HIPAA Compliance News

Is it Okay to Share ePHI via a Business Password Manager?

One of the capabilities of many business password managers is the ability to send encrypted messages to any recipient. Often this capability is used to securely share login credentials or other confidential data. But is it okay to share ePHI via a business password manager?

Over the past few years, the capabilities of business password managers – particularly vault-based password managers – have grown significantly. For example, whereas SSO integration was once big news, these days we are talking more about password-less logins and it has been estimated that biometric facial recognition hardware will be present in 90% of smartphones by 2024.

With regards to the ability to send encrypted messages, this first started as a means of sending passwords to users in the same business subscription. It evolved into sending notes, files, and other data to users in the same business subscription, and then further evolved to sending encrypted messages of any kind to any recipient regardless of whether they are using a password manager.

Why Share ePHI via a Business Password Manager?

There are many circumstances when healthcare providers or other members of a Covered Entity´s workforce need to send or request ePHI to or from a colleague or Business Associate. In many cases, the colleague or Business Associate may not be in the same communications network – raising the issue of how to transmit ePHI securely in compliance with the HIPAA Security Rule.

The most common forms of communication – such as SMS, IM, email, etc. – are not suitable because they lack the necessary features to fulfil the requirements of the Technical Safeguards – for example, access controls, automatic logoff, encryption, audit controls, etc. However, most business password managers do have the necessary features to send and receive ePHI compliantly.

These features enable users to share ePHI via a business password manager securely without risking an impermissible disclosure of ePHI and facilitate “the flow of health information needed to provide and promote high-quality healthcare” – a major goal of the HIPAA Privacy Rule. However, in order to share ePHI via a business password manager in full compliance with HIPAA, the vendor of the password manager must sign a Business Associate Agreement. Not all are willing to do so.

Is a Business Associate Agreement Necessary?

In 2016, the Department of Health & Human Services (HHS) published an FAQ regarding whether or not a Cloud Service Provider is excluded from the definition of a Business Associate if the Cloud Service Provider cannot access ePHI stored in the cloud because it is encrypted and the Cloud Service Provider does not have the decryption key.

The answer was that a Cloud Service Provider is not excluded under the “conduit exception rule” because conduits such as the U.S. Postal Service, Fed-Ex, and DHL are transmission services and the temporary storage of PHI while it is in the conduit´s possession is incident to the transmission, while the temporary storage of ePHI with a Cloud Service Provider is persistent.

HHS stated in the FAQ that “a Cloud Service Provider that maintains ePHI for the purpose of storing it will qualify as a Business Associate […] even if the Cloud Service Provider does not actually view the information”. Substitute password manager vendors for Cloud Service Providers, and it is clear a Business Associate Agreement is necessary to share ePHI via a business password manager.

Which Vendors will Sign a Business Associate Agreement?

Not many, despite claiming to have HIPAA-compliant password managers. 1Password and Keeper – the two most popular password managers in the U.S. – both state they do not qualify as Business Associates because of their zero knowledge architectures (which is incorrect). LastPass and NordPass have such incorrect information about HIPAA on their websites that we strongly suspect they don´t understand a Business Associate Agreement is necessary. Most others keep quiet about the issue.

Among those that do publicly state they are willing to sign a Business Associate Agreement, Bitwarden and Zoho Vault are the most well-known. Of the two, Zoho Vault is the most feature-rich; but at nearly 50% more expensive per user than Bitwarden, Zoho Vault could work out to be unnecessarily expensive if you are not going to use all the features you are paying for. Additionally, Bitwarden passed a HIPAA Security Rule Assessment Report conducted by AuditOne in 2020.

In conclusion, it is okay to share ePHI via a business password manager, provided that the password manager has been configured to comply with the Technical Safeguards of the Security Rule and the vendor of the password manager has signed a Business Associate Agreement. If the vendor is unwilling to sign a Business Associate Agreement, it is not possible to share ePHI via a business password manager without violating HIPAA.

The post Is it Okay to Share ePHI via a Business Password Manager? appeared first on HIPAA Journal.

What Happens after a HIPAA Complaint is Filed?

What happens after a HIPAA complaint is filed can vary according to who it is filed with, whether or not the complaint is justified, and the nature of the complaint.

When you register with a healthcare provider or become a member of a group health plan, you are given a Notice of Privacy Practices. The Notice of Privacy Practices explains how the healthcare provider or health plan can use or disclose your health information and also what rights you have to restrict specific uses and disclosures and request a copy of any health information held about you.

The Notice of Privacy Practices should also provide details of who you can complain to if you think a healthcare provider or health plan has used or disclosed your health information impermissibly, or if your rights have been violated. Usually, the contact details are those of the organization´s Privacy Office and the Department of Health & Human Services´ Office for Civil Rights.

It is also possible to file a complaint with your State Attorney General. However, the majority of states require that you complain to the organization before filing a complaint with the State Attorney General. For this reason, it is important to keep copies of any correspondence between you and the organization, and records of who you spoke with and when if complaining by phone.

