HIPAA Compliance News

New Jersey Fines Hackensack Healthcare Providers for PHI Breach and HIPAA Violations

Posted by HIPAA Journal

The New Jersey Division of Consumer Affairs has agreed to settle a data breach investigation that uncovered violations of the New Jersey Consumer Fraud Act and the federal Health Insurance Portability and Accountability Act (HIPAA)

Hackensack, NJ-based Regional Cancer Care Associates is an umbrella name for three healthcare providers that operate healthcare facilities in 30 locations in Connecticut, New Jersey, and Maryland: Regional Cancer Care Associates LLC, RCCA MSO LLC, and RCCA MD LLC.

Between April and June 2019, several employee email accounts were compromised. Employees had responded to targeted phishing emails and disclosed their credentials, which allowed the scammers to access their email accounts and the protected health information (PHI) of more than 105,000 individuals. The email accounts contained PHI such as names, Social Security numbers, driver’s license numbers, health records, bank account information, and credit card details.

In July 2019, notification letters were sent to 13,047 individuals by a third-party vendor; however, the letters were mismailed to the individuals’ next-of-kin. The notification letters disclosed sensitive information such as the patient’s medical conditions, including cancer diagnoses, when consent to disclose that information had not been provided by the patients.

Across the two incidents, the PHI of more than 105,000 individuals was exposed or impermissibly disclosed, including the PHI of more than 80,000 New Jersey residents.

“New Jerseyans battling cancer should never have to worry about whether their medical providers are properly securing and protecting their personal information from cyber threats,” said New Jersey Acting Attorney General Bruck. “We require healthcare providers to implement adequate security measures to protect patient data, and we will continue to hold accountable companies that fall short.”

The companies are alleged to have violated HIPAA and the Consumer Fraud Act by failing to ensure the confidentiality, integrity, and availability of patient data, did not protect against reasonably anticipated threats to the security/integrity of patient data, did not implement security measures to reduce risks and vulnerabilities to an acceptable level, did not conduct an accurate and comprehensive risk assessment, and had not implemented a security awareness and training program for all members of its workforce.

Under the terms of the settlement, three companies will pay a financial penalty of $425,000 and are required to implement further privacy and security measures to ensure the confidentiality, integrity, and availability of PHI.

The companies are required to implement and maintain a comprehensive information security program, a written incident response plan and cybersecurity operations center, employ a CISO to oversee cybersecurity, conduct initial training for employees and annual training on information privacy and security policies, and obtain a third-party assessment on policies and procedures relating to the collection, storage, maintenance, transmission, and disposal of patient data.

“Companies have a duty to take meaningful steps to safeguard protected health and personal information, and to avoid unauthorized disclosures,” said Division of Consumer Affairs Acting Director Sean P. Neafsey. “Our investigation revealed RCCA failed to fully comply with HIPAA requirements, and I am pleased that the companies have agreed to improve their security measures to ensure consumers’ information is protected.”

New Jersey has been one of the most active states in HIPAA enforcement. In the past few months, settlements have been reached with two other companies for violations of HIPAA and the Consumer Fraud Act. In October, a New Jersey fertility clinic was fined $495,000, and two printing companies were fined $130,000 in November.

The post New Jersey Fines Hackensack Healthcare Providers for PHI Breach and HIPAA Violations appeared first on HIPAA Journal.

Guidance Issued for Healthcare CISOs on Identity, Interoperability, and Patient Access

Posted by HIPAA Journal

The Health Information Sharing and Analysis Center (Health-ISAC) has released guidance for Chief Information Security Officers (CISOs) on adopting an identity-centric approach to enabling secure and easy access to patient data to meet the interoperability, patient access, and data sharing requirements of the 21st Century Cures Act.

New federal regulations tied to the 21st Century Cures Act call for healthcare organizations to provide patients with easy access to their healthcare data and ensure patients can easily share their electronic health information (EHI) data wherever, whenever, and with whomever they want. The failure of a healthcare organization to implement systems to support patient access and interoperability could be considered information blocking and would be subject to fines and penalties.

