HIPAA Compliance News

ONC and OCR Release Updated Security Risk Assessment Tool

The Department of Health and Human Services (HHS)’ Office of the National Coordinator for Health Information Technology (ONC) and the Office for Civil Rights (OCR) have released a new version of the HHS Security Risk Assessment (SRA) Tool.

The HIPAA Security Rule requires HIPAA-regulated entities to conduct a comprehensive, organization-wide risk analysis to identify the risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI). All risks identified must then be subject to risk management processes to reduce the identified risks and vulnerabilities to a low and acceptable level.

Risk analyses/assessments are vital for HIPAA compliance. They help HIPAA-covered entities determine if they are compliant with the administrative, physical, and technical safeguards of the HIPAA Security Rule and help to identify the most effective and appropriate administrative, physical, and technical safeguards to protect ePHI. Investigations and audits of HIPAA-regulated entities have shown that the risk assessment/analysis is an aspect of compliance that many healthcare organizations fail to get right, and it is one of the most commonly cited HIPAA violations in OCR enforcement actions.

In 2014, ONC and OCR jointly developed and launched the SRA Tool to help small- and medium-sized healthcare practices and business associates with this important aspect of HIPAA Security Rule compliance. The SRA tool is a downloadable tool that can be used to guide HIPAA-regulated entities through the risk assessment process. The SRA Tool is a desktop application that uses a wizard-based approach involving multiple-choice questions, threat and vulnerability assessments, and asset and vendor management, and walks users through the security risk assessment process.

The SRA tool has been updated over the years, with the latest version incorporating new features in response to user feedback and public input. Those features include the incorporation of Health Industry Cybersecurity Practices (HICP) references, file association in Windows, improved reports, bug fixes, and stability improvements.

ONC and OCR have also developed a new SRA Tool Excel Workbook, which is intended to replace the legacy paper version of the SRA Tool. The workbook contains conditional formatting and formulas to calculate and help identify risk in a similar fashion to the SRA Tool application and is a good alternative for users who do not have Microsoft Windows.

ONC and ORC explain that the use of the tool does not guarantee compliance with HIPAA but can help them achieve compliance. The tool was developed for SMBs, and may not be appropriate for larger healthcare organizations.

The SRA tool, which can be downloaded here, can be installed as an application on 64-bit versions of Microsoft Windows 7/8/10/11. The new SRA Tool Excel Workbook can be used on other systems.

The post ONC and OCR Release Updated Security Risk Assessment Tool appeared first on HIPAA Journal.

OCR Issues Guidance on Audio-Only Telehealth for When the COVID Public Health Emergency Ends

Start preparing now and get your telehealth services HIPAA compliant as when the COVID-19 Public Health Emergency (PHE) ends, the telehealth HIPAA flexibilities stop. That is the advice of the Department of Health and Human Services’ Office for Civil Rights, which released new guidance this week on HIPAA and audio-only telehealth services.

The Period of Enforcement Discretion Will End

In March 2020, the HHS’ Office for Civil Rights issued a Telehealth Notification and said it would be exercising enforcement discretion and would not be imposing sanctions and penalties for HIPAA violations with respect to the good faith provision of telehealth services. The move was intended to make it easier for healthcare organizations to offer telehealth services to patients to help prevent the spread of COVID-19.

OCR permitted healthcare organizations to use remote communication tools for telehealth, which included apps and platforms that would not normally be considered ‘HIPAA-compliant,’ and did not require HIPAA-covered entities to enter into a business associate agreement with the providers of remote communication tools. The notice of enforcement discretion stated that it lasted for the duration of the PHE. When the Secretary of the HHS declares that the COVID-19 PHE no longer exists, or upon the expiration date of the declared PHE, whichever comes sooner, the period of enforcement discretion will end. That means that the continued use of remote communication technologies could potentially violate the HIPAA Rules and could lead to financial penalties and other remedies to resolve the HIPAA violations.

In the new guidance on HIPAA and audio-only telehealth, OCR explains when, and under what circumstances, audio-only telehealth is permitted under HIPAA. OCR confirmed that telehealth services are permitted under HIPAA, but HIPAA-regulated entities should apply reasonable safeguards to protect the privacy of protected health information (PHI), such as ensuring telehealth services are provided in private settings, as far as is possible, and using lowered voices to reduce the potential for incidental disclosures of PHI. It is also necessary to verify the identity of the patient, orally or in writing.

The HIPAA Security Rule May Apply to Telehealth

The HIPAA Security Rule may apply to telehealth. When audio-only telehealth services are provided over standard telephone lines – landlines – the HIPAA Security Rule does not apply, as the information transmitted is not electronic. However, if electronic communication technologies are used, the HIPAA Security Rule does apply, which includes “Voice over Internet Protocol (VoIP) and mobile technologies that use electronic media, such as the Internet, intra-, and extranets, cellular, and Wi-Fi.”

