HIPAA Compliance News

April 2022 Healthcare Data Breach Report

After four successive months of declining numbers of data breaches, there was a 30.2% increase in reported data breaches. In April 2022, 56 data breaches of 500 or more records were reported to the Department of Health and Human Services’ Office for Civil Rights (OCR).

Healthcare data breaches in the past 12 months (April 2022)

While the number of reported breaches increased month-over-month, the number of healthcare records that were exposed or impermissibly disclosed decreased by 30% to 2,160,194 – the lowest monthly number since October 2021. The average breach size in April 2022 was 38,575 records, and the median breach size was 6,546 records.

Breached healthcare records in the past 12 months (April 2022)

Largest Healthcare Data Breaches in April 2022

22 healthcare data breaches were reported in April 2022 that affected 10,000 or more individuals. The worst breach was a hacking incident reported by Adaptive Health Integrations, a provider of software and billing/revenue services to laboratories, physician offices, and other healthcare companies. More than half a million healthcare individuals were affected.  The Arkansas healthcare provider ARcare suffered a malware attack that disrupted its systems and potentially allowed hackers to access the records of 345,353 individuals. Refuah Health Center reported a hacking and data theft incident in April, which had occurred almost a year previously in May 2021 and affected up to 260,740 patients.

Illinois Gastroenterology Group, PLLC reported a hacking incident where the attackers had access to the records of 227,943 individuals, and Regional Eye Associates, Inc. & Surgical Eye Center of Morgantown were affected by a data breach at the cloud-EHR vendor Eye Care Leaders (ECL), which exposed the records of 194,035 individuals. The ECL cyberattack saw the attackers delete databases and system configuration files of one of its cloud services. The cyberattack affected close to a dozen eye care providers and resulted in the exposure of more than 342,000 records.

Name of Covered Entity State Covered Entity Type Individuals Affected Cause of Breach
Adaptive Health Integrations ND Healthcare Provider 510,574 Hacking incident with potential data theft
ARcare AR Healthcare Provider 345,353 Malware infection
Refuah Health Center NY Healthcare Provider 260,740 Hacking incident and data theft incident
Illinois Gastroenterology Group, PLLC IL Healthcare Provider 227,943 Hacking incident with potential data theft
Regional Eye Associates, Inc. & Surgical Eye Center of Morgantown WV Healthcare Provider 194,035 Hacking incident at EHR provider
Healthplex, Inc. NY Health Plan 89,955 Email account breach
Optima Dermatology Holdings, LLC NH Healthcare Provider 59,872 Unspecified email incident
SUMMIT EYE ASSOCIATES P.C. TN Healthcare Provider 53,818 Hacking incident at EHR provider
Newman Regional Health KS Healthcare Provider 52,224 Email account breach
WellStar Health System, Inc. GA Healthcare Provider 30,417 WellStar Health System
Central Vermont Eye Care VT Healthcare Provider 30,000 Unspecified hacking incident
Frank Eye Center, P.A. KS Healthcare Provider 26,333 Hacking incident at EHR provider
New Creation Counseling Center OH Healthcare Provider 24,029 Ransomware attack
Georgia Pines CSB GA Healthcare Provider 24,000 Theft of laptop computers
The Guidance Center, Inc. AZ Healthcare Provider 23,104 Email account breach
Allied Eye Physicians and Surgeons, Inc. OH Healthcare Provider 20,651 Hacking incident at EHR provider
King County Public Hospital District No. 2 d/b/a EvergreenHealth WA Healthcare Provider 20,533 Hacking incident at EHR provider
Onehome Health Solutions FL Healthcare Provider 15,401 Theft of laptop computers
Southern Ohio Medical Center OH Healthcare Provider 15,136 Hacking incident with potential data theft
Arkfeld, Parson, and Goldstein, P.C. doing business as ilumin NE Healthcare Provider 14,984 Hacking incident at EHR provider
Pediatric Associates, P.C. VA Healthcare Provider 13,000 Hacking incident at EHR provider
Fairfield County Implants and Periodontics, LLC CT Healthcare Provider 10,502 Email account breach

Causes of April 2022 Healthcare Data Breaches

Hacking and IT incidents accounted for 73.2% of the healthcare data breaches reported in April 2022 and 97.1% of the month’s breached healthcare records. 2,098,390 individuals were affected by those hacking incidents and may have had their protected health information stolen. The average breach size was 51,180 records and the median breach size was 9,969 records. 16 of the hacking incidents involved unauthorized individuals gaining access to employee email accounts, and there were 7 breaches of electronic health records, due to the hacking incident at the EHR vendor Eye Care Leaders.

Causes of April 2022 Healthcare Data Breaches (april 2022)

There were just breaches reported as unauthorized access/disclosure incidents which involved a total of 20,391 records. The average breach size was 1,854 records and the median breach size was 820 records. There were two theft incidents reported involving laptop computers and one loss incident involving an ‘other portable electronic device’. Across the three loss/theft incidents, the records of 40,298 individuals were potentially compromised. All three breaches could have been prevented if data had been encrypted. There was also one improper disposal incident reported, involving 1,115 paper records.

Location of breached protected health information (April 2022)

Healthcare Data Breaches by Covered Entity Type

Healthcare providers were the worst affected HIPAA-covered entity, with 39 reporting breaches in April. 7 data breaches were reported by health plans, and 10 data breaches were reported by business associates. However, a further 17 data breaches occurred at business associates but were reported by the respective covered entity. The chart below shows the month’s data breaches adjusted to reflect where the breaches occurred.

Healthcare Data Breaches by Covered Entity Type (April 2022)

Healthcare Data Breaches by State

In April 2022, HIPAA-regulated entities in 26 states reported breaches. New York and Ohio were the worst affected states in April, with 7 & 6 data breaches reported respectively.