The new federal requirements are for healthcare providers and insurers to allow data sharing through Application Programming Interfaces (APIs) that operate on the Fast Healthcare Interoperability and Resources (FHIR) standard. Healthcare providers and insurers are required to establish APIs to allow patients to access their EHI; however, providing patients with easy access to their healthcare data has the potential to introduce security vulnerabilities.

Health-ISAC says that in order to provide easy access to patient data, multiple privacy, security, and usability challenges need to be addressed, all of which are rooted in identity. When users request access to their data, strong authentication controls must be in place to verify that the person requesting EHI is who they say they are. For many years, patient matching problems have plagued the healthcare industry, and without a national patient identifier, those problems exist to this day. Those issues must also be addressed to ensure the correct EHI is provided.  Also, if an individual wants to only share part of their EHI, it needs to be possible for a portion of the data to be easily shared.

H-ISAC Framework for Managing Identity

Health-ISAC suggests a Framework for Managing Identity (above) that covers all of those functions; however, privacy and security issues also need to be addressed. For example, if a patient wants to authorize the use of EHI on behalf of someone else that he/she cares for, such as an elderly relative or a minor child, that must be possible. It must also be possible for a patient to delegate access privileges if they are being cared for by someone else, and for appropriate authentication controls to be in place to accommodate such requests. API-level security is also required. FHIR APIs are in the public domain, so they must be secured after authorization to use is granted.

Health-ISAC suggests that healthcare organizations should adopt an identity-centric approach to data sharing to solve these issues. “The most effective way of mitigating the risk that these issues pose to organizations is through the implementation of a modern, robust, and secure identity infrastructure that can securely authenticate and authorize users and incoming requests, enforce the appropriate consent requests, and tightly govern the use of identities,” said Health-ISAC. “By design, this is exactly what the Health-ISAC framework is meant to achieve.”

Additionally, Health-ISAC strongly recommends implementing multi-factor authentication, as while this is not explicitly required by the new ONC and CMS Rules, guidance issued by the government strongly points to the use of MFA. There are risks associated with not implementing MFA due to its importance for authentication.  The HHS’ Office for Civil Rights (OCR) has fined health organizations for HIPAA violations related to inadequate authentication in the past. Health-ISAC has produced a white paper – All About Authentication – which explains the best approach for implementing MFA.

“Identity is a journey. As the healthcare industry focuses on digital adoption, identity will continue to play a foundational role. Whether your implementation of a modern identity system is driven by regulatory and compliance requirements, security and privacy concerns, or a desire to improve customer experience, a well-architected, robust digital identity solution can address all of these drivers,” concludes Health-ISAC.

The post Guidance Issued for Healthcare CISOs on Identity, Interoperability, and Patient Access appeared first on HIPAA Journal.

HHS Launches 405(d) Program Website Providing Resources to Help Mitigate Healthcare Cybersecurity Threats

Posted by HIPAA Journal

The Department of Health and Human Services has launched a new website that offers advice and resources to help the healthcare and public health sector mitigate cybersecurity threats.

The website was created as part of the HHS 405(d) Aligning Health Care Industry Security Approaches Program, which was established in response to the Cybersecurity Act of 2015. The Cybersecurity Act of 2015 called for the HHS to establish the program and a Task Group to enhance cybersecurity and align industry approaches by developing a common set of voluntary, consensus-based, and industry-led cybersecurity guidelines, practices, methodologies, procedures and processes that healthcare organizations can use.

More than 150 individuals from industry and the federal government have collaborated under the program and provided insights into how best to mitigate cyberthreats. The new website supports the motto, Cyber Safety is Patient Safety, and provides videos and other educational material to raise awareness of pertinent threats along with vetted cybersecurity resources to drive behavioral change and move toward consistency in mitigating key threats to healthcare organizations. Through the website, organizations in the HPH sector can subscribe to a bi-monthly 405(d) newsletter and will have easy access to threat-specific products to support cybersecurity awareness and training efforts.

“The new 405(d) Program website is a step forward for HHS to help build cybersecurity resiliency across the Healthcare and Public Health Sector. This is also an exciting moment for the HHS Office of the Chief Information Officer in our ongoing partnership with industry,” said Christopher Bollerer, HHS Acting Chief Information Security Officer.

