minimum cyber hygiene standards to be maintained, which could help the industry achieve minimum cyber hygiene standards without government mandates. The program would standardize coverage elements and provide incentives for insurance companies to adopt them. This could lower overall risks, which could help to reduce the cost of insurance.

Senator Warner is seeking feedback on the white paper from businesses, advocacy groups, researchers, and individuals. Comments should be submitted no later than December 1, 2022.

The post Cybersecurity is Now a Patient Safety Issue, Suggests Sen. Warner In Congressional Report appeared first on HIPAA Journal.

Advocate Aurora Health and WakeMed Sued Over Meta Pixel Privacy Breaches

Two class action lawsuits have been filed on behalf of patients whose protected health information (PHI) was impermissibly disclosed to Meta/Facebook as a result of the use of the Meta Pixel JavaScript code snippet on the websites and web applications of Advocate Aurora Health and WakeMed Health and Hospitals. Advocate Aurora Health said the PHI of up to 3 million patients had potentially been disclosed to Meta/Facebook, and WakeMed said around 495,000 patients were affected due to the inclusion of the code on the MyChart patient portal and its appointment scheduling page. Both healthcare providers have admitted to an impermissible disclosure of PHI but said at the time of issuing notifications that they were unaware of any cases of misuse of patient information and that there are no indications that employees of Meta or Facebook viewed the transmitted data.

The lawsuit against Advocate Aurora Health, which also names Meta as a defendant, was filed in the U.S. District Court for the Northern District of Illinois and names Alistair Stewart, of Illinois, as the lead plaintiff. The lawsuit seeks class action status, damages, and injunctive and other equitable relief. According to the lawsuit, “Whenever a patient uses Advocate’s websites and applications, including its LiveWell portal, Advocate and Facebook intercept, contemporaneously cause transmission of, and use personally identifiable patient information and PHI without patients’ knowledge, consent, or authorization.” The lawsuit alleges Advocate Aurora Health and Meta were aware that protected health information was being transmitted, and that this was in violation of the HIPAA Rules. “This was evidenced from, among other things, the functionality of the Pixel, including that it enabled Advocate’s LiveWell portal to show targeted advertising to its digital subscribers based on the products those digital subscribers had previously viewed on the website, including certain medical tests or procedures, for which Advocate received financial remuneration.”

Advocate Aurora Health maintains that the tracking code was only used to improve the consumer experience across its websites, and to encourage individuals to schedule necessary preventive care, and said it has stopped using the code and has implemented additional safeguards and third-party code-checking procedures to prevent similar breaches in the future.

The lawsuit against WakeMed was filed in the Wake County Superior Court in North Carolina by attorneys Gary Jackson and Tom Wilmoth and similarly seeks class action status, damages, and injunctive relief. The lawsuit makes similar claims and also alleges that the code was added to the website in the knowledge that sensitive patient data would be shared with Meta, and that WakeMed received financial benefits from sharing that information with Meta. The lawsuit alleges violations of FTC Rules and HIPAA, as sensitive healthcare data, including PHI, was shared with Meta without the knowledge or consent of the plaintiff and class members.

The lawsuit states the plaintiff reasonably expected her online communications with WakeMed to be confidential and would not be shared with or intercepted by a third party, and that consent to share her data had not been requested or obtained. The lawsuit alleges negligence for failing to implement reasonable safeguards to prevent improper disclosures of PHI, failing to adequately train employees, and failing to follow industry-standard data security practices.

In order for healthcare data breach lawsuits to succeed, an actual injury must have been sustained. In contrast to data breach lawsuits filed against healthcare organizations that have been hacked, the plaintiffs’ PHI is not in the hands of cybercriminals and there has been no injury through fraud or identity theft. The lawsuits allege an injury has been suffered in the form of the diminution in the value of the plaintiffs’ and class members’ private information. The plaintiff in the WakeMed lawsuit alleges she has lost time and experienced annoyance, interference, and inconvenience, which has led to her suffering anxiety, emotional distress, and increased concerns about her loss of privacy.