When these technologies are used, the HIPAA Security Rule requires safeguards to be implemented to ensure the confidentiality, integrity, and availability of electronic PHI (ePHI), and risks and vulnerabilities must be identified, assessed, and addressed as part of a covered entity’s risk analysis and risk management processes. OCR suggests that due to the speed at which communication technologies evolve, a robust inventory and asset management process is recommended to identify such technologies and the information systems that use them, as this will help to ensure an accurate and thorough risk analysis.

Business Associate Agreements May be Required

Any vendor that is provided with access to ePHI, or comes into contact with ePHI, is required to enter into a business associate agreement (BAA) with a HIPAA-covered entity. BAAs may be required with vendors providing platforms to support telehealth. A BAA is only required when a telecommunication service provider (TSP) is acting as a business associate. The HIPAA conduit exception applies if the TSP has only transient access to the PHI it transmits. “If the TSP is not also creating, receiving, or maintaining PHI on behalf of the covered entity, and the TSP does not require access on a routine basis to the PHI it transmits in the call, no business associate relationship has been created.  Therefore, a BAA is not needed,” explained OCR in the guidance.

A BAA is required when a TSP is more than a conduit and is not just providing data transmission services, and is either creating, receiving, or maintaining ePHI. In such cases, a BAA is required before the service is used. That applies to remote communication technologies, mobile apps, and Internet and cloud services.

“Audio telehealth is an important tool to reach patients in rural communities, individuals with disabilities, and others seeking the convenience of remote options. This guidance [Guidance on How the HIPAA Rules Permit Covered Health Care Providers and Health Plans to Use Remote Communication Technologies for Audio-Only Telehealth] explains how the HIPAA Rules permit health care providers and plans to offer audio telehealth while protecting the privacy and security of individuals’ health information,” said OCR Director Lisa J. Pino.

The post OCR Issues Guidance on Audio-Only Telehealth for When the COVID Public Health Emergency Ends appeared first on HIPAA Journal.

OCR Issues Guidance on Audio-Only Telehealth for When the COVID Public Health Emergency Ends

Start preparing now and get your telehealth services HIPAA compliant as when the COVID-19 Public Health Emergency (PHE) ends, the telehealth HIPAA flexibilities stop. That is the advice of the Department of Health and Human Services’ Office for Civil Rights, which released new guidance this week on HIPAA and audio-only telehealth services.

The Period of Enforcement Discretion Will End

In March 2020, the HHS’ Office for Civil Rights issued a Telehealth Notification and said it would be exercising enforcement discretion and would not be imposing sanctions and penalties for HIPAA violations with respect to the good faith provision of telehealth services. The move was intended to make it easier for healthcare organizations to offer telehealth services to patients to help prevent the spread of COVID-19.

OCR permitted healthcare organizations to use remote communication tools for telehealth, which included apps and platforms that would not normally be considered ‘HIPAA-compliant,’ and did not require HIPAA-covered entities to enter into a business associate agreement with the providers of remote communication tools. The notice of enforcement discretion stated that it lasted for the duration of the PHE. When the Secretary of the HHS declares that the COVID-19 PHE no longer exists, or upon the expiration date of the declared PHE, whichever comes sooner, the period of enforcement discretion will end. That means that the continued use of remote communication technologies could potentially violate the HIPAA Rules and could lead to financial penalties and other remedies to resolve the HIPAA violations.

In the new guidance on HIPAA and audio-only telehealth, OCR explains when, and under what circumstances, audio-only telehealth is permitted under HIPAA. OCR confirmed that telehealth services are permitted under HIPAA, but HIPAA-regulated entities should apply reasonable safeguards to protect the privacy of protected health information (PHI), such as ensuring telehealth services are provided in private settings, as far as is possible, and using lowered voices to reduce the potential for incidental disclosures of PHI. It is also necessary to verify the identity of the patient, orally or in writing.

The HIPAA Security Rule May Apply to Telehealth

The HIPAA Security Rule may apply to telehealth. When audio-only telehealth services are provided over standard telephone lines – landlines – the HIPAA Security Rule does not apply, as the information transmitted is not electronic. However, if electronic communication technologies are used, the HIPAA Security Rule does apply, which includes “Voice over Internet Protocol (VoIP) and mobile technologies that use electronic media, such as the Internet, intra-, and extranets, cellular, and Wi-Fi.”