What Happens after a HIPAA Complaint is Filed with an Organization?

There is no HIPAA-mandated process for what happens after a HIPAA complaint is filed with a healthcare provider or health plan, so the process is likely to vary from organization to organization. However, the Privacy Rule states that all complaints have to be documented, so the first thing that will happen is that you will receive an acknowledgement of your complaint.

Healthcare providers and health plans are aware that if they do not respond to your complaint satisfactorily and in a timely manner, you have the right to escalate the complaint to HHS´ Office for Civil Rights or your State Attorney General. Therefore, as regulatory investigations can be disruptive and attract indirect costs, your complaint will be reviewed as a matter of priority.

If the review identifies a potential HIPAA violation, it will be investigated further. An investigation can result in several outcomes.

  • If no violation is identified, you should receive a communication explaining why.
  • If a minor violation is identified, the organization will likely take steps to rectify it.
  • If a more serious violation is identified, the organization may escalate your complaint to HHS´ Office for Civil Rights for technical assistance or to report a data breach.

If you are dissatisfied with the response from your healthcare provider or health plan – or you fail to hear from them in a timely manner – you can escalate the complaint to HHS´ Office for Civil Rights or your State Attorney General. Unlike complaining to a State Attorney General, HHS´ Office for Civil Rights does not require you to have complained to the organization before complaining to them.

What Happens after a HIPAA Complaint is Filed with HHS´ Office for Civil Rights?

When a complaint is filed with HHS´ Office for Civil Rights, the complaint is reviewed to establish the agency has the authority to investigate, the complaint is made within 180 days of the alleged violation, and that the complaint relates to a violation of the Privacy, Security, or Breach Notification Rules. Around two-thirds of complaints are rejected at the review stage because the complaint is made against an organization not subject to HIPAA, is too late, or no violation has occurred.

If a complaint passes the review stage, HHS´ Office for Civil Rights will contact the healthcare provider or health plan to attempt an informal resolution to the complaint – for example, by providing technical assistance. If a more serious violation is identified, HHS´ Office for Civil Rights will conduct a full-scale investigation into the organization´s compliance, with the possible outcomes being technical assistance, a more formal corrective action plan, or a civil money penalty.

The process is much the same when a complaint is filed with a State Attorney General, and both the HHS´ Office for Civil Rights and State Attorneys General will inform a complainant of the outcome of their complaint once it is resolved. The only exception to this process is when a possible criminal violation of HIPAA is identified by either HHS´ Office for Civil Rights – in which case the complaint is escalated to the Department of Justice for investigation.

What Happens after a HIPAA Complaint is Filed?

The post What Happens after a HIPAA Complaint is Filed? appeared first on HIPAA Journal.

Understanding the HIPAA Medical Records Destruction Rules

Some of the biggest fines for HIPAA violations have been for failing to comply with the medical records destruction rules. Consequently, it is vital Covered Entities and Business Associates are aware how to destruct medical records compliantly.

Each state has its own requirements for retaining medical records; and, in some cases, certain types of medical records have to be retained for longer periods than others. Federal laws can also dictate how long specific records have to be retained (i.e., OSHA 1910.1200(g)), and if these records are maintained in a designated record set, they are considered to PHI and Covered Entities are required to keep them until the retention period expires.

Although HIPAA has document retention requirements, there are no minimum retention periods for medical records. However, the Privacy Rule does require that Covered Entities implement appropriate administrative, technical, and physical safeguards to protect the privacy of medical records for whatever period the records are maintained by the Covered Entity. This requirement also applies to the destruction of medical records.

The HIPAA Medical Records Destruction Rules

Although there are no specific HIPAA medical records destruction rules, the Privacy Rule requires Covered Entities to determine what steps are reasonable to safeguard medical records through the destruction process and develop and implement policies and procedures to carry out those steps. In determining what is reasonable, Covered Entities should assess potential risks to patient privacy in the context of what form the information is in and how it is being destructed

Additionally, the Security Rule requires Covered Entities and Business Associates to develop and implement policies and procedures to facilitate the compliant destruction of electronic PHI and/or media on which it is stored. Any members of the workforce involved in the destruction process, or who supervise other members of the workforce responsible for destructing medical records in compliance with HIPAA must receive training on the PHI destruction policies and procedures.