State Number of Data Breaches
New York 7
Ohio 6
California 4
Arizona, Georgia, Kansas, Michigan, Tennessee, & Virginia 3
Florida, Maryland, North Carolina & New Hampshire 2
Alabama, Arkansas, Colorado, Connecticut, Illinois, Nebraska, North Dakota, Pennsylvania, South Carolina, Utah, Vermont, Washington & West Virginia 1

HIPAA Enforcement Activity in April 2022

There were no HIPAA enforcement activities announced by the HHS’ Office for Civil Rights or State Attorneys General in April 2022. So far this year, 4 financial penalties have been imposed to resolve HIPAA violations.

The post April 2022 Healthcare Data Breach Report appeared first on HIPAA Journal.

HIPAA Enforcement Rule

The HIPAA Enforcement Rule of 2006 – and subsequent amendments attributable to the passage of HITECH – details the procedures for investigating violations of HIPAA and the penalties that the HHS Office for Civil Rights can impose on Covered Entities and Business Associates for failing to comply with the Privacy, Security, and Breach Notification Rules.

In 1996, the passage of HIPAA gave the Secretary of Health and Human Services (HHS) the authority to impose financial penalties for violations of the Administrative Simplification provisions (see Sections 1176 and 1177). The Administrative Simplification provisions led to the publication of the HIPAA Privacy and Security Rules which were enacted in 2002 and 2003 respectively.

The authorization to enforce the HIPAA Privacy and Security Rules (and later, the Breach Notification Rule) was delegated to the HHS´ Office for Civil Rights. However, despite receiving more than 13,000 complaints in the first two years, the Office for Civil Rights failed to bring a single enforcement action – giving Covered Entities the impression that HIPAA compliance was optional rather than mandatory.

The HIPAA Enforcement Rule takes Shape

In 2003, HHS released an Interim Final Rule relating to the “Procedures for Investigations, Imposition of Penalties, and Hearings” (68 FR 18895). Despite describing the Interim Final Rule as the first installment of a HIPAA Enforcement Rule, the document describes the Office for Civil Rights´ approach to enforcement as intending to “seek and promote voluntary compliance with the rules” – further giving the impression HIPAA compliance was optional.

In order to overcome this impression and encourage voluntary compliance with the Privacy and Security Rules, the 2003 Interim HIPAA Enforcement Rule increased the volume of the General Administrative Requirements relating to compliance and investigations (45 CFR § 160 Subpart C) and introduced a new section to the General Administrative Requirements relating to the procedures for investigation (45 CFR § 160 Subpart E).

A further new section was added to the General Administrative Requirements when a later Interim HIPAA Enforcement Rule was published in 2005 (PDF). This new section (45 CFR § 160 Subpart D) explained the basis for issuing a financial penalty and the amounts Covered Entities could be fined for violations of HIPAA. At the time, the maximum penalty per violation was $100, with fines being capped at $25,000 per year for identical violations.

Despite the new section, many public comments were critical of the apparent “policy of nonenforcement” – so much so that when the Final HIPAA Enforcement Rule was published in 2006, the preamble goes to considerable lengths to explain the challenges of enforcing HIPAA and claims that “68 percent [of cases] have been resolved or otherwise closed”. Nonetheless, it was a further three years before a Covered Entity was fined for a violation of HIPAA.

Subsequent Amendments Attributable to HITECH

The passage of the HITECH Act in 2009 had a significant impact on the enforcement of HIPAA. HITECH introduced the HIPAA Breach Notification Rule and new compliance requirements for both Covered Entities and their Business Associates. Compliance with the Security Rule and some elements of the Privacy Rule was extended to Business Associates, and – significantly in the context of the HIPAA Enforcement Rule – the burden of proof was reversed.

Prior to HITECH, the Office for Civil Rights had to prove that an unauthorized disclosure of PHI had resulted in harm before it could issue a financial penalty to a non-compliant Covered Entity. Subsequent to HITECH, Covered Entities and Business Associates have the burden of demonstrating that all required notifications have been made or that a use or disclosure of unsecured PHI did not constitute a breach as defined by 45 CFR § 164.402.

In addition, the previous maximum penalty and penalty cap were scrapped, and a new four-level penalty tier introduced via the HIPAA Final Omnibus Rule of 2013 in which fines would reflect the non-compliant entity´s level of culpability. The minimum and maximum limits in each penalty tier and the annual penalty limit are adjusted annually to account for inflation. The current penalty limits are:

HIPAA Enforcement Rule - Penalties

How Enforcement Changed in the Post-HITECH Era

The HITECH amendments started a new era of HIPAA enforcement. From 2014 onwards, the Office for Civil Rights increased the number of investigations into alleged HIPAA violations, gave more technical assistance, issued more Corrective Action Plans, and reached more settlements with offenders. The revenues from the fines were used to provide the Office for Civil Rights with more enforcement resources; and, in 2016, the HIPAA audit program was extended.

Now, in addition to investigating unauthorized disclosures of unsecured PHI, the Office for Civil Rights is able to investigate other types of HIPAA violations. In recent years, the focus has been on non-compliance with Privacy Rule provisions relating to patients´ rights. Although fewer individuals are affected by this type of HIPAA violation – and the fines issued are much less – enforcement action of this nature demonstrates that claims of lax enforcement are no longer justified.

Looking forward, proposed new HIPAA regulations could affect short-term enforcement action. As with all previous HIPAA Rules, Covered Entities and Business Associates will be given a period of time to adjust to any new regulations; and because some of the proposals relax existing HIPAA standards, there is likely to be a number of unintentional violations attributable to misunderstanding the rules that will be resolved by technical assistance rather than Corrective Action Plans and fines.

The post HIPAA Enforcement Rule appeared first on HIPAA Journal.