Many healthcare providers added Meta Pixel code to their websites. A study conducted by The Markup revealed 33 of the top 100 hospitals in the United States used the code, several of which added Meta Pixel to their patient portals. In August 2022, Novant Health announced that the PHI of up to 1.36 million patients had potentially been disclosed to Meta/Facebook, and many other healthcare providers are expected to make similar announcements in the coming weeks. Lawsuits have already been filed against Medstar Health System in Maryland, UCSF Medical Center and Dignity Health Medical Foundation, and Northwestern Memorial Hospital in Chicago, due to the use of the tracking code on their websites.

The post Advocate Aurora Health and WakeMed Sued Over Meta Pixel Privacy Breaches appeared first on HIPAA Journal.

Georgia Home Health Company Settles Phishing Investigation and Pays $425,000 Penalty

Aveanna Healthcare has agreed to pay a $425,000 financial penalty to the Office of the Attorney General of Massachusetts for failing to implement appropriate safeguards to prevent phishing attacks, in violation of state and federal laws.

Aveanna Healthcare operates in 33 states and is the nation’s largest provider of pediatric home care. In the summer of 2019, Aveanna Healthcare was targeted in a phishing campaign that saw more than 600 phishing emails sent to its employees. The phishing emails attempted to trick the recipients into providing credentials, money, or other sensitive information. The first email account was breached in July 2019, with the attacks continuing throughout the summer. Aveanna Healthcare discovered the breach on August 24, 2019.

The forensic investigation revealed multiple employees had been tricked into disclosing their account credentials, which provided the attackers with access to parts of the network that contained the protected health information (PHI) of 166,000 patients, including the PHI of approximately 4,000 Massachusetts residents. The patient information exposed and potentially copied included names, Social Security numbers, driver’s license numbers, financial account numbers, and health information such as diagnoses, medications, and treatment information. The threat actors also logged into the human resources system and attempted to change the direct deposit information of employees to divert payments.

The Massachusetts AG’s Office launched an investigation into the phishing attacks and determined that Aveanna Healthcare had failed to implement appropriate safeguards to protect against phishing attacks. The AG’s Office alleged Aveanna was aware that its cybersecurity program was insufficient at the time of the phishing attacks and that it did not have sufficient tools in place to adequately defend against phishing attacks, such as multifactor authentication and sufficient security awareness training for its workforce. The Massachusetts AG’s Office determined that Aveanna’s security program had not met the minimum level of security required by the Standards for the Protection of Personal Information of Residents of the Commonwealth of Massachusetts nor the minimum standards for security demanded by the HIPAA Security Rule.

The consent judgment requires Aveanna to pay a financial penalty of $425,000 to the Massachusetts AG’s office to resolve the violations, and adopt a corrective action plan that requires Aveanna to develop, implement, and maintain a security program that includes phishing protection technology, multi-factor authentication, and other systems designed to detect and address intrusions. Aveanna must also provide additional security awareness training to the workforce, including providing regular updates on the latest security threats. Aveanna is required to undergo annual independent assessments of its compliance with the consent order and will be monitored by the Massachusetts AG’s Office for a period of four years.

“Companies have an obligation to put the right security measures and systems in place to prevent hackers from accessing sensitive information,” said Massachusetts Attorney General Maura Healey. “As a result of this resolution, Aveanna will ensure compliance with our strong data security laws and take steps necessary to protect its employees and the private data of Massachusetts residents moving forward.”

Aveanna Healthcare is also facing a class action lawsuit over the exposure of patient data. The lawsuit alleges the failure to implement appropriate security measures also takes issue with the length of time it took Aveanna to announce the data breach – 5 months after the breach was detected.

The post Georgia Home Health Company Settles Phishing Investigation and Pays $425,000 Penalty appeared first on HIPAA Journal.