Failing to implement reasonable safeguards to protect PHI in connection with its destruction could result in impermissible disclosures of PHI, and several Covered Entities have received substantial fines for failing to comply with the HIPAA medical records destruction rules:

  • In 2009, CVS Pharmacy Inc. was one of the first Covered Entities to reach a financial settlement for a HIPAA violation – the company agreeing to a $2.25 million settlement for the improper disposal of PHI.
  • The following year, the pharmacy chain Rite Aid agreed to pay $1 million to settle a similar HIPAA violation; and, a few years, the independent Cornell Prescription Pharmacy had to pay $125,000 for also disposing of PHI improperly.
  • It is not just pharmacies who fail to comply with the HIPAA medical records destruction rules. In 2013, the former owners of a medical billing practice were fined $140,000 for disposing of 67,000 medical records in a public dump.
  • More recently, the New England Dermatology and Laser Center agreed to settle an investigation into the improper destruction of medical records for $300,640 and implement a Corrective Action Plan for two years – which will incur further indirect costs.

How to Destruct Medical Records in Compliance with HIPAA

HHS´ Office for Civil Rights has previously released guidance on how to destruct medical records in compliance with HIPAA. With regards to paper records, the agency suggests “shredding or otherwise destroying PHI […]so the PHI is rendered essentially unreadable, indecipherable, and otherwise cannot be reconstructed prior to it being placed in a dumpster or other trash receptacle”.

With regards to the bulk destruction of PHI, the agency suggests depositing PHI in locked dumpsters that are only accessible by authorized persons or maintaining PHI in a secure area until such time as a disposal company removes it to destroy it professionally. In such circumstances, it will be necessary to enter into a Business Associate Agreement with the entity responsible for destructing the records.

With regards to ePHI stored electronically HHS´ Office for Civil Rights advocates clearing and purging electronic media, or destroying the media by disintegration, pulverization, melting, incinerating, or shredding. It is important to note that some clearing and purging techniques are not 100% effective on modern hard drives, and it may be possible to recover deleted data in some cases.

It is also important to note that some states have more stringent medical records destruction rules than HIPAA; and, in some states, any organization that creates, maintains, or transmits personal health information may be subject to medical records destruction rules – not just HIPAA Covered Entities and Business Associates. If you are unsure which medical records destruction rules apply to your organization, it is recommended you seek professional compliance advice.

The post Understanding the HIPAA Medical Records Destruction Rules appeared first on HIPAA Journal.

30 Senators Call for HIPAA Privacy Rule Update to Better Protect Women’s Privacy

A group of 30 senators is urging the Department of Health and Human Services to update the Health Insurance Portability and Accountability Act (HIPAA) to better protect the privacy of patients’ reproductive health information in the wake of the Supreme Court decision on Dobbs v. Jackson Women’s Health Organization and the overturning of Roe Vs Wade, which removed the Federal right to an abortion that had existed for almost 50 years. Following the decision, several states have either banned abortion for state residents or implemented restrictions, with some already seeking to investigate and punish women for seeking abortion care.

The senators, led by Senate Committee on Health, Education, Labor and Pensions (HELP) Chair Patty Murray (D-Wa.), wrote to HHS Secretary, Xavier Becerra, calling for further rulemaking to update the HIPAA Privacy Rule to broadly restrict HIPAA-regulated entities from sharing individuals’ reproductive health information without explicit consent, specifically the sharing of that information with law enforcement, or related to civil or criminal proceedings premised on the provision of abortion care. The senators are calling for the update “to protect patients, and their providers, from having their health information weaponized against them.”

This is the second such request to be sent to Becerra to update the HIPAA Privacy Rule with respect to reproductive healthcare information following the Supreme Court decision. In July 2022, Sens Michael Bennet (D-CO) and Catherine Cortez Masto (D-NV) wrote to Secretary Becerra requesting a HIPAA Privacy Rule update to improve patients’ reproductive healthcare rights.

Confusion About Permitted and Required Disclosures of PHI to Law Enforcement

HIPAA was passed by Congress in 1996, with the legislation calling for the HHS to issue regulations that ensured the privacy of personal health information, which led to the HIPAA Privacy Rule being penned in 2000 to limit uses and disclosures of protected health information unless consent is obtained. The HIPAA Privacy Rule has been updated several times since, with the senators now calling for a further update. “In order for patients to feel comfortable seeking care, and for health care personnel to provide this care, patients and providers must know that their personal health information, including information about their medical decisions, will be protected,” wrote the senators.

They explained that since the Dobbs decision, there has been widespread confusion among healthcare providers about when they are required to provide patients’ health information to state and local law enforcement. Some healthcare providers felt they were legally required to hand over that information when the HIPAA Privacy Rule only permits information to be provided to law enforcement. There have also been cases of healthcare providers being unaware that certain disclosures of reproductive health information are not permitted under HIPAA. “Stakeholders have even described clashes between providers and health care system administrators on whether certain information must be shared. Many of these issues seem to arise from misunderstandings of what the HIPAA Privacy Rule requires of regulated entities and their employees,” wrote the senators.

As more states introduce bans on abortions or implement laws that severely restrict access to abortion care, the confusion is likely to grow. Some states have implemented laws that criminalize abortion providers and also make it illegal for anyone to aid or abet an abortion, which means that any healthcare professional could be exposed to legal liability, from a referring provider to a receptionist. Some state legislators are proposing laws that will ban state residents from visiting another state to have an abortion. “In many cases, these laws have been used to disproportionately criminalize or surveil women of color for their pregnancy loss,” warn the senators.