When these technologies are used, the HIPAA Security Rule requires safeguards to be implemented to ensure the confidentiality, integrity, and availability of electronic PHI (ePHI), and risks and vulnerabilities must be identified, assessed, and addressed as part of a covered entity’s risk analysis and risk management processes. OCR suggests that due to the speed at which communication technologies evolve, a robust inventory and asset management process is recommended to identify such technologies and the information systems that use them, as this will help to ensure an accurate and thorough risk analysis.

Business Associate Agreements May be Required

Any vendor that is provided with access to ePHI, or comes into contact with ePHI, is required to enter into a business associate agreement (BAA) with a HIPAA-covered entity. BAAs may be required with vendors providing platforms to support telehealth. A BAA is only required when a telecommunication service provider (TSP) is acting as a business associate. The HIPAA conduit exception applies if the TSP has only transient access to the PHI it transmits. “If the TSP is not also creating, receiving, or maintaining PHI on behalf of the covered entity, and the TSP does not require access on a routine basis to the PHI it transmits in the call, no business associate relationship has been created.  Therefore, a BAA is not needed,” explained OCR in the guidance.

A BAA is required when a TSP is more than a conduit and is not just providing data transmission services, and is either creating, receiving, or maintaining ePHI. In such cases, a BAA is required before the service is used. That applies to remote communication technologies, mobile apps, and Internet and cloud services.

“Audio telehealth is an important tool to reach patients in rural communities, individuals with disabilities, and others seeking the convenience of remote options. This guidance [Guidance on How the HIPAA Rules Permit Covered Health Care Providers and Health Plans to Use Remote Communication Technologies for Audio-Only Telehealth] explains how the HIPAA Rules permit health care providers and plans to offer audio telehealth while protecting the privacy and security of individuals’ health information,” said OCR Director Lisa J. Pino.

The post OCR Issues Guidance on Audio-Only Telehealth for When the COVID Public Health Emergency Ends appeared first on HIPAA Journal.

OCR to Produce Video Presentation on HITECH Act Recognized Security Practices

The HHS’ Office for Civil Rights (OCR) is producing a video presentation to help HIPAA-regulated entities implement “Recognized Security Practices.”

The Health Information Technology for Economic and Clinical Health (HITECH) Act was recently amended (Public Law 116-321) to require OCR to consider recognized security practices that have been in place for at least 12 months prior to certain Security Rule enforcement and audit activities. OCR previously issued a Request for Information regarding the HITECH Act recognized security practices, the comment period for which ended last week.

There has been confusion about what constitutes recognized security practices and how it is possible to demonstrate to OCR that recognized security practices have been adopted and have been continuous for the 12 months prior to a data breach or OCR investigation.

In the video presentation, Nicholas Heesters, Senior Advisor for Cybersecurity at OCR will explain the 2021 HITECH Act amendment regarding recognized security practices, provide guidance on demonstrating security practices have been in place, how evidence of those security practices will be requested by OCR, and how to find out more information on the best security practices to implement.

Ahead of the publication of the video, OCR has requested questions from HIPAA-regulated entities to ensure they are addressed in the presentation. The deadline for submitting questions is June 17, 2022. Questions should be sent to: OCRPresents@hhs.gov

OCR will be releasing the presentation this summer and will make an announcement about how the presentation can be viewed at a later date.

The post OCR to Produce Video Presentation on HITECH Act Recognized Security Practices appeared first on HIPAA Journal.

Healthcare Groups Provide Feedback on HITECH Recognized Security Practices

Earlier this year, the HHS’ Office for Civil Rights issued a request for information (RFI) on how the financial penalties for HIPAA violations should be distributed to individuals who have been harmed by those HIPAA violations, and the “recognized security practices” under the amended Health Information Technology for Economic and Clinical Health (HITECH) Act. The comment period has now closed, and OCR is considering the feedback received.

Background

It has long been OCR’s intention to distribute a proportion of the funds raised through its HIPAA enforcement actions to victims of those HIPAA violations; however, to date, OCR has not developed a methodology for doing so and requested feedback on a method for distributing the funds to ensure they are directed to victims effectively.

In January 2021, the HITECH Act was amended by Congress to encourage healthcare organizations to adopt recognized security practices. The amendment called for the Secretary of the Department of Health and Human Services to consider whether recognized security practices had been adopted by a HIPAA-regulated entity for no less than 12 months previously, when making certain determinations. Recognized security practices are those outlined by the National Institute of Standards and Technology (NIST), HIPAA Security Rule, and privacy and security frameworks.

Essentially, if recognized security practices have been adopted and have been continuously in place for at least 12 months, financial penalties could be reduced or avoided altogether, and the length and extent of audits and compliance investigations would be reduced.