March 2022 Healthcare Data Breach Report

For the fourth successive month, the number of reported healthcare data breaches has fallen. In March 2022, 43 healthcare data breaches of 500 or more records were reported to the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR), which is a 6.52% fall from February and well below the 12-month average of 57.75 data breaches a month.

healthcare data breaches past 12 months - March 2022

However, there was a 36.94% increase in the number of breached records compared to February. Across the 43 reported breaches, 3,083,988 healthcare records were exposed, stolen, or impermissibly disclosed, which is slightly below the average of 3,424,818 breached records a month over the past 12 months.

number of breached healthcare recovers over the past 12 months - March 2022

Largest Healthcare Data Breaches in March 2022

In March 2022, there were 25 data breaches reported to OCR that affected 10,000 or more individuals, all but one of which were hacking incidents. The largest data breach of the month affected over half a million patients. Christie Business Holdings Company, which operates Christie Clinic in Illinois, discovered an employee email account had been accessed by unauthorized individuals and was used in a business email compromise (BEC) attack to try to divert payment to a third-party vendor. BEC attacks may account for a relatively small percentage of healthcare data breaches, but according to figures from the FBI, they are the biggest cause of losses to cybercrime.

SuperCare Health reported a major breach from July 2021 where hackers accessed its network and potentially stole patient data. Around two weeks after announcing the data breach the first lawsuit against SuperCare Health was filed. There is often a rush to file lawsuits following healthcare data breaches, and it is now common for multiple lawsuits to be filed.

CSI Laboratories reported a cyberattack that was discovered in February. While the nature of the attack was not disclosed, the Conti ransomware gang claimed responsibility for the attack and published a sample of the stolen data on its data leak site to pressure the lab into paying the ransom. Double extortion tactics, where payment is required for the keys to decrypt files and to prevent the publication of stolen data, are now the norm in ransomware attacks.

Name of Covered Entity State Covered Entity Type Individuals Affected Breach Cause
Christie Business Holdings Company, P.C. IL Healthcare Provider 502,869 Hacked email account
Super Care, Inc. dba SuperCare Health CA Healthcare Provider 318,379 Unspecified hacking incident
Cytometry Specialists, Inc., d/b/a CSI Laboratories GA Healthcare Provider 312,000 Ransomware attack (Conti)
South Denver Cardiology Associates, PC CO Healthcare Provider 287,652 Unspecified hacking incident
Clinic of North Texas, LLP TX Healthcare Provider 244,174 Unspecified hacking incident
Taylor Regional Hospital KY Healthcare Provider 190,209 Unspecified hacking incident
Chelan Douglas Health District WA Healthcare Provider 188,236 Unspecified hacking and data theft incident
Urgent Team Holdings TN Healthcare Provider 166,601 Unspecified hacking incident
New Jersey Brain and Spine NJ Healthcare Provider 92,453 Unspecified hacking incident
Duncan Regional Hospital, Incorporated OK Healthcare Provider 86,379 Unspecified hacking incident
Labette Health KS Healthcare Provider 85,635 Unspecified hacking incident
Law Enforcement Health Benefits, Inc. PA Health Plan 85,282 Ransomware attack
Central Indiana Orthopedics IN Healthcare Provider 83,705 Unspecified hacking incident
Highmark Inc PA Health Plan 67,147 Hacking incident at mailing vendor
Advanced Medical Practice Management NJ Business Associate 56,427 Unspecified hacking and data theft incident
Charleston Area Medical Center, Inc. WV Healthcare Provider 54,000 Hacked email accounts (Phishing)
Resources for Human Development PA Healthcare Provider 46,673 Theft of unencrypted hard drive
Cancer and Hematology Centers of Western Michigan MI Healthcare Provider 43,071 Ransomware attack
Horizon Actuarial Services, LLC GA Business Associate 38,418 Unspecified hacking and data theft incident
Central Minnesota Mental Health Center MN Healthcare Provider 28,725 Hacked email accounts
Capital Region Medical Center MO Healthcare Provider 17,578 Unspecified hacking incident
Dialyze Direct, LLC NJ Healthcare Provider 14,203 Hacked email account
Major League Baseball Players Benefit Plan MD Health Plan 13,156 Unspecified hacking and data theft incident at a business associate
Colorado Physician Partners, PLLC CO Healthcare Provider 12,877 Hacked email account
Crossroads Health OH Healthcare Provider 10,324 Unspecified hacking and data theft incident

Causes of March 2022 Healthcare Data Breaches

The healthcare data breaches reported in March were dominated by hacking/IT incidents, which accounted for 90.7% of all data breaches reported and 98.3% of the breached healthcare records. 3,083,988 individuals were affected by those hacking incidents. The average breach size was 77,766 records and the median breach size was 17,758 records.

Causes of MArch 2022 healthcare data breaches

While the category “hacking/IT incidents” covers a broad range of causes, 31 of the incidents involved hackers gaining access to network servers where patient data was stored. 10 incidents involved unauthorized individuals gaining access to employee email accounts.

 

There were just three breaches reported as unauthorized access/disclosure incidents which involved a total of 4,447 records. The average breach size was 1,482 records and the median was 1,682 records. There was only one theft incident reported – a hard drive containing the records of 46,673 individuals was stolen.

Location of breached PHI in March 2022 healthcare data breaches

March 2022 Healthcare Data Breaches by State

HIPAA-regulated entities in 22 states and Puerto Rico reported data breaches in March 2022. New Jersey, Pennsylvania & Texas were the worst affected states with 4 breaches reported in each state.

State Number of Reported Data Breaches
New Jersey, Pennsylvania & Texas 4
Colorado, Georgia, Indiana, Kansas, Michigan, Minnesota, Washington, West Virginia, and Puerto Rico 2
California, Illinois, Kentucky, Maryland, Massachusetts, Missouri, New York, Ohio, Oklahoma, Tennessee, and Utah 1

HIPAA Enforcement Activity in March 2022

There were no HIPAA enforcement actions announced by the HHS’ Office for Civil Rights or state attorneys general in March 2022.

The post March 2022 Healthcare Data Breach Report appeared first on HIPAA Journal.

On-the-spot Email Interventions Reduce Repeat Medical Record Snooping Incidents by 95%

Immediate intervention following an instance of unauthorized access to protected health information (PHI) by a healthcare employee is 95% effective at preventing repeat offenses, according to a new study published in JAMA Open Network.