The senators warn that prohibiting access to abortions and undermining health information privacy will likely have devastating consequences for women’s health. If there is a threat of legal action, many women may delay or avoid disclosing a pregnancy or avoid seeing prenatal care. They may also avoid seeking care for medical conditions such as arthritis or cancer, where the treatment could impact their pregnancy, and healthcare providers may hesitate to provide certain treatments. There are fears that women who are experiencing complications from pregnancy or abortion may avoid seeking essential emergency care, which could have profound health consequences.

Prompt Rulemaking Requested to Update the HIPAA Privacy Rule

The senators explained that HIPAA has protected patient privacy for more than 20 years and recognized the need for stronger protections to be in place for highly sensitive information such as psychotherapy notes, and suggest similar restrictions are required for reproductive health information. The senators praised the efforts of the HHS after the Dobbs decision, which included issuing guidance on the requirements of the HIPAA Privacy Rule with respect to information related to reproductive care, but have called for further proactive steps to be taken to strengthen patient privacy protections.

In addition to broadly restricting HIPAA-regulated entities from sharing reproductive health information without explicit consent for law enforcement, civil, or criminal proceedings premised on the provision of abortion care, the senators have called for the HHS to increase its efforts to engage and educate the healthcare community about the obligations of HIPAA-regulated entities under the HIPAA Privacy Rule, including explaining the difference between permitted and required disclosures of PHI, best practices for educating patients and health plan enrollees on their privacy rights, and how HIPAA interacts with state laws.

They have called for the HHS to expand its efforts to educate patients about their rights under the HIPAA Privacy Rule and to ensure cases involving reproductive health information receive timely, appropriate attention for compliance and enforcement activities.

The post 30 Senators Call for HIPAA Privacy Rule Update to Better Protect Women’s Privacy appeared first on HIPAA Journal.

Melanie Fontes-Rainer Appointed Director of the HHS’ Office for Civil Rights

U.S Department of Health and Human Services Director Xavier Becerra has formally sworn in Melanie Fontes Rainer as the new Director of the HHS’ Office for Civil Rights (OCR).  Fontes Rainer will lead the department’s enforcement of federal civil rights and HIPAA compliance and will direct the department’s policy and strategic initiatives.

Fontes Rainer previously served as Acting Director, replacing Lisa J. Pino who left the post in July 2022 after 11 months as Director. Prior to joining OCR, Fontes Rainer served as Counselor to Secretary Becerra and provided strategy guidance on issues pertaining to civil rights, patient privacy, reproductive health, the Affordable Care Act (ACA), competition in healthcare, equity, and the private insurance market. In that role, she led the implementation of the No Surprises Act, which has helped to improve the transparency of medical billing and save consumers money. Fontes Rainer sits on the White House Task Force on Reproductive Healthcare Access, and recently advised the Secretary and the Administration on how best to respond to the Supreme Court decision on Dobbs v. Jackson Women’s Health Organization. Fontes Rainer has also served as the Secretary’s designee on the White House Competition Council, leading cross-cutting Department work and a whole-of-Government approach on price transparency, costs, and competition to benefit American consumers.

Prior to joining the Biden-Harris Administration, Fontes Rainer served as Special Assistant to the Attorney General and Chief Health Care Advisor at the California Department of Justice. In that role, she led a national team to save the Affordable Care Act and protect healthcare coverage for more than 133 million Americans. In her role as Special Assistant, Fontes Rainer assisted with the creation of the Health Care Rights and Access – a new office devoted to proactively advancing laws pertaining to health care civil rights, privacy, competition, and consumer protection. Fontes Rainer has also served in the U.S. Senate as a Senior Aide and Women’s Policy Director to Chair Patty Murray on the Health, Education, Labor and Pensions and the Budget Committees, where she helped pass several transformative health care laws, including the 21st Century Cures Act, Every Student Succeeds Act, and the Justice for Victims of Trafficking Act, among other laws and led the Senate’s work on the Affordable Care Act, reproductive rights, and gender equity.

“Melanie has devoted her entire professional career to public service and has worked tirelessly to ensure that health care is accessible, affordable, and available to all, no matter where you live or who you are,” said Secretary Becerra. “As one of my longtime senior aides, I can say with certainty that Melanie will vigorously protect and enforce the healthcare and civil rights of Americans across the country. Melanie’s commitment and expertise are vital to implementing the health and human services priorities of the Biden-Harris Administration as we work to ensure families across the country know that we have their back.”

The post Melanie Fontes-Rainer Appointed Director of the HHS’ Office for Civil Rights appeared first on HIPAA Journal.