Feedback from Healthcare Industry Groups

Several healthcare industry groups responded to the RFI and provided feedback, including the Healthcare Information and Management Systems Society (HIMSS), Medical Management Association MGMA, and the Connected Health Initiative (CHI).

HIMSS

HIMSS has welcomed the amendments to the HITECH Act and in its letter to the HHS stressed the importance of a unified approach to healthy cybersecurity and information privacy practices, as emphasized in the HITECH Security Practices.

HIMSS recommended “OCR implement policies that only afford enforcement discretion to situations involving use of security best practices as that discretion applies to safeguarding electronic protected health information (PHI) and not to other areas that are within the scope of HIPAA.”

HIMSS recommends OCR should foster innovation in standards by recognizing the value of adherence to widely accepted cybersecurity frameworks and standards, such as the NIST Cybersecurity Framework and the HITRUST Common Security Framework, rather than trying to define a fixed set of cybersecurity practices, which has the potential to become outdated in a rapidly changing threat landscape. OCR should also align its work with other federal agencies to improve best practices for healthcare.

HIMSS expressed concern that “a strict interpretation of security practices in place continuously over a 12-month period could have the unintended consequence of discouraging the adoption of new methods during that time frame.” HIMSS stressed the importance of encouraging organizations to update security practices regularly as new technologies or methodologies emerge and giving them the flexibility to update processes throughout the year to meet ever-changing cybersecurity best practices without fear that they may run afoul of the requirement for consistent and continuous use. “HIMSS recommends OCR distinguish between confirming that a control is in place and narrowly defining how the control is implemented.”

With respect to the financial penalties, HIMSS suggested OCR should earmark some of the fine amounts for helping to fund and distribute educational materials and other resources to HIPAA-regulated entities to ensure that all organizations have the knowledge and resources to prevent or mitigate cyberattacks.

MGMA

MGMA explained in a letter to HHS Secretary Xavier Becerra that it represents a wide range of medical groups and hundreds of thousands of physicians, and has been working diligently to improve education on cybersecurity best practices. MGMA said its members are becoming more vigilant and are voluntarily taking steps to protect themselves and their patients and welcomes the efforts of the HHS to understand and consider those measures when making certain determinations.

MGMA has made three key recommendations. The HHS should provide HIPAA-regulated entities with the flexibility to choose which recognized security practices to adopt, as there are vast differences in the technical and financial capabilities of medical groups, which can include small private practices in rural areas to large regional and national health systems, and the full spectrum of physician specialties and organizational forms. If specific recognized security systems are required, there could be unintended consequences stemming from the increased cost and administrative burden. Medical groups need to balance security with their ability to stay financially viable and avoid interruptions to patient care. MGMA has recommended the HHS does not mandate what constitutes recognized security practices any further, and that the HHS should accept and not limit the broad statutory definition of the term recognized security practices.

MGMA has requested OCR provide best practices and education, including sample frameworks and checklists, that include real-world approaches for medical groups to implement acknowledged cybersecurity policies into their practices, and has also requested the HHS ensure potential requirements are consistent with other programs, such as the Office of National Coordinator for Health Information Technology (ONC) rulemaking to prohibit “information blocking.”

CHI

CHI said it supports OCR’s efforts to encourage the adoption of recognized security practices and for those practices to be considered as a mitigating factor when investigating data breaches, complaints, and reviews for potential HIPAA violations, but suggests that the 2021 HITECH Act revision should only apply to HIPAA compliance enforcement actions and audits.

Since current security standards will evolve over time, CHI recommends that OCR consider new and emerging risk management security standards in its recognized security practices, rather than specifying a set of security practices. CHI has also requested OCR provide up-to-date and clear information on the obligations of healthcare organizations under HIPAA, in light of the many changes that have occurred across the industry since the HITECH Act was passed, including changes to technology.

For instance, the HIPAA Privacy and Security Rules were introduced prior to the release of the first iPhone, and there is a lack of clarity about how HIPAA applies to mobile environments, which can deter healthcare providers from adopting patient-centered technologies and can prevent patients from fully benefiting from mobile technologies. Further guidance is needed to help healthcare providers adopt new technologies that enable care coordination and ensure compliance.

“OCR has created key guidance for mobile developers and those interested in the intersection between information technology and healthcare. OCR’s outreach focus is an educational campaign for that community, and we see vast improvement in the understanding, from connected health companies, of their roles and responsibilities under the HIPAA Privacy Rules,” explained CHI. However, similar educational campaigns are required for providers and patients.

CHI has requested the HHS make no revisions to the HIPAA Privacy Rule that require disclosures for any additional purposes besides to the individual when the individual exercises his/her right of access under the Rule, or to HHS for purposes of enforcement of the HIPAA Rules, as this could place an unnecessary burden on HIPAA-regulated entities and could lessen the protections for the privacy of individuals’ PHI.