OCR Explains HITECH Recognized Security Practices and How to Demonstrate They are in Place

The Department of Health and Human Services (HHS)’ Office for Civil Rights (OCR) has released a video presentation on its YouTube channel that explains in detail how the 2021 HITECH Act amendment regarding “Recognized Security Practices” applies to HIPAA-regulated entities, and how HIPAA-regulated entities can demonstrate to OCR that Recognized Security Practices have been in place for the 12 months prior to a security breach.

Background

The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009, part of the American Recovery and Reinvestment Act (ARRA), was introduced by the Obama administration to encourage the adoption of health information technology to improve quality, safety, and efficiency; engage patients in their care; increase coordination of care; improve the health status of the population; and ensure the privacy and security of healthcare data.

On January 5, 2022, H.R 7898 was signed into law which amended Section 13412 of the HITECH Act to require the HHS to take the Recognized Security Practices of HIPAA-regulated entities into account in certain HIPAA Security Rule enforcement and audit activities, when a HIPAA-regulated entity is able to demonstrate Recognized Security Practices have been in place continuously for the 12 months prior to a security incident.

The HITECH Act update does not create a safe harbor for organizations that have implemented Recognized Security Practices granting them immunity from liability for HIPAA Security Rule violations, and it will not prevent OCR from imposing financial penalties when HIPAA Security Rule violations are discovered. Organizations that can demonstrate they have implemented Recognized Security Practices can mitigate fines under section 1176 of the Social Security Act, mitigate the remedies that would otherwise be agreed in agreements to resolve violations of the HIPAA Security Rule, and reduce the length and extent of audits and investigations. The HITECH Act amendment acts as an incentive for HIPAA-regulated entities to implement Recognized Security Practices and do everything in their power to safeguard patient data. OCR has confirmed that implementing Recognized Security Practices is voluntary.

On April 6, 2022, OCR issued a Request for Information (RFI) seeking input from the public on the HITECH Act amendment, specifically on how HIPAA-regulated entities were implementing Recognized Security Practices, and how they anticipated demonstrating that they are in place and have been for 12 months. The RFI also included a request for comment on the long-awaited implementation of the HITECH Act requirement for OCR to share a proportion of the civil monetary penalties and settlements collected through its HIPAA enforcement activities with individuals who have been harmed due to HIPAA violations.

What Are Recognized Security Practices?

In the video, Nick Heesters, senior advisor for cybersecurity at OCR, explains how the HITECH Act was amended, what constitutes Recognized Security Practices, and how they can be implemented to reduce liability. Recognized Security Practices are standards, guidelines, best practices, methodologies, procedures, and processes developed under:

  • The National Institute of Standards and Technology (NIST) Cybersecurity Framework
  • Section 405(d) of the Cybersecurity Act of 2015, or
  • Other programs that address cybersecurity that are explicitly recognized by statute or regulation

HIPAA-regulated entities are free to choose the Recognized Security Practices that are best suited to their organization.

OCR Security Rule Audits and HIPAA Security Rule Investigations of Potential Violations

Heesters confirmed that in the event of an audit or investigation into potential HIPAA Security Rule violations, OCR will send a data request to the regulated entity to inform them they can voluntarily provide evidence that Recognized Security Practices have been in place. This will increase awareness of the HITECH Act amendment and also allow the regulated entity to submit evidence as a mitigating factor. The request will also include guidance on how that evidence can be provided and the types of evidence that a HIPAA-regulated entity can consider submitting.

How to Demonstrate Recognized Security Practices Have Been in Place

Heesters explained how HIPAA-regulated entities can demonstrate to OCR that Recognized Security Practices have been in place and the types of evidence that they can consider submitting. OCR will not limit the evidence that can be provided and the request is not a one-time opportunity to provide evidence. Evidence can be provided to OCR continuously.

The regulated entity must demonstrate that Recognized Security Practices have been fully implemented and have been and continue to be actively and consistently in use. Simply providing documentation that only establishes the initial adoption of Recognized Security Practices is insufficient and OCR will not consider documentation stating the organization plans to implement Recognized Security Practices in the future. Documentation must demonstrate the implementation of Recognized Security Practices throughout the enterprise.