Improper Disposal of PHI Results in $300,640 HIPAA Penalty

Massachusetts-based New England Dermatology P.C., dba New England Dermatology and Laser Center (NDELC), has agreed to settle a HIPAA violation case with the HHS’ Office for Civil Rights (OCR) and has paid a $300,640 penalty to resolve alleged violations of the HIPAA Privacy Rule.

On May 11, 2021, NDELC notified OCR about a privacy breach involving the protected health information of 58,106 patients. On March 31, 2021, NDELC disposed of empty specimen containers in a regular dumpster in the MDELC parking lot. The containers had labels that included patients’ names, dates of birth, sample collection date, and the names of the providers that took the specimens. OCR investigated the incident and NDELC revealed it was a standard practice to dispose of empty specimen containers with regular waste, and that practice had been in effect from February 4, 2011, until March 31, 2021.

The administrative safeguards of the HIPAA Privacy Rule – 45 C.F.R. § 164.530(c) – require appropriate administrative, technical, and physical safeguards to be implemented to protect the privacy of protected health information. Covered entities must reasonably safeguard protected health information to limit incidental uses or disclosures, and must reasonably safeguard protected health information from any intentional or unintentional use or disclosure. When protected health information no longer needs to be legally retained it must be disposed of securely, which means protected health information must be essentially rendered unreadable, indecipherable, and otherwise cannot be reconstructed prior to disposal.

In addition to a violation of 45 C.F.R. § 164.530(c), OCR determined there had been an impermissible disclosure of PHI to unauthorized individuals, in violation of 45 C.F.R. § 164.502(a). NDELC chose to settle the case with no admission of liability. In addition to paying a financial penalty, NDELC has agreed to implement a corrective action plan, which includes two years of monitoring.

“Improper disposal of protected health information creates an unnecessary risk to patient privacy,” said Acting OCR Director Melanie Fontes Rainer. “HIPAA regulated entities should take every step to ensure that safeguards are in place when disposing of patient information to keep it from being accessible by the public.” Rainer replaced Lisa J. Pino in July 2022. Pino held the post of OCR Director for 10 months.

It has been a busy year of HIPAA enforcement for OCR. In 2022, 17 HIPAA cases have been resolved with financial penalties, just two short of the record of 19 financial penalties set in 2020.

The post Improper Disposal of PHI Results in $300,640 HIPAA Penalty appeared first on HIPAA Journal.

1H 2022 Healthcare Data Breach Report

Ransomware attacks are rife, hacking incidents are being reported at high levels, and there have been several very large healthcare data breaches reported so far in 2022; however, our analysis of healthcare data breaches reported in 1H 2022, shows that while data breaches are certainly being reported in high numbers, there has been a fall in the number of reported breaches compared to 1H 2021.

Between January 1, 2022, and June 30, 2022, 347 healthcare data breaches of 500 or more records were reported to the Department of Health and Human Services’ Office for Civil Rights (OCR) – the same number of data breaches reported in 2H, 2021. In 1H, 2021, 368 healthcare data breaches were reported to OCR, 21 fewer breaches than the corresponding period this year. That represents a 5.71% reduction in reported breaches.

Reported healthcare data breaches - 1H 2022

The number of healthcare records breached has continued to fall. In 1H, 2021, 27.6 million healthcare records were breached. In 2H, 2021, the number of breached records fell to 22.2 million, and the fall continued in 1H, 2022, when 20.2 million records were breached. That is a 9.1% fall from 2H, 2021, and a 26.8% reduction from 1H, 2021.

breached healthcare records - 1H 2022

While it is certainly good news that data breaches and the number of breached records are falling, the data should be treated with caution, as there have been some major data breaches reported that are not yet reflected in this breach report – Data breaches at business associates where only a handful of affected entities have reported the data breaches so far.

One notable breach is a ransomware attack on the HIPAA business associate, Professional Finance Company. That one breach alone affected 657 HIPAA-covered entities, and only a few of those entities have reported the breach so far. Another major business associate breach, at Avamere Health Services, affected 96 senior living and healthcare facilities. The end-of-year breach report could tell a different story.

Largest Healthcare Data Breaches in 1H 2022

1H 2022 Healthcare Data Breaches of 500 or More Records
500-1,000 Records 1,001-9,999 Records 10,000- 99,000 Records 100,000-249,999 Records 250,000-499,999 Records 500,000 – 999,999 Records 1,000,000+ Records
61 132 117 20 7 6 4

 