Healthcare data breaches are occurring at record levels, and while large data breaches are often the result of hacking and other IT incidents, insider breaches such as snooping on medical records are common. According to HHS data, in 2019, 92% of combined small and large breaches were tied to unauthorized access.

While many cases of employees snooping on the medical records of VIP patients have been covered in the media, these types of snooping incidents are relatively uncommon. It is much more common for healthcare employees to access the medical records of family members, friends, and colleagues, and those privacy violations can be just as damaging for patients.

All cases of unauthorized access start with an employee accessing a single patient record, but they can easily turn into major data breaches if left unchecked. There have been several cases of healthcare employees accessing the medical records of thousands of patients without authorization over several years when the unauthorized access is not promptly identified and addressed.

A study conducted by Bai, Jiang, and Flasher in 2017 found the risk of data breaches was higher at large academic medical centers than at other hospitals. Around one-quarter of the data breaches were cases of employees accessing patient information without authorization.

The recent study, Effectiveness of Email Warning on Reducing Hospital Employees’ Unauthorized Access to Protected Health Information: A Nonrandomized Controlled Trial, conducted by researchers at Michigan State University, Johns Hopkins, and Nick Culbertson, CEO and Co-founder of the healthcare compliance analytics firm Protenus, investigated the effectiveness of email warnings at preventing repeat offenses by employees.

Between January 1 and July 31, 2018, a system that monitored unauthorized accessing of PHI at a large academic medical center flagged unauthorized accessing of electronic medical records by 444 employees, all of whom were professional medical staff who were not part of the patient’s intervention team and did not have access permission.

A group of 219 employees was randomly selected and received an email warning on the night of their access. The email explained that the individual had been identified as having accessed a patient’s electronic medical record when there was no work-related reason for doing so, and that it was a privacy violation. The remaining 225 employees formed a control group and received no email warning.

In the group that received an email intervention, 4 employees out 219 went on to access patient information without authorization on a second occasion between 20 and 70 days after the initial unauthorized access. In the control group, 90 out of the 225 employees accessed the protected health information of patients again without authorization between 20 and 70 days after the initial unauthorized access.

While there were limitations of the study and the findings may not translate to other hospitals, it demonstrates that on-the-spot intervention can be highly effective at preventing further privacy breaches and that if no action is taken, employees are likely to continue to access patient data in violation of the HIPAA Rules.

“What an email warning can do to deter employees’ unauthorized access is stunning. A simple email can lead to big changes,” said Dr. Ge Bai, a professor at Johns Hopkins Carey Business School and Bloomberg School of Public Health, and corresponding author of the study.

For the duration of the trial, no disciplinary action was taken against any of the employees. Disciplinary action was taken after the trial was concluded against all employees involved for violating the PHI access policy of the medical center, which prohibits employees from accessing the records of family members, coworkers, friends, or other acquaintances without prior written authorization.

The post On-the-spot Email Interventions Reduce Repeat Medical Record Snooping Incidents by 95% appeared first on HIPAA Journal.

OCR Seeks Comment on Recognized Security Practices and the Sharing of HIPAA Settlements with Harmed Individuals

The Department of Health and Human Services’ Office for Civil Rights has released a Request for information (RFI) related to two outstanding requirements of the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act).

The HITECH Act, as amended in 2021 by the HIPAA Safe Harbor Act, requires the HHS consider the security practices that have been implemented by HIPAA-regulated entities when considering financial penalties and other remedies to resolve potential HIPAA violations discovered during investigations and audits.

The aim of the HIPAA Safe Harbor Act was to encourage HIPAA-regulated entities to implement cybersecurity best practices, with the reward being lower financial penalties for data breaches and less scrutiny by the HHS if industry-standard security best practices have been implemented for the 12 months prior to a data breach occurring.

Another outstanding requirement that dates back to when the HITECH Act was signed into law, is for the HHS to share a percentage of the civil monetary penalties (CMPs) and settlement payments with individuals who have been harmed as a result of the violations for which the penalties have been applied. The HITECH Act calls for a methodology to be established by the HHS for determining appropriate amounts to be shared, based on the nature and extent of the HIPAA violation and the nature and extent of the harm that has been caused.

Earlier this year, the recently appointed Director of the HHS’ Office for Civil Rights (OCR) – Lisa J. Pino – confirmed that these two requirements of the HITECH Act were being addressed this year. Yesterday, OCR published the RFI in the Federal Register seeking public comment on these two requirements of the HITECH Act.

Specifically, OCR is seeking feedback on what constitutes “Recognized Security Practices,” the recognized security practices that are being implemented to safeguard electronic protected health information by HIPAA-compliant entities, and how those entities anticipate adequately demonstrating that recognized security practices are in place. OCR would also like to learn about any implementation issues that those entities would like to be clarified by OCR, either through further rulemaking or guidance, and suggestions on the action that should initiate the beginning of the 12-month look-back period, as that is not stated in the HIPAA Safe Harbor Act.

One of the main issues with the requirement to share CMPs and settlements with victims is the HITECH Act has no definition of harm. OCR is seeking comment on the types of “harms” that should be considered when distributing a percentage of SMPs and settlements, and suggestions on potential methodologies for sharing and distributing monies to harmed individuals.

“This request for information has long been anticipated, and we look forward to reviewing the input we receive from the public and regulated industry alike on these important topics,” said Pino. “I encourage those who have been historically underserved, marginalized, or subject to discrimination or systemic disadvantage to comment on this RFI, so we hear your voice and fully consider your interests in future rulemaking and guidance.”

In order to be considered, comments must be submitted to OCR by June 6, 2022.

The post OCR Seeks Comment on Recognized Security Practices and the Sharing of HIPAA Settlements with Harmed Individuals appeared first on HIPAA Journal.

OCR Announces 4 Financial Penalties to Resolve HIPAA Violations

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced its first financial penalties of 2022 to resolve alleged violations of the Health Insurance Portability and Accountability Act (HIPAA). Three of the cases were settled with OCR, and one resulted in a civil monetary penalty being imposed.