CHI has also requested OCR provide sample business associate agreement language for developers and providers and should ensure that HIPAA does not prevent innovations in AI technology.

The post Healthcare Groups Provide Feedback on HITECH Recognized Security Practices appeared first on HIPAA Journal.

Reader Offer: Free Annual HIPAA Risk Assessment

HIPAA Journal has partnered with The Compliancy Group to offer its readers a free annual HIPAA Risk Assessment.

 

 

Covered Entities like medical practices and Business Associates like IT providers are required conduct a HIPAA risk assessment by the 2003 HIPAA Security Rule (45 CFR § 164.308 – Security Management Process) and HITECH Act 2009.

The post Reader Offer: Free Annual HIPAA Risk Assessment appeared first on HIPAA Journal.

April 2022 Healthcare Data Breach Report

After four successive months of declining numbers of data breaches, there was a 30.2% increase in reported data breaches. In April 2022, 56 data breaches of 500 or more records were reported to the Department of Health and Human Services’ Office for Civil Rights (OCR).

Healthcare data breaches in the past 12 months (April 2022)

While the number of reported breaches increased month-over-month, the number of healthcare records that were exposed or impermissibly disclosed decreased by 30% to 2,160,194 – the lowest monthly number since October 2021. The average breach size in April 2022 was 38,575 records, and the median breach size was 6,546 records.

Breached healthcare records in the past 12 months (April 2022)

Largest Healthcare Data Breaches in April 2022

22 healthcare data breaches were reported in April 2022 that affected 10,000 or more individuals. The worst breach was a hacking incident reported by Adaptive Health Integrations, a provider of software and billing/revenue services to laboratories, physician offices, and other healthcare companies. More than half a million healthcare individuals were affected.  The Arkansas healthcare provider ARcare suffered a malware attack that disrupted its systems and potentially allowed hackers to access the records of 345,353 individuals. Refuah Health Center reported a hacking and data theft incident in April, which had occurred almost a year previously in May 2021 and affected up to 260,740 patients.

Illinois Gastroenterology Group, PLLC reported a hacking incident where the attackers had access to the records of 227,943 individuals, and Regional Eye Associates, Inc. & Surgical Eye Center of Morgantown were affected by a data breach at the cloud-EHR vendor Eye Care Leaders (ECL), which exposed the records of 194,035 individuals. The ECL cyberattack saw the attackers delete databases and system configuration files of one of its cloud services. The cyberattack affected close to a dozen eye care providers and resulted in the exposure of more than 342,000 records.

Name of Covered Entity State Covered Entity Type Individuals Affected Cause of Breach
Adaptive Health Integrations ND Healthcare Provider 510,574 Hacking incident with potential data theft
ARcare AR Healthcare Provider 345,353 Malware infection
Refuah Health Center NY Healthcare Provider 260,740 Hacking incident and data theft incident
Illinois Gastroenterology Group, PLLC IL Healthcare Provider 227,943 Hacking incident with potential data theft
Regional Eye Associates, Inc. & Surgical Eye Center of Morgantown WV Healthcare Provider 194,035 Hacking incident at EHR provider
Healthplex, Inc. NY Health Plan 89,955 Email account breach
Optima Dermatology Holdings, LLC NH Healthcare Provider 59,872 Unspecified email incident
SUMMIT EYE ASSOCIATES P.C. TN Healthcare Provider 53,818 Hacking incident at EHR provider
Newman Regional Health KS Healthcare Provider 52,224 Email account breach
WellStar Health System, Inc. GA Healthcare Provider 30,417 WellStar Health System
Central Vermont Eye Care VT Healthcare Provider 30,000 Unspecified hacking incident
Frank Eye Center, P.A. KS Healthcare Provider 26,333 Hacking incident at EHR provider
New Creation Counseling Center OH Healthcare Provider 24,029 Ransomware attack
Georgia Pines CSB GA Healthcare Provider 24,000 Theft of laptop computers
The Guidance Center, Inc. AZ Healthcare Provider 23,104 Email account breach
Allied Eye Physicians and Surgeons, Inc. OH Healthcare Provider 20,651 Hacking incident at EHR provider
King County Public Hospital District No. 2 d/b/a EvergreenHealth WA Healthcare Provider 20,533 Hacking incident at EHR provider
Onehome Health Solutions FL Healthcare Provider 15,401 Theft of laptop computers
Southern Ohio Medical Center OH Healthcare Provider 15,136 Hacking incident with potential data theft
Arkfeld, Parson, and Goldstein, P.C. doing business as ilumin NE Healthcare Provider 14,984 Hacking incident at EHR provider
Pediatric Associates, P.C. VA Healthcare Provider 13,000 Hacking incident at EHR provider
Fairfield County Implants and Periodontics, LLC CT Healthcare Provider 10,502 Email account breach