Name of Covered Entity State Covered Entity Type Individuals Affected Type of Breach Business Associate Data Breach Cause of Data Breach
Shields Health Care Group, Inc. MA Business Associate 2,000,000 Hacking/IT Incident Yes Unspecified cyberattack
North Broward Hospital District (Broward Health) FL Healthcare Provider 1,351,431 Hacking/IT Incident No Cyberattack through the office of 3rd party medical provider
Texas Tech University Health Sciences Center TX Healthcare Provider 1,290,104 Hacking/IT Incident Yes Ransomware attack on EHR provider (Eye Care Leaders)
Baptist Medical Center TX Healthcare Provider 1,243,031 Hacking/IT Incident No Unspecified cyberattack
Partnership HealthPlan of California CA Health Plan 854,913 Hacking/IT Incident No Ransomware attack
MCG Health, LLC WA Business Associate 793,283 Hacking/IT Incident Yes Unspecified hacking and data theft incident
Yuma Regional Medical Center AZ Healthcare Provider 737,448 Hacking/IT Incident No Ransomware attack
Morley Companies, Inc. MI Business Associate 521,046 Hacking/IT Incident Yes Unspecified hacking and data theft incident
Adaptive Health Integrations ND Healthcare Provider 510,574 Hacking/IT Incident No Unspecified hacking incident
Christie Business Holdings Company, P.C. IL Healthcare Provider 502,869 Hacking/IT Incident No Unauthorized access to email accounts
Monongalia Health System, Inc. WV Healthcare Provider 492,861 Hacking/IT Incident No Unspecified hacking incident
ARcare AR Healthcare Provider 345,353 Hacking/IT Incident No Malware infection
Super Care, Inc. dba SuperCare Health CA Healthcare Provider 318,379 Hacking/IT Incident No Unspecified hacking incident
Cytometry Specialists, Inc. (CSI Laboratories) GA Healthcare Provider 312,000 Hacking/IT Incident No Ransomware attack
South Denver Cardiology Associates, PC CO Healthcare Provider 287,652 Hacking/IT Incident No Unspecified hacking incident
Stokes Regional Eye Centers SC Healthcare Provider 266,170 Hacking/IT Incident Yes Ransomware attack on EHR provider (Eye Care Leaders)
Refuah Health Center NY Healthcare Provider 260,740 Hacking/IT Incident No Ransomware attack

Causes of 1H 2022 Healthcare Data Breaches

Hacking and other IT incidents dominated the breach reports in 1H 2022, accounting for 277 data breaches or 79.83% of all breaches reported in 1H. That represents a 7.36% increase from 2H, 2021, and a 6.44% increase from 1H, 2021. Across the hacking incidents in 1H, 2022, the protected health information of 19,654,129 individuals was exposed or compromised – 97.22% of all records breached in 1H, 2022.

That represents a 6.51% reduction in breached records from 2H, 2021, and a 26.56% reduction in breached records from 1H, 2021, showing that while hacking incidents are being conducted in very high numbers compared to previous years, the severity of those incidents has reduced.

The average hacking/IT incident breach size was 70,954 records in 1H, 2022 and the median breach size was 10,324 records. In 2H, 2022, the average breach size was 81,487 records with a median breach size of 5,989 records, and in 1H, 2021, the average breach size was 96,658 records and the median breach size was 6,635 records.

In 1H, 2022, there were 52 unauthorized access/disclosure breaches reported – 14.99% of all breaches in 1H, 2022. These incidents resulted in the impermissible disclosure of 278,034 healthcare records, 72.33% fewer records than in 2H, 2021, and 61.37% fewer records than in 1H, 2021. In 1H, 2022, the average breach size was 5,347 records and the median breach size was 1,421 records. In 1H, 2021, the average breach size was 14,778 records and the median was 1,946 records. In 1H, 2021, the average breach size was 9,725 records, and the median breach size was 1,848 records.

The number of loss, theft, and improper disposal incidents has remained fairly constant over the past 18 months, although the number of records exposed in these incidents increased in 1H, 2022 to 279,266 records, up 217.33% from 2H, 2021, and 422.53% from 1H, 2021.

Location of Breached Protected Health Information

Protected health information is stored in many different locations. Medical records are housed in electronic medical record systems, but a great deal of PHI is included in documents, spreadsheets, billing systems, email accounts, and many other locations. The chart below shows the locations where PHI was stored. In several security breaches, PHI was breached in several locations.

The data shows that by far the most common location of breached data is network servers, which is unsurprising given the high number of hacking incidents and ransomware attacks. Most data breaches do not involve electronic medical record systems; however, there have been breaches at electronic medical record providers this year, hence the increase in data breaches involving EHRs. The chart below also shows the extent to which email accounts are compromised. These incidents include phishing attacks and brute force attacks to guess weak passwords. HIPAA-regulated entities can reduce the risk of email data breaches by implementing multifactor authentication and having robust password policies and enforcing those policies. A password manager is recommended to make it easier for healthcare employees to set unique, complex passwords. It is also important not to neglect security awareness training for the workforce – a requirement for compliance with the HIPAA Security Rule.

Location of breached PHI

Where are the Data Breaches Occurring?

Healthcare providers are consistently the worst affected type of HIPAA-covered entity; however, the number of data breaches occurring at business associates has increased. Data breaches at business associates often affect multiple HIPAA-covered entities. These data breaches are shown on the OCR breach portal; however, they are not clearly reflected as, oftentimes, a breach at a business associate is self-reported by each HIPAA-covered entity. Simply tallying up the reported breaches by the reporting entity does not reflect the extent to which business associate data breaches are occurring.