In the response, HIPAA-regulated entities should state which Recognized Security Practices have been implemented. If a HIPAA-regulated entity has chosen “other programs,” OCR will need to be provided with statutory or regulatory citations showing they were developed, recognized, or promulgated by statute or regulation.

OCR suggests the following can be provided as evidence, although the list is not exhaustive:

  • Policies and procedures regarding the implementation and use of RSPs
  • RSP implementation project plans and meeting minutes
  • Diagrams and narrative detail of RSP implementation and use
  • Training materials regarding RSP implementation and use
  • Application screenshots and reports showing RSP implementation and use
  • Vendor contracts and statements of work regarding RSP implementation
  • OCR also requires dates that support the implementation and use of RSPs for the previous 12 months

Heesters confirmed that organizations that have implemented Recognized Security Practices, and are able to demonstrate that sufficiently, will not avoid financial penalties, but OCR will consider the Recognized Security Practices as a mitigating factor. These practices only mitigate against HIPAA Security Rule investigations and audits, not other investigations and audits, such as investigations into potential HIPAA Privacy Rule violations. Heesters also confirmed that the lack of Recognized Security Practices will not be considered an aggravating factor and will not result in increased penalties.

The post OCR Explains HITECH Recognized Security Practices and How to Demonstrate They are in Place appeared first on HIPAA Journal.

September 2022 Healthcare Data Breach Report

63 data breaches of 500 or more records were reported to the HHS’ Office for Civil Rights in September, bringing an end to the downward trend in data breaches seen over the previous three months. September’s total was above the 12-month average of 59 breaches a month, with data breaches being reported at a rate of more than 2 per day. In 2017, data breaches were being reported at a rate of one per day.

healthcare data breaches in the past 12 months - September 2022

While the number of reported data breaches increased by 28.6% month-over-month, for the third consecutive month the number of breached records decreased, with 2,440,434 records breached across the 63 reported incidents. September’s total was well below the 12-month average of 3,481,033 breached records a month. Breached healthcare records in the past 12 months

So far in 2022, 31,705,618 patient records have been exposed or impermissibly disclosed.

The Largest Healthcare Data Breaches Reported in September

30 data breaches of 10,000 or more patient records were reported to the HHS’ Office for Civil Rights in September 2022, all but one of which were hacking/IT incidents. The largest data breach involved the records of more than 542,000 patients of the Wolfe Clinic in Iowa and occurred at its electronic health record provider Eye Care Leaders. The attack saw database and system configuration files deleted. More than 3.6 million individuals were affected by the data breach.