OCR is continuing to enforce compliance with the HIPAA Right of Access, with two of the enforcement actions resolving violations of this important HIPAA provision. One of the fines was been imposed, in part, for overcharging a patient who requested a copy of their medical records – The first financial penalty under the 2019 enforcement initiative to allege overcharging for copies of medical records. To date, OCR has imposed 27 financial penalties on healthcare providers that have failed to provide patients with timely access to their medical records. The other two cases involved impermissible disclosures of the protected health information of patients.

“Between the rising pace of breaches of unsecured protected health information and continued cyber security threats impacting the health care industry, it is critical that covered entities take their HIPAA compliance responsibilities seriously,” said OCR Director Lisa J. Pino. “OCR will continue our steadfast commitment to protect individuals’ health information privacy and security through enforcement, and we will pursue civil money penalties for violations that are not addressed.”

Dental Practitioner Fined $30,000 for Noncompliance with the HIPAA Right of Access

Dr. Donald Brockley D.D.M, a solo dental practitioner in Butler, PA, was investigated by OCR over a complaint from a patient who had not been provided with a copy of the requested medical records within the time allowed by the HIPAA Privacy Rule. OCR determined that there had been a HIPAA Right of Access violation and provided Dr. Brockley with the opportunity to provide written evidence of any mitigating factors in an August 27, 2019, letter. No response was received.

OCR then notified Dr. Brockley of its intention to impose a financial penalty of $104,000, and Dr. Brockley requested a hearing with an Administrative Law Judge to contest the financial penalty. On October 8, 2021, the parties filed a joint motion to stay proceedings for 60 days, during which time an agreement was reached with both parties and the case was settled.

Dr. Brockley agreed to pay a $30,000 financial penalty and adopt a corrective action plan which included updating policies and procedures to ensure compliance with the HIPAA Right of Access.

$28,000 Financial Penalty for California Psychiatric Medical Services in HIPAA Right of Access Case

Jacob & Associates, a California provider of psychiatric medical services, was investigated by OCR over a complaint from a patient who claimed that medical records had been requested from Jacob & Associates on July 1, 2018, but had not been provided. The complainant claimed to have sent similar requests every July 1 since 2013 but had never been provided with the requested records.

After submitting the complaint to OCR, the complainant resent their record request was provided with a complete copy of the requested records on May 16, 2019, by electronic mail. However, in order for the patient to be provided with those records, she was required to travel to the practice to complete a record access form in person. She was also charged $25 for the copy of her records, and initially was only provided with an incomplete, single-page copy and had to submit another request to obtain her full records.

OCR determined that Jacob & Associates had violated the HIPAA Right of Access by not providing timely access to the patient’s medical records, had charged the patient an unreasonable non-cost-based fee, and did not have policies and procedures in place concerning the right of patients to access their protected health information.

During the investigation, OCR also determined that Jacob & Associates had not designated a HIPAA Privacy Officer and its notice of privacy practices lacked the required content. The case was settled for $28,000 and Jacob & Associates agreed to a corrective action plan to address all areas of alleged non-compliance.

$50,000 Civil Monetary Penalty Imposed on Dental Practice for Social Media HIPAA Violation

Dr. U. Phillip Igbinadolor, D.M.D. & Associates, P.A., (UPI), a dental practice with offices in Charlotte and Monroe, NC, was investigated by OCR after a patient submitted a complaint in November 2015 alleging an unauthorized disclosure of his protected health information in response to a negative online review of the practice.

On or around September 28, 2015, the complainant, using a pseudonym to protect his privacy, posted a negative review on UPI’s Google page.  UPI responded to the review and claimed the accusations made by the patient were unsubstantiated; however, UPI identified the patient and mentioned the patient’s full name on three occasions in the response, the symptoms the patient was experiencing, and the treatment that was recommended but not provided.

OCR reviewed the complaint and requested documentation from UPI in July 2016 on its policies and procedures covering responses to online reviews and social media, uses and disclosures of PHI, safeguarding PHI, and details of HIPAA training that was provided prior to, and in response to, the incident. UPI confirmed that a response had been posted to the Google page, but only provided OCR with its notice of privacy practices.

In August 2016, OCR informed UPI that the response to the review violated the HIPAA Privacy Rule and was an impermissible disclosure of PHI and told UI to remove its response to the review and implement policies and procedures, if they had not already been implemented, covering online reviews and social media. In 2017, OCR requested a copy of the policies and procedures and again told UPI to remove the response to the review.

Only an acknowledgment of training was provided to OCR, and it did not include any of the training content. The response to the review was not removed. OCR then requested financial statements to be used to determine an appropriate financial penalty, but UPI refused to provide them claiming they were not related to HIPAA. After OCR explained why they were required, UPI responded in September 2017 and refused to provide the records, and included the statement “I will see you in court”.

After receiving and failing to respond to an administrative subpoena requesting the provision of policies and procedures, training, income statements, balance sheets, statements of cash flow, and federal tax returns, and the failure to respond to further communications, OCR obtained the authorization of the Attorney General of the United States and imposed a civil monetary penalty of $50,000 under the penalty tier of wilful neglect with no correction.

Dental Practice Fined $62,500 for Impermissible Disclosure of PHI for Marketing Purposes

Northcutt Dental-Fairhope, LLC (Northcutt Dental), a Fairhope, AL dental practice, was investigated by OCR over an impermissible disclosure of PHI. Dr. David Northcutt, the operator and owner of Northcutt Dental, ran for state senator for Alabama District 32 in 2017. Dr. Northcutt engaged a campaign manager and a third-party marketing company to provide assistance with the state senate election campaign. The campaign manager was provided with an Excel spreadsheet that included the names and addresses of 3,657 patients, and letters were sent to those individuals to notify them that Dr. Northcutt was running for state senate.  The email addresses of those individuals, along with the email addresses of a further 1,727 patients, were provided to the marketing company Solutionreach to send a campaign email.