This has always been reflected in the HIPAA Journal data breach reports, and since June 2021, the reporting of data breaches by covered entity type was adjusted further to make business associate data breaches clearer by showing graphs of where the breach occurred, rather than the entity reporting the data breach. The HIPAA Journal data analysis shows the rising number of healthcare data breaches at business associates.

1H 2022 Data Breaches by State

As a general rule of thumb, U.S. states with the highest populations tend to be the worst affected by data breaches, so California, Texas, Florida, New York, and Pennsylvania tend to experience more breaches than sparsely populated states such as Alaska, Vermont, and Wyoming; however, data breaches are being reported all across the United States.

The data from 1H 2022, shows data breaches occurred in 43 states, D.C. and Puerto Rico, with healthcare data safest in Alaska, Iowa, Louisiana, Maine, New Mexico, South Dakota, & Wyoming, where no data breaches were reported in the first half of the year.

State Number of Breaches
New York 29
California 23
New Jersey & Texas 18
Florida & Ohio 17
Michigan & Pennsylvania 15
Georgia 14
Virginia 13
Illinois & Washington 12
Massachusetts & North Carolina 10
Colorado, Missouri, & Tennessee 9
Alabama, Arizona, & Kansas 8
Maryland 7
Connecticut & South Carolina 6
Oklahoma, Utah, & West Virginia 5
Indiana, Minnesota, Nebraska, & New Hampshire 4
Wisconsin 3
Arkansas, Delaware, Mississippi, Montana, Nevada, & the District of Columbia 2
Hawaii, Idaho, Kentucky, North Dakota, Oregon, Rhode Island, Vermont, and Puerto Rico 1

HIPAA Enforcement Activity in 1H 2022

HIPAA Journal tracks HIPAA enforcement activity by OCR and state attorneys general in the monthly and annual healthcare data breach reports. In 2016, OCR started taking a harder line on HIPAA-regulated entities that were discovered to have violated the HIPAA Rules and increased the number of financial penalties imposed, with peak enforcement occurring in 2019 when 19 financial penalties were imposed.

2022 has started slowly in terms of HIPAA enforcement actions, with just 4 financial penalties imposed by OCR in 1H, 2022. However, that should not be seen as OCR going easy on HIPAA violators. In July 2022, OCR announced 12 financial penalties to resolve HIPAA violations, bringing the annual total up to 16. HIPAA Journal records show only one enforcement action taken by state attorneys general so far in 2022.

Limitations of this Report

The nature of breach reporting makes generating accurate data breach reports challenging. HIPAA-regulated entities are required to report data breaches to OCR within 60 days of a data breach occurring; however, the number of individuals affected may not be known at that point. As such, data breaches are often reported with an interim figure, which may be adjusted up or down when the investigation is completed. Many HIPAA-regulated entities report data breaches using a placeholder of 500 records, and then submit an amendment, so the final totals may not be reflected in this report. Data for this report was compiled on August 10, 2022.

While data breaches should be reported within 60 days of discovery, there has been a trend in recent years for data breaches to be reported within 60 days of the date when the investigation has confirmed how many individuals have been affected, even though the HIPAA Breach Notification Rule states that the date of discovery is the date the breach is discovered, not the date when investigations have been completed. Data breaches may have occurred and been discovered several months ago, but have not yet been reported. These will naturally not be reflected in this report.

This report is based on data breaches at HIPAA-regulated entities – healthcare providers, health plans, healthcare clearinghouses, and business associates of those entities. If an entity is not subject to HIPAA, they are not included in this report, even if they operate in the healthcare industry.

The post 1H 2022 Healthcare Data Breach Report appeared first on HIPAA Journal.

Cloud Security Alliance Releases Third Party Vendor Risk Management Guidance for Healthcare Organizations

Cyber actors are increasingly targeting business associates of HIPAA-covered entities as they provide an easy way to gain access to the networks of multiple healthcare organizations. To help healthcare delivery organizations (HDOs) deal with the threat, the Cloud Security Alliance (CSA) has published new guidance on third-party vendor risk management in healthcare. The guidance was drafted by the Health Information Management Working Group and includes examples and use cases and provides information on some of the risk management program tools that can be used by HDOs for risk management.

Third-party vendors provide invaluable services to HDOs, including services that cannot be effectively managed in-house; however, the use of vendors introduces cybersecurity, reputational, compliance, privacy, operational, strategic, and financial risks that need to be managed and mitigated. The guidance is intended to help HDOs identify, assess, and mitigate the risks associated with the use of third-party vendors to prevent and limit the severity of security incidents and data breaches.