Causes of April 2022 Healthcare Data Breaches

Hacking and IT incidents accounted for 73.2% of the healthcare data breaches reported in April 2022 and 97.1% of the month’s breached healthcare records. 2,098,390 individuals were affected by those hacking incidents and may have had their protected health information stolen. The average breach size was 51,180 records and the median breach size was 9,969 records. 16 of the hacking incidents involved unauthorized individuals gaining access to employee email accounts, and there were 7 breaches of electronic health records, due to the hacking incident at the EHR vendor Eye Care Leaders.

Causes of April 2022 Healthcare Data Breaches (april 2022)

There were just breaches reported as unauthorized access/disclosure incidents which involved a total of 20,391 records. The average breach size was 1,854 records and the median breach size was 820 records. There were two theft incidents reported involving laptop computers and one loss incident involving an ‘other portable electronic device’. Across the three loss/theft incidents, the records of 40,298 individuals were potentially compromised. All three breaches could have been prevented if data had been encrypted. There was also one improper disposal incident reported, involving 1,115 paper records.

Location of breached protected health information (April 2022)

Healthcare Data Breaches by Covered Entity Type

Healthcare providers were the worst affected HIPAA-covered entity, with 39 reporting breaches in April. 7 data breaches were reported by health plans, and 10 data breaches were reported by business associates. However, a further 17 data breaches occurred at business associates but were reported by the respective covered entity. The chart below shows the month’s data breaches adjusted to reflect where the breaches occurred.

Healthcare Data Breaches by Covered Entity Type (April 2022)

Healthcare Data Breaches by State

In April 2022, HIPAA-regulated entities in 26 states reported breaches. New York and Ohio were the worst affected states in April, with 7 & 6 data breaches reported respectively.

State Number of Data Breaches
New York 7
Ohio 6
California 4
Arizona, Georgia, Kansas, Michigan, Tennessee, & Virginia 3
Florida, Maryland, North Carolina & New Hampshire 2
Alabama, Arkansas, Colorado, Connecticut, Illinois, Nebraska, North Dakota, Pennsylvania, South Carolina, Utah, Vermont, Washington & West Virginia 1

HIPAA Enforcement Activity in April 2022

There were no HIPAA enforcement activities announced by the HHS’ Office for Civil Rights or State Attorneys General in April 2022. So far this year, 4 financial penalties have been imposed to resolve HIPAA violations.

The post April 2022 Healthcare Data Breach Report appeared first on HIPAA Journal.

HIPAA Enforcement Rule

The HIPAA Enforcement Rule of 2006 – and subsequent amendments attributable to the passage of HITECH – details the procedures for investigating violations of HIPAA and the penalties that the HHS Office for Civil Rights can impose on Covered Entities and Business Associates for failing to comply with the Privacy, Security, and Breach Notification Rules.

In 1996, the passage of HIPAA gave the Secretary of Health and Human Services (HHS) the authority to impose financial penalties for violations of the Administrative Simplification provisions (see Sections 1176 and 1177). The Administrative Simplification provisions led to the publication of the HIPAA Privacy and Security Rules which were enacted in 2002 and 2003 respectively.

The authorization to enforce the HIPAA Privacy and Security Rules (and later, the Breach Notification Rule) was delegated to the HHS´ Office for Civil Rights. However, despite receiving more than 13,000 complaints in the first two years, the Office for Civil Rights failed to bring a single enforcement action – giving Covered Entities the impression that HIPAA compliance was optional rather than mandatory.

The HIPAA Enforcement Rule takes Shape

In 2003, HHS released an Interim Final Rule relating to the “Procedures for Investigations, Imposition of Penalties, and Hearings” (68 FR 18895). Despite describing the Interim Final Rule as the first installment of a HIPAA Enforcement Rule, the document describes the Office for Civil Rights´ approach to enforcement as intending to “seek and promote voluntary compliance with the rules” – further giving the impression HIPAA compliance was optional.

In order to overcome this impression and encourage voluntary compliance with the Privacy and Security Rules, the 2003 Interim HIPAA Enforcement Rule increased the volume of the General Administrative Requirements relating to compliance and investigations (45 CFR § 160 Subpart C) and introduced a new section to the General Administrative Requirements relating to the procedures for investigation (45 CFR § 160 Subpart E).