“This website is the first of its kind! It’s a unique space where the healthcare industry can access vetted cybersecurity practices specific to the HPH sector on a federal government website,” said Erik Decker, 405(d) Task Group Industry co-lead. “I think it’s a great resource for the HPH sector to turn to and will surely be a go-to site for organizations that want to better protect their patients and facilities from the latest cybersecurity threats.”

The post HHS Launches 405(d) Program Website Providing Resources to Help Mitigate Healthcare Cybersecurity Threats appeared first on HIPAA Journal.

26th Annual Compliance Institute: March 28 – 31, 2022

Posted by HIPAA Journal

The Health Care Compliance Association (HCCA) will be hosting the 26th Annual Compliance Institute at the Phoenix Convention Center, AZ, March 28 – 31, 2022.

The HCCA is a member-based association for healthcare compliance professionals that is dedicated to enabling the lasting success and integrity of all professionals working for, with, or supporting healthcare organizations. Established in 1996, the HCCA now has more than 12,000 members across the United States.  The HCCA promotes the highest standards in compliance programs, creates high-quality educational training events, and provides a forum for interaction and information exchange within the healthcare compliance community.

The Compliance Institute is the HCCA’s primary educational and networking event. Running over 4 days, attendees will be able to attend 109 educational sessions, benefit from professional development opportunities, and will be able to network and improve their career prospects.

The educational sessions highlight real-world compliance issues, emerging trends, and practical applications that attendees can use to strengthen their compliance programs., with the 2022 event covering the following subject areas:

  • Auditing and monitoring
  • Behavioral health
  • Compliance law
  • General compliance/hot topics
  • How to succeed as a compliance officer
  • Investigations
  • Physician compliance
  • Post-acute care
  • Privacy and security
  • Risk management
  • Telehealth

The event will be of great benefit to healthcare compliance professionals, risk managers, privacy officers, coding and billing specialists, healthcare regulators, government personnel, nurse managers and executives, staff educators and trainers, health information management specialists, CIOs, healthcare senior executives, healthcare professionals, healthcare journalists and researchers.

26th Annual Compliance Institute

The conference will run from Monday, March 28 to Thursday, March 31 at the Phoenix Convention Center, AZ.

If it is not possible to attend in person, this year there will be the option of attending virtually from Tuesday, March 29 to Thursday, March 31. Virtual visitors will be able to attend 47 educational sessions which are being live-streamed from the conference center.

Register for the Conference

The post 26th Annual Compliance Institute: March 28 – 31, 2022 appeared first on HIPAA Journal.

HHS’ Office for Civil Rights Imposes Further 5 Financial Penalties for HIPAA Right of Access Violations

Posted by HIPAA Journal

The HHS’ Office for Civil Rights (OCR) is continuing with its enforcement of compliance with the HIPAA Right of Access and has recently announced a further 5 financial penalties. The HIPAA Right of Access enforcement initiative was launched in the fall of 2019 in response to a significant number of complaints from patients who had not been provided with timely access to their medical records.

The HIPAA Privacy Rule requires covered entities to provide individuals with access to their medical records. A copy of the requested information must be provided within 30 days of the request being received, although an extension of 30 days may be granted in limited circumstances. HIPAA-covered entities are permitted to charge patients for exercising this important Privacy Rule right, but may only charge a reasonable, cost-based fee. Labor costs are only permitted for copying or otherwise creating and delivering the PHI after it has been identified.

The enforcement actions to date have not been imposed for charging excessive amounts, only for impermissibly refusing to provide a copy of the requested records or for unnecessary delays. In some cases, patients have had to wait many months before they were provided with a copy of their records.

The latest announcement by OCR brings the total number of HIPAA Right of Access enforcement actions under the 2019 enforcement initiative up to 25.

In all of the new cases below, OCR determined the healthcare providers were in violation of 45 C.F.R. § 164.524 and had not provided timely access to protected health information about the individual after receiving a request.

Advanced Spine & Pain Management, a provider of chronic pain-related medical services in Cincinnati and Springboro, OH, agreed to settle OCR’s investigation and paid a $32,150 financial penalty and will be monitored by OCR for compliance with its corrective action plan for 2 years. The investigation stemmed from a complaint from a patient who requested his medical