Cyberattacks on vendors serving the healthcare industry have increased in recent years. Rather than attacking an HDO directly, a cyber actor can attack a vendor to gain access to sensitive data or to abuse the privileged access the vendor has to a HDO’s network. For example, a successful intrusion at a managed service provider allows a threat actor to gain access to the networks of all of the company’s clients by abusing the MSP’s privileged access to client systems. This is advantageous for a hacker as it means it is not necessary to hack into the networks of each MSP client individually.

When third-party vendors are used, the attack surface is increased significantly, and managing and reducing risk can be a challenge. While third-party vendors are used in all industry sectors, third-party vendor security risks are most prevalent in the healthcare sector. The CSA suggests that this is due to the lack of automation, extensive use of digital applications and medical devices, and the lack of fully deployed critical vendor management controls. Since healthcare organizations tend to use a large number of vendors, conducting comprehensive and accurate risk assessments for all vendors and implementing critical vendor management controls can be a very time-consuming and costly process.

“Healthcare Delivery Organizations entrust the protection of their sensitive data, reputation, finances, and more to third-party vendors. Given the importance of this critical, sensitive data, combined with regulatory and compliance requirements, it is crucial to identify, assess, and reduce third-party cyber risks,” said Dr. James Angle, the paper’s lead author and co-chair of the Health Information Management Working Group. “This paper offers a summary of third-party vendor risks in healthcare as well as suggested identification, detection, response, and mitigation strategies.”

If an HDO chooses to use a third-party vendor, it is essential that effective monitoring controls are implemented, but it is clear from the number of third-party or vendor-related data breaches that many healthcare organizations struggle to identify, protect, detect, respond to, and recover from these incidents, which suggests the current approaches for assessing and managing vendor risks are failing. These failures can have a major financial impact, not just in terms of the breach mitigation costs, but HDOs also face the risk of regulatory fines from the HHS’ Office for Civil Rights and state Attorneys General and there is also significant potential for long-lasting reputation damage.

The CSA makes several suggestions in the paper, including adopting the NIST Cybersecurity Framework for monitoring, measuring, and tracking third-party risk. The NIST Framework is mostly concerned with cybersecurity, but the same principles can also be applied for measuring other types of risk. The core functions of the framework are identify, protect, detect, respond, and recover. Using the framework, HDOs can identify risks, understand what data is provided to each, prioritize vendors based on the level of risk, implement safeguards to protect critical services, ensure monitoring controls are implemented to detect security incidents, and a plan is developed for responding to and mitigating any security breach.

“The increased use of third-party vendors for applications and data processing services in healthcare is likely to continue, especially as HDOs find it necessary to focus limited resources on core organizational objectives and contract out support services, making an effective third-party risk management program essential,” said Michael Roza, a contributor to the paper.

The post Cloud Security Alliance Releases Third Party Vendor Risk Management Guidance for Healthcare Organizations appeared first on HIPAA Journal.

NIST Updates Guidance on HIPAA Security Rule Compliance

The National Institute of Standards and Technology (NIST) has updated its guidance for HIPAA-regulated entities on implementing the HIPAA Security Rule to help them better protect patients’ personal and protected health information.

The Security Rule of the Health Insurance Portability and Accountability Act established national standards for protecting the electronic protected health information (ePHI) that HIPAA-regulated entities create, receive, maintain or transmit. Ensuring compliance with the HIPAA Security Rule is more important than ever due to the increasing number of cyberattacks on HIPAA-regulated entities.

NIST published the first revision of its HIPAA Security Rule guidance in 2008, 6 years before the release of the NIST Cybersecurity Framework. Over the past 14 years, NIST has released other cybersecurity guidance and has regularly updated its Security and Privacy Controls (NIST SP 800-53). One of the main reasons for updating the HIPAA Security Rule guidance was to integrate it into NIST guidance that did not exist when Revision 1 was published in 2008.

“One of our main goals is to help make the updated publication more of a resource guide,” said Jeff Marron, a NIST cybersecurity specialist. “The revision is more actionable so that healthcare organizations can improve their cybersecurity posture and comply with the Security Rule.”

NIST has mapped the elements of the HIPAA Security Rule to the NIST Cybersecurity Framework subcategories, the controls in NIST SP 800-53, has increased the emphasis on the risk management component of the guidance, and has integrated enterprise risk management concepts. NIST has also factored in the feedback received from healthcare industry stakeholders in its pre-draft call for comments.

The latest revision is more of a refresh than an overhaul. The structure of the guidance has only changed slightly with the content updated to have an increased emphasis on assessment and management of risk to ePHI

“We provide a resource that can assist you with implementing the Security Rule in your own organization, which may have particular needs,” said Marron. “Our goal is to offer guidance and resources you can use in one readable publication.”

Comments will be accepted by NIST on the updated guidance – Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule: A Cybersecurity Resource Guide (NIST Special Publication 800-66, Revision 2) – until September 21, 2022.

The post NIST Updates Guidance on HIPAA Security Rule Compliance appeared first on HIPAA Journal.