A further new section was added to the General Administrative Requirements when a later Interim HIPAA Enforcement Rule was published in 2005 (PDF). This new section (45 CFR § 160 Subpart D) explained the basis for issuing a financial penalty and the amounts Covered Entities could be fined for violations of HIPAA. At the time, the maximum penalty per violation was $100, with fines being capped at $25,000 per year for identical violations.

Despite the new section, many public comments were critical of the apparent “policy of nonenforcement” – so much so that when the Final HIPAA Enforcement Rule was published in 2006, the preamble goes to considerable lengths to explain the challenges of enforcing HIPAA and claims that “68 percent [of cases] have been resolved or otherwise closed”. Nonetheless, it was a further three years before a Covered Entity was fined for a violation of HIPAA.

Subsequent Amendments Attributable to HITECH

The passage of the HITECH Act in 2009 had a significant impact on the enforcement of HIPAA. HITECH introduced the HIPAA Breach Notification Rule and new compliance requirements for both Covered Entities and their Business Associates. Compliance with the Security Rule and some elements of the Privacy Rule was extended to Business Associates, and – significantly in the context of the HIPAA Enforcement Rule – the burden of proof was reversed.

Prior to HITECH, the Office for Civil Rights had to prove that an unauthorized disclosure of PHI had resulted in harm before it could issue a financial penalty to a non-compliant Covered Entity. Subsequent to HITECH, Covered Entities and Business Associates have the burden of demonstrating that all required notifications have been made or that a use or disclosure of unsecured PHI did not constitute a breach as defined by 45 CFR § 164.402.

In addition, the previous maximum penalty and penalty cap were scrapped, and a new four-level penalty tier introduced via the HIPAA Final Omnibus Rule of 2013 in which fines would reflect the non-compliant entity´s level of culpability. The minimum and maximum limits in each penalty tier and the annual penalty limit are adjusted annually to account for inflation. The current penalty limits are:

HIPAA Enforcement Rule - Penalties

How Enforcement Changed in the Post-HITECH Era

The HITECH amendments started a new era of HIPAA enforcement. From 2014 onwards, the Office for Civil Rights increased the number of investigations into alleged HIPAA violations, gave more technical assistance, issued more Corrective Action Plans, and reached more settlements with offenders. The revenues from the fines were used to provide the Office for Civil Rights with more enforcement resources; and, in 2016, the HIPAA audit program was extended.

Now, in addition to investigating unauthorized disclosures of unsecured PHI, the Office for Civil Rights is able to investigate other types of HIPAA violations. In recent years, the focus has been on non-compliance with Privacy Rule provisions relating to patients´ rights. Although fewer individuals are affected by this type of HIPAA violation – and the fines issued are much less – enforcement action of this nature demonstrates that claims of lax enforcement are no longer justified.

Looking forward, proposed new HIPAA regulations could affect short-term enforcement action. As with all previous HIPAA Rules, Covered Entities and Business Associates will be given a period of time to adjust to any new regulations; and because some of the proposals relax existing HIPAA standards, there is likely to be a number of unintentional violations attributable to misunderstanding the rules that will be resolved by technical assistance rather than Corrective Action Plans and fines.

The post HIPAA Enforcement Rule appeared first on HIPAA Journal.

March 2022 Healthcare Data Breach Report

For the fourth successive month, the number of reported healthcare data breaches has fallen. In March 2022, 43 healthcare data breaches of 500 or more records were reported to the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR), which is a 6.52% fall from February and well below the 12-month average of 57.75 data breaches a month.

healthcare data breaches past 12 months - March 2022

However, there was a 36.94% increase in the number of breached records compared to February. Across the 43 reported breaches, 3,083,988 healthcare records were exposed, stolen, or impermissibly disclosed, which is slightly below the average of 3,424,818 breached records a month over the past 12 months.

number of breached healthcare recovers over the past 12 months - March 2022

Largest Healthcare Data Breaches in March 2022

In March 2022, there were 25 data breaches reported to OCR that affected 10,000 or more individuals, all but one of which were hacking incidents. The largest data breach of the month affected over half a million patients. Christie Business Holdings Company, which operates Christie Clinic in Illinois, discovered an employee email account had been accessed by unauthorized individuals and was used in a business email compromise (BEC) attack to try to divert payment to a third-party vendor. BEC attacks may account for a relatively small percentage of healthcare data breaches, but according to figures from the FBI, they are the biggest cause of losses to cybercrime.

SuperCare Health reported a major breach from July 2021 where hackers accessed its network and potentially stole patient data. Around two weeks after announcing the data breach the first lawsuit against SuperCare Health was filed. There is often a rush to file lawsuits following healthcare data breaches, and it is now common for multiple lawsuits to be filed.