OCR determined that the disclosures of PHI to the campaign manager and third-party marketing company were impermissible disclosures of PHI. OCR also determined that Northcutt Dental had not appointed a HIPAA Privacy Officer until November 14, 2017, and policies and procedures related to the HIPAA Privacy and Breach Notification Rules were not implemented until January 1, 2018. The case was settled and Northcutt Dental agreed to a $62,500 penalty and a corrective action plan to address the alleged areas of non-compliance.

The post OCR Announces 4 Financial Penalties to Resolve HIPAA Violations appeared first on HIPAA Journal.

February 2022 Healthcare Data Breach Report

For the third successive month, the number of data breaches reported to the HHS’ Office for Civil Rights (OCR) has fallen. 46 healthcare data breaches of 500 or more records were reported to OCR in February – an 8% fall from January. February saw the lowest number of data breaches in the past 5 months. Even with the reduction in breaches, on average, more than 2 healthcare data breaches have been reported each day over the past 12 months. From March 1, 2021, to February 28, 2022, there have been 723 reported data breaches of 500 or more records.

Healthcare data breaches in the past 12 months

Across February’s 46 incidents, the records of 2,525,023 individuals were exposed or compromised – a 2.28% fall from the previous month – which is considerably lower than the 3,506,400 records that have been breached each month, on average, from March 1, 2021, to February 28, 2022. At least 42,076,805 healthcare records were exposed over that period. In February, the average breach size was 48,957 records and the median breach size was 7,014 records.

breached healthcare records over the past 12 months

Largest Healthcare Data Breaches Reported in February 2022

22 HIPAA-regulated entities reported breaches of 10,000 or more healthcare records in February. The largest breach of the month was reported by Morley Companies, which was a hacking incident that resulted in the exposure and possible theft of the protected health information of 521,046 members of its health plan.

Monongalia Health System reported a major hacking incident that potentially resulted in the theft of the PHI of 492,861 individuals. The breach was discovered a few days after the health system announced a previous data breach – a phishing and business email compromise attack – that affected almost 398,164 individuals.

Name of Covered Entity State Covered Entity Type Individuals Affected Type of Breach Cause of Breach
Morley Companies, Inc. MI Business Associate 521,046 Hacking/IT Incident Unspecified hacking incident
Monongalia Health System, Inc. WV Healthcare Provider 492,861 Hacking/IT Incident Unspecified hacking incident
Norwood Clinic AL Healthcare Provider 228,000 Hacking/IT Incident Unspecified hacking incident
Logan Health Medical Center MT Healthcare Provider 213,543 Hacking/IT Incident Unspecified hacking incident
South Shore Hospital Corporation IL Healthcare Provider 115,670 Hacking/IT Incident Unspecified hacking incident
Comprehensive Health Services FL Healthcare Provider 106,752 Hacking/IT Incident Business email compromise
US Radiology Specialists, Inc. NC Business Associate 87,552 Hacking/IT Incident Unknown
Memorial Village ER TX Healthcare Provider 80,000 Hacking/IT Incident Unspecified hacking incident
Montrose Regional Health CO Healthcare Provider 52,632 Hacking/IT Incident Compromised email accounts
Cross Timbers Health Clinics dba AccelHealth TX Healthcare Provider 48,126 Hacking/IT Incident Ransomware attack
Jacksonville Spine Center, P.A. FL Healthcare Provider 38,000 Hacking/IT Incident Ransomware attack
The Puerto Rican Organization to Motivate, Enlighten, and Serve Addicts, Inc. NY Healthcare Provider 30,220 Hacking/IT Incident Compromised email accounts
EPIC Pharmacy Network, Inc. VA Healthcare Provider 28,776 Hacking/IT Incident Compromised email accounts
Ascension Michigan (single affiliated covered entity) ACE MI Healthcare Provider 27,177 Unauthorized Access/Disclosure Unauthorized EHR access by an employee
Bako Diagnostics GA Healthcare Provider 25,745 Hacking/IT Incident Unspecified hacking incident (data exfiltration confirmed)
Ultimate Care, Inc. NY Healthcare Provider 15,788 Hacking/IT Incident Compromised email accounts
Alliance Physical Therapy Group, LLC MI Business Associate 14,970 Hacking/IT Incident Unspecified hacking incident
University Medical Center Southern Nevada NV Healthcare Provider 12,230 Hacking/IT Incident Unknown
Seneca Nation Health System NY Healthcare Provider 12,000 Hacking/IT Incident Unknown
CareOregon Advantage OR Health Plan 10,467 Unauthorized Access/Disclosure Misdirected email
Extend Fertility NY Healthcare Provider 10,373 Hacking/IT Incident Ransomware attack
Houston Health Department TX Healthcare Provider 10,291 Unauthorized Access/Disclosure Misconfigured web portal

Causes of February 2022 Healthcare Data Breaches

As the table above shows, hacking incidents dominated the breach reports in February. 39 of the month’s data breaches were hacking/IT incidents, the majority of which saw unauthorized individuals hack into networks and view and/or exfiltrate sensitive data. It is common for breached entities to disclose hacking incidents but not publicly disclose details about the exact nature of the attacks, such as if they involved malware or ransomware. Across those 39 breaches, the records of 2,184,973 individuals were exposed or compromised. The average breach size was 56,025 records and the median breach size was 6,221 records.

causes of february 2022 healthcare data breaches

There were 6 unauthorized access/disclosure incidents reported in February involving the records of 62,550 individuals. The average breach size was 10,425 records and the median breach size was 8,953 records. There was one loss incident involving a desktop computer that contained the PHI of 4,500 individuals. There were no reported theft or improper disposal incidents.location of breached PHI in February 2022 healthcare data breaches

Healthcare Data Breaches by State

HIPAA-regulated entities in 23 states reported data breaches in February. New York the worst affected state with 6 reported breaches, followed by Florida, Michigan, and New Jersey which each had 5.