Name of Covered Entity State Covered Entity Type Individuals Affected Cause of Breach
Wolfe Clinic, P.C. IA Healthcare Provider 542,776 Hacking incident at its EHR provider (Eye Care Leaders)
Empress Ambulance Service LLC NY Healthcare Provider 318,558 Ransomware attack
Cytometry Specialists, Inc. d/b/a CSI Laboratories GA Healthcare Provider 244,850 Business email compromise (BEC) attack
FMC Services, LLC TX Healthcare Provider 233,948 Hacked network server
Physician’s Business Office, Inc. WV Business Associate 196,673 Hacked network server
Providence WA Anesthesia Services PC NY Healthcare Provider 98,643 Hacked network server at management company
Medical Associates of the Lehigh Valley PA Healthcare Provider 75,628 Ransomware attack
Dyersburg Family Walk-In Clinic, LLC (Reelfoot Family Walk-In Clinic) TN Healthcare Provider 58,562 Hacked network server (data theft confirmed)
Palm Springs Anesthesia Services PC NY Healthcare Provider 58,513 Hacked network server at management company
Reiter Affiliated Companies, LLC CA Business Associate 48,000 Ransomware attack at a business associate
Reiter Affiliated Health and Welfare Plan CA Health Plan 45,000 Ransomware attack
Anesthesia Services of San Joaquin PC NY Healthcare Provider 44,015 Hacked network server at management company
Anesthesia Associates of El Paso PA NY Healthcare Provider 43,168 Hacked network server at management company
The Physicians’ Spine and Rehabilitation Specialists of Georgia, P.C. GA Healthcare Provider 38,765 Hacked network server
Country Doctor Community Clinic WA Healthcare Provider 38,751 Hacked network server
Resource Anesthesiology Associates PC NY Healthcare Provider 37,697 Hacked network server at management company
Lubbock Heart & Surgical Hospital TX Healthcare Provider 23,379 Hacked network server
Genesis Health Care, Inc. SC Healthcare Provider 21,226 Hacked network server
Resource Anesthesiology Associates of IL PC NY Healthcare Provider 18,321 Hacked network server at management company
Bronx Anesthesia Services PC NY Healthcare Provider 17,802 Hacked network server at management company
Resource Anesthesiology Associates of CA A Medical Corporation CA Healthcare Provider 16,001 Hacked network server at management company
Monroe Ear Nose and Throat Associates, PC MI Healthcare Provider 14,500 Hacked network server hosting EHRs
Magellan Rx Management MD Business Associate 13,663 Hacked network server
Hazleton Anesthesia Services PC NY Healthcare Provider 13,607 Hacked network server at management company
Riverside Medical Group NJ Healthcare Provider 12,499 Hacked legacy server containing EHRs
Anesthesia Associates of Maryland LLC MD Healthcare Provider 12,403 Hacked network server at management company
Northern California Fertility Medical Center CA Healthcare Provider 12,145 Ransomware attack
Neurology Center of Nevada NV Healthcare Provider 11,700 Hacking incident involving EHRs
Dr. Alexander J. Richardson, DPM OH Healthcare Provider 11,300 Hacking incident involving EHRs
WellMed Medical Management TX Healthcare Provider 10,506 A physician took records to his new practice

Causes of September 2022 Data Breaches

As is now the norm, the majority of the month’s data breaches were categorized as hacking/IT incidents, which include hacking, ransomware and malware attacks, phishing attacks, and misconfigured databases and cloud resources.

Causes of September 2022 healthcare data breaches

52 breaches – 82% of the month’s total – were hacking/IT incidents, which resulted in the exposure and/or theft of the records of 2,410,654 individuals. The average breach size was 46,359 records and the median breach size was 12,274 records. These incidents accounted for 98.78% of all records breached in September.

Ransomware is commonly used in attacks on hospitals to prevent access to business-critical files and patient records. These attacks typically involve data theft prior to file encryption with the attackers threatening to sell or publish the stolen data if the ransom is not paid. Several threat actors have now dispensed with the file encryption and are just stealing data and demanding payment to prevent its sale or release. That makes the attacks quicker and easier for the attackers and ransoms are still often paid. These extortion-only attacks have been increasing in recent months.

There were 7 reported unauthorized access/disclosure incidents reported, which include unauthorized access by employees, misdirected emails, and mailing errors. Across the 7 breaches, the records of 24,639 individuals were impermissibly disclosed. The average breach size was 3,250 records and the median breach size was 1,359 records.

There were 4 data breaches reported that involved the loss or theft of electronic devices that contained individually identifiable protected health information. Those devices contained 5,141 records. The average breach size was 1,285 records and the median breach size was 1,207 records. These incidents could have been avoided had data on the devices been encrypted.

The number of email-related data breaches is below the levels normally seen, with just 7 email data breaches reported. However, data from the ransomware remediation firm Coveware suggests email is still the most common way that threat actors gain access to networks in ransomware attacks. One of the largest data breaches reported this month – at CSI Laboratories – saw threat actors gain access to email accounts containing the records of almost 245,000 individuals. The email account was then used in a business email compromise attack to try to reroute CSI customer healthcare provider payments.

locatioon of PHI in september 2022 healthcare data breaches

HIPAA-Regulated Entities Affected by Data Breaches

Healthcare providers were the worst affected entity in September with 46 data breaches reported, with 10 breaches reported by business associates and 7 breaches reported by health plans. Healthcare providers and health plans often choose to report breaches at business associates themselves, as was the case in 7 data breaches at business associates in September. The pie chart below reflects this and shows where the data breaches actually occurred.