CSI Laboratories reported a cyberattack that was discovered in February. While the nature of the attack was not disclosed, the Conti ransomware gang claimed responsibility for the attack and published a sample of the stolen data on its data leak site to pressure the lab into paying the ransom. Double extortion tactics, where payment is required for the keys to decrypt files and to prevent the publication of stolen data, are now the norm in ransomware attacks.

Name of Covered Entity State Covered Entity Type Individuals Affected Breach Cause
Christie Business Holdings Company, P.C. IL Healthcare Provider 502,869 Hacked email account
Super Care, Inc. dba SuperCare Health CA Healthcare Provider 318,379 Unspecified hacking incident
Cytometry Specialists, Inc., d/b/a CSI Laboratories GA Healthcare Provider 312,000 Ransomware attack (Conti)
South Denver Cardiology Associates, PC CO Healthcare Provider 287,652 Unspecified hacking incident
Clinic of North Texas, LLP TX Healthcare Provider 244,174 Unspecified hacking incident
Taylor Regional Hospital KY Healthcare Provider 190,209 Unspecified hacking incident
Chelan Douglas Health District WA Healthcare Provider 188,236 Unspecified hacking and data theft incident
Urgent Team Holdings TN Healthcare Provider 166,601 Unspecified hacking incident
New Jersey Brain and Spine NJ Healthcare Provider 92,453 Unspecified hacking incident
Duncan Regional Hospital, Incorporated OK Healthcare Provider 86,379 Unspecified hacking incident
Labette Health KS Healthcare Provider 85,635 Unspecified hacking incident
Law Enforcement Health Benefits, Inc. PA Health Plan 85,282 Ransomware attack
Central Indiana Orthopedics IN Healthcare Provider 83,705 Unspecified hacking incident
Highmark Inc PA Health Plan 67,147 Hacking incident at mailing vendor
Advanced Medical Practice Management NJ Business Associate 56,427 Unspecified hacking and data theft incident
Charleston Area Medical Center, Inc. WV Healthcare Provider 54,000 Hacked email accounts (Phishing)
Resources for Human Development PA Healthcare Provider 46,673 Theft of unencrypted hard drive
Cancer and Hematology Centers of Western Michigan MI Healthcare Provider 43,071 Ransomware attack
Horizon Actuarial Services, LLC GA Business Associate 38,418 Unspecified hacking and data theft incident
Central Minnesota Mental Health Center MN Healthcare Provider 28,725 Hacked email accounts
Capital Region Medical Center MO Healthcare Provider 17,578 Unspecified hacking incident
Dialyze Direct, LLC NJ Healthcare Provider 14,203 Hacked email account
Major League Baseball Players Benefit Plan MD Health Plan 13,156 Unspecified hacking and data theft incident at a business associate
Colorado Physician Partners, PLLC CO Healthcare Provider 12,877 Hacked email account
Crossroads Health OH Healthcare Provider 10,324 Unspecified hacking and data theft incident

Causes of March 2022 Healthcare Data Breaches

The healthcare data breaches reported in March were dominated by hacking/IT incidents, which accounted for 90.7% of all data breaches reported and 98.3% of the breached healthcare records. 3,083,988 individuals were affected by those hacking incidents. The average breach size was 77,766 records and the median breach size was 17,758 records.

Causes of MArch 2022 healthcare data breaches

While the category “hacking/IT incidents” covers a broad range of causes, 31 of the incidents involved hackers gaining access to network servers where patient data was stored. 10 incidents involved unauthorized individuals gaining access to employee email accounts.

 

There were just three breaches reported as unauthorized access/disclosure incidents which involved a total of 4,447 records. The average breach size was 1,482 records and the median was 1,682 records. There was only one theft incident reported – a hard drive containing the records of 46,673 individuals was stolen.

Location of breached PHI in March 2022 healthcare data breaches

March 2022 Healthcare Data Breaches by State

HIPAA-regulated entities in 22 states and Puerto Rico reported data breaches in March 2022. New Jersey, Pennsylvania & Texas were the worst affected states with 4 breaches reported in each state.

State Number of Reported Data Breaches
New Jersey, Pennsylvania & Texas 4
Colorado, Georgia, Indiana, Kansas, Michigan, Minnesota, Washington, West Virginia, and Puerto Rico 2
California, Illinois, Kentucky, Maryland, Massachusetts, Missouri, New York, Ohio, Oklahoma, Tennessee, and Utah 1

HIPAA Enforcement Activity in March 2022

There were no HIPAA enforcement actions announced by the HHS’ Office for Civil Rights or state attorneys general in March 2022.

The post March 2022 Healthcare Data Breach Report appeared first on HIPAA Journal.