State Number of reported breaches
New York 6
Florida, Michigan, and New Jersey 5
Texas and Virginia 3
Pennsylvania and West Virginia 2
Alabama, Arizona, Colorado, Connecticut, Georgia, Illinois, Massachusetts, Montana, Nevada, North Carolina, Oklahoma, Oregon, Rhode Island, Utah, and Washington 1

Healthcare Data Breaches by HIPAA-Regulated Entity Type

Healthcare providers were the worst affected entity in February 2022 having reported a total of 35 data breaches involving the records of 1,597,155 individuals. There were 6 data breaches reported by health plans involving 21,284 records, and 5 data breaches were self-reported by business associates of HIPAA-covered entities, which involved the records of 633,584 individuals.

10 breaches occurred at business associates but were reported by the affected covered entity, with the adjusted figures shown in the chart below.

February 2022 healthcare data breaches by HIPAA-regulated entity type

HIPAA Enforcement Actions in February 2022

There were no announcements by the HHS’ Office for Civil Rights or state Attorneys General about HIPAA enforcement actions in February. In fact, there have been no financial penalties imposed for HIPAA violations so far in 2022.

OCR Director, Lisa J. Pino, has confirmed that the Department of Health and Human Services has an ambitious regulatory agenda for 2021, which will include strong enforcement of HIPAA compliance, including the continuation of its enforcement initiative targeting healthcare providers that violate the HIPAA Right of Access and fail to provide individuals with timely access to their medical records.

The post February 2022 Healthcare Data Breach Report appeared first on HIPAA Journal.

OCR: HIPAA Security Rule Compliance Can Prevent and Mitigate Most Cyberattacks

Healthcare hacking incidents have been steadily rising for a number of years. There was a 45% increase in hacking/IT incidents between 2019 and 2020, and in 2021, 66% of breaches of unsecured electronic protected health information were due to hacking and other IT incidents. A large percentage of those breaches could have been prevented if HIPAA-regulated entities were fully compliant with the HIPAA Security Rule.

The Department of Health and Human Services’ Office for Civil Rights explained in its March 2022 cybersecurity newsletter that compliance with the HIPAA Security Rule will prevent or substantially mitigate most cyberattacks. Most cyberattacks on the healthcare industry are financially motivated and are conducted to steal electronic protected health information or encrypt patient data to prevent legitimate access. The initial access to healthcare networks is gained via tried and tested methods such as phishing attacks and the exploitation of known vulnerabilities and weak authentication protocols, rather than exploiting previously unknown vulnerabilities.

Prevention of Phishing

Phishing is one of the commonest ways that cyber actors gain a foothold in healthcare networks. Coveware’s Q2, 2021 Quarterly Ransomware Report suggests 42% of ransomware attacks in the quarter saw initial network access gained via phishing emails. Phishing attacks attempt to trick employees into visiting a malicious website and disclosing their credentials or opening a malicious file and installing malware.

Anti-phishing technologies such as spam filters and web filters are key technical safeguards to prevent phishing attacks. They stop emails from being delivered from known malicious domains, scan attachments and links, and block access to known malicious websites where malware is downloaded or credentials are harvested. These tools are important technical safeguards for ensuring the confidentiality, integrity, and availability of ePHI.

OCR reminded HIPAA-regulated entities that “The Security Rule requires regulated entities to implement a security awareness and training program for all workforce members,” which includes management personnel and senior executives. “A regulated entity’s training program should be an ongoing, evolving process and be flexible enough to educate workforce members on new and current cybersecurity threats (e.g., ransomware, phishing) and how to respond,” said OCR.

The Security Rule also has an addressable requirement to send periodic security reminders to the workforce. OCR said one of the most effective forms of “security reminders” is phishing simulation emails. These exercises gauge the effectiveness of the training program and allow regulated entities to identify weak links and address them. Those weak leaks could be employees who have not fully understood their training or gaps in the training program.

“Unfortunately, security training can fail to be effective if it is viewed by workforce members as a burdensome, “check-the-box” exercise consisting of little more than self-paced slide presentations,” suggested OCR. “Regulated entities should develop innovative ways to keep the security trainings interesting and keep workforce members engaged in understanding their roles in protecting ePHI.”

Prevention of Vulnerability Exploitation

Some cyberattacks exploit previously unknown vulnerabilities (zero-day attacks) but it is much more common for hackers to exploit known vulnerabilities for which patches are available or mitigations have been made public. It is the failure to patch and update operating systems promptly that allows cyber actors to take advantage of these vulnerabilities.

The continued use of outdated, unsupported software and operating systems (legacy systems) is common in the healthcare industry. “Regulated entities should upgrade or replace obsolete, unsupported applications and devices (legacy systems),” said OCR. “However, if an obsolete, unsupported system cannot be upgraded or replaced, additional safeguards should be implemented or existing safeguards enhanced to mitigate known vulnerabilities until upgrade or replacement can occur (e.g., increase access restrictions, remove or restrict network access, disable unnecessary features or services”

The HIPAA Security Rule requires regulated entities to implement a security management process to prevent, detect, contain, and fix security violations. A risk analysis must be conducted and risks and vulnerabilities to ePHI must be reduced to a reasonable and appropriate level. The risk analysis and risk management process should identify and address technical and non-technical vulnerabilities.

To help address technical vulnerabilities, OCR recommends signing up for alerts and bulletins from CISA, OCR, the HHS Health Sector Cybersecurity Coordination Center (HC3), and participating in an information sharing and analysis center (ISAC). Vulnerability management should include regular vulnerability scans and periodic penetration tests.

Eradicate Weak Cybersecurity Practices

Cyber actors often exploit poor authentication practices, such as weak passwords and single-factor authentication. The 2020 Verizon Data Breach Investigations Report suggests over 80% of breaches due to hacking involved compromised or brute-forced credentials.

“Regulated entities are required to verify that persons or entities seeking access to ePHI are who they claim to be by implementing authentication processes,” explained OCR. The risk of unauthorized access is higher when users access systems remotely, so additional authentication controls should be implemented, such as multi-factor authentication for remote access.