September 2022 healthcare data breaches - entities reporting

Healthcare Data Breaches by State

HIPAA-regulated entities in 22 states reported data breaches in September. New York was the worst affected state with 15 breaches reported. 13 of the breaches were reported by providers of anesthesia services – The breach actually occurred at their management company.

State Breaches
New York 15
California 8
Tennessee & Washington 5
Florida & Texas 4
Georgia 3
Indiana, Maryland, New Jersey, & Pennsylvania 2
Colorado, Connecticut, Iowa, Michigan, Montana, Nebraska, Nevada, Ohio, Rhode Island, South Carolina, & Wisconsin 1

HIPAA Enforcement Activity in September

The HHS’ Office for Civil Rights agreed to settle HIPAA violations with three healthcare providers in September. All three of the settlements resolved violations of the HIPAA Right of Access, where patients were not provided with timely access to their medical records. All three cases were investigated by OCR after patients filed complaints that they had not been provided with their requested medical records. Great Expressions Dental Center of Georgia was also discovered to have overcharged a patient for providing a copy of her medical records.

Great Expressions Dental Center of Georgia, P.C. settled its case for $80,000, Family Dental Care, P.C. settled its case for $30,000, and B. Steven L. Hardy, D.D.S., LTD, dba Paradise Family Dental, settled its care for $25,000,  All three settlements involved a corrective action plan to address the areas of non-compliance.

OCR has now imposed 20 financial penalties on HIPAA-regulated entities to resolve HIPAA violations so far this year – more than any year to date.

The post September 2022 Healthcare Data Breach Report appeared first on HIPAA Journal.

When Can PHI be Disclosed?

Most sources of information answering the question when can PHI be disclosed refer to the standards of the HIPAA Privacy Rule that specify the required and permissible uses and discloses of PHI, and those that require the consent or authorization of the individual (§164.502 – §164.514).

However, it is important to be aware that there are inconsistencies within these standards. Scenarios exist when “permissible” disclosures are actually “required” disclosures, when only a limited amount of information can be provided in a permissible disclosure, and when PHI can be disclosed for purposes other than those listed in the Privacy Rule.

It is also important to be aware that the Privacy Rule has limited scope inasmuch as It only applies to Covered Entities and Business Associates (subject to the contents of a Business Associate Agreement). Any healthcare provider that is not a Covered Entity – or any organization not covered by HIPAA – is not required to comply with the standards for when can PHI be disclosed.

When Can PHI be Disclosed According to the Privacy Rule?

The standards of the Privacy Rule distinguish between when PHI has to be disclosed, when PHI can be disclosed, and when PHI must only be disclosed if a written authorization exists from the subject of the PHI or their personal representative. There is also a standard for occasions when an individual should be given an opportunity to agree or object to a disclosure of PHI.

When Does PHI Have to be Disclosed?

According to the Privacy Rule, PHI has to be disclosed when an individual requests access to it or when HHS´ Office for Civil Rights is conducting an audit, an investigation, or a compliance review. Other than in these two scenarios, disclosures of PHI are “permitted” by the Privacy Rule or require a written authorization from the subject of the PHI or their personal representative.

When Can PHI be Disclosed?