Since privileged accounts provide access to a wider range of systems and data, steps should be taken to bolster the security of those accounts. “To reduce the risk of unauthorized access to privileged accounts, the regulated entity could decide that a privileged access management (PAM) system is reasonable and appropriate to implement,” suggests OCR. “A PAM system is a solution to secure, manage, control, and audit access to and use of privileged accounts and/or functions for an organization’s infrastructure.  A PAM solution gives organizations control and insight into how its privileged accounts are used within its environment and thus can help detect and prevent the misuse of privileged accounts.”

OCR reminds regulated entities that they are required to periodically examine the strength and effectiveness of their cybersecurity practices and increase or add security controls to reduce risk as appropriate, and also conduct periodic technical and non-technical evaluations of implemented security safeguards in response to environmental or operational changes affecting the security of ePHI.

The post OCR: HIPAA Security Rule Compliance Can Prevent and Mitigate Most Cyberattacks appeared first on HIPAA Journal.

Video: Why HIPAA Compliance is Important for Healthcare Professionals

Many sources explaining why HIPAA compliance is important for healthcare professionals tend to focus on the purpose of HIPAA regulations rather than the benefits of compliance for healthcare professionals. The same sources also tend to focus on how noncompliance affects patients and employers, rather than the impact it can have on healthcare professionals´ lives.

This article discusses why HIPAA compliance is important for healthcare professionals from a healthcare professional´s perspective. It explains why healthcare professionals cannot avoid HIPAA; and that, by complying with HIPAA, healthcare professionals can foster patient trust, keep patients safer, and contribute towards better patient outcomes. This is turn raises morale, creates a more rewarding work experience, and enables healthcare professionals to get more from their vocation.

Conversely, the failure to comply with HIPAA can have significant professional and personal consequences. Yet the failure to comply with HIPAA is not always a healthcare professional´s fault. Sometimes it can be due to insufficient training or cultural norms. We look at why Covered Entities might not always be able to provide sufficient training or monitor HIPAA compliance, why they may not accept responsibility when an avoidable HIPAA violation occurs, and how you can avoid HIPAA violations due to a lack of knowledge.

Click here for free HIPAA training

Click here to view HIPAA training pricing

Why Healthcare Professionals Cannot Avoid HIPAA

One of the objectives of HIPAA is to provide a federal floor of privacy protections for individuals´ identifiable health information held by Covered Entities. To achieve this objective, the Privacy and Security Rules imposes standards Covered Entities must comply with in order to protect the privacy of “Protected Health Information” (PHI). The failure to comply with the HIPAA standards can result in substantial financial penalties – even when no data breach occurs and PHI is not compromised.

Most healthcare organizations are Covered Entities and, as such, are required to implement policies and procedures to comply with the Privacy and Security Rule standards. As employees of Covered Entities, healthcare professionals are required to comply with their employer´s policies and procedures. This is why healthcare professionals cannot avoid HIPAA. However, this is not the only reason why HIPAA compliance is important for healthcare professionals.

The Benefits of HIPAA Compliance for Healthcare Professionals

There is little doubt the most important element of a patient/healthcare professional relationship is trust. Patients trust their healthcare professionals with intimate details of their lives because they trust healthcare professionals work in their best interests to achieve optimal health outcomes. However, trust can be a fragile commodity. If their intimate details are exposed due to a HIPAA violation, patients may withhold information crucial to the delivery of care despite the potential long-lasting consequences for their health.

Healthcare professionals can mitigate the risk of trust being broken by complying with the policies and procedures implemented by their employer to prevent HIPAA violations. When patients are confident their privacy is being respected, this fosters trust – which contributes to the delivery of better care in order to achieve optimal health outcomes. Better patient outcomes raise the morale of healthcare professionals and result in a more rewarding work experience.

The Professional and Personal Consequences of Noncompliance

One of the policies a Covered Entity is required to implement is a sanctions policy for when members of its workforce do not comply with HIPAA policies and procedures. Covered Entities are required to enforce the sanctions policy and act on HIPAA violations by healthcare professionals because, if they don´t enforce the sanctions policy, the Covered Entity will be in violation of HIPAA. Furthermore, if the Covered Entity fails to act, noncompliance can deteriorate into a cultural norm.

Being sanctioned for a HIPAA violation can have professional and personal consequences for healthcare professionals. Penalties can range from verbal warnings to the loss of professional accreditation – which will make it difficult for a healthcare professional to get another job – and, if a criminal conviction results from the noncompliance, it will likely be reported in the media which will have repercussions for a healthcare professional´s personal reputation.

Who is Responsible for HIPAA Violations?

As mentioned previously, the failure to comply with HIPAA is not always the healthcare professional´s fault. Although Covered Entities are required to provide training on policies and procedures that relate to healthcare professionals´ functions, they may not have the resources to provide training on every conceivable scenario a healthcare professional may encounter, or to monitor compliance 24/7 in order to prevent the development of cultural norms.

Consequently, unintentional violations of HIPAA can occur due to a lack of knowledge. However, Covered Entities are not always willing to accept responsibility for unintentional violations due to a lack of knowledge because it implies they failed to conduct a thorough risk assessment, overlooked a threat to the privacy of PHI, and failed to provide “necessary and appropriate” training – or, when a cultural norm has developed, failed to monitor compliance with policies and procedures.

How You Can Avoid Unintentional Violations of HIPAA

The best way to avoid unintentional HIPAA violations and the professional and personal consequences of noncompliance – even when they are not your fault – is to ensure your knowledge of HIPAA covers every area of your role and the scenarios you may encounter. To achieve this level of knowledge, you should take advantage of third-party HIPAA training courses that provide you with an in-depth knowledge of HIPAA and its rules and regulations.

Taking responsibility for your own knowledge of HIPAA – and using that knowledge to work in a HIPAA-compliant manner – protects your career, improves your job prospects, and enables you to get more from your vocation. Given the choice, most healthcare professionals would prefer to work in an environment which operates compliantly to delivery better patient outcomes, in which morale is high, and in which the healthcare professional enjoys a more rewarding work experience.

Click here to view HIPAA training pricing

The post Video: Why HIPAA Compliance is Important for Healthcare Professionals appeared first on HIPAA Journal.