There are many scenarios in which PHI can be disclosed but the disclosure is not “required” (according to the Privacy Rule). These include, but are not limited to:

  • Disclosures to the individual or their personal representative other than access requests or requests for an accounting of disclosures.
  • Disclosures for treatment, payment, and healthcare operations (TPOs). This includes disclosures to external healthcare providers for treatment purposes.
  • Disclosures as required by other federal laws or state legislation – for example, to report abuse, neglect, or domestic violence.
  • Disclosures for the twelve public interest and benefit activities listed in 164.512 – subject to compliance with the Minimum Necessary Standard.
  • When PHI is disclosed in a Limited Data Set for the purposes of research or public health subject to a data use agreement being in place.
  • When a Covered Entity of Business Associate receives a subpoena for medical records in connection with a judicial or administrative proceeding.

Which Disclosures Require an Authorization?

Practically all other disclosures of PHI require a written authorization from the subject of the PHI or their personal representative. This includes “protected” disclosures such as the disclosure of psychotherapy notes and substance abuse disorder records, as well as disclosures for marketing and fundraising – which the subject of the PHI has the right to revoke at any time.

The Opportunity to Agree or Object

The exception to the authorization requirement is when an individual has the opportunity to informally agree or object to a disclosure of PHI. Cases in which this option exists are limited to inclusion in a hospital directory and for notifying family and friends of an admission. However, if the individual is unable to agree or object, Covered Entities can make a good-faith judgment instead.

What Inconsistencies Exist within these Standards?

It is important for Covered Entities and Business Associates to be aware that inconsistencies exist in the Privacy Rule standards to ensure PHI is not inadvertently disclosed – or withheld. It was mentioned above that scenarios exist when “permissible” disclosures are actually “required” when only a limited amount of information can be provided in a permissible disclosure, and when PHI can be disclosed for purposes other than those listed in the Privacy Rule. Here are a few examples:

It would have been impossible for the Department of Health and Human Services to predict state legislation in respect of the mandatory reporting of abuse, neglect, and domestic violence at the time the Privacy Rule was published; but federal laws – such as OSHA – existed and had mandatory reporting requirements. Under these reporting requirements, the disclosure of PHI is required (by OSHA) rather than permissible – an inconsistency that has raised issues in the past.

With regards to limited “permissible” disclosures, these can limit what PHI can be disclosed to less than the minimum necessary. An example of this inconsistency occurs with regard to the identification of a suspect, fugitive, witness, or missing person. In such cases, Covered Entities may not be able to provide law enforcement officers with sufficient PHI to achieve the intended purpose because they are not allowed (amongst other things) to disclose photos of the individual.

The issue of when can PHI be disclosed for purposes other than those listed in the Privacy Rule depends on what information is being disclosed and whether it is maintained in a designated record set. For example, car license numbers are considered PHI if they are maintained in a designated record set along with health information; but, if a patient´s car is blocking an emergency exit, is it acceptable to request the car is moved over a Public Address system? The Privacy Rule says no!

When Can PHI be Disclosed by Other Organizations?

Not all organizations that collect, receive, maintain, or transmit PHI are subject to the HIPAA Privacy Rules for uses and disclosures. For example, a healthcare provider that accepts payments directly from patients is not a Covered Entity under HIPAA because they do not conduct transactions for which the Department of Health and Human Services has developed standards. Whether or not they can disclose PHI will be subject to state privacy legislation rather than HIPAA.

Also not subject to the Privacy Rule are vendors of Personal Health Devices (although they are subject to the Breach Notification Rule) and payment processors. Payment processors such as PayPal and Venmo are known to disclose data to advertisers, and therefore it is important Covered Entities only use services that are not subject to the Privacy Rule when a payment is initiated by a patient. Covered Entities should never request a payment nor create an invoice using an unsecure service.

It is also important that Covered Entities conduct due diligence on potential Business Associates before entering into a Business Associate Agreement to ascertain if they use third-party services that are not subject to the Privacy Rule. If the third party was to disclose PHI without the Business Associate first entering into a Business Associate Agreement with the third party – for example, PayPal will not sign a Business Associate Agreement – the Covered Entity could be considered liable for any breach of unsecured PHI. If doubts remain about when can PHI be disclosed, seek professional compliance advice.

The post When Can PHI be Disclosed? appeared first on HIPAA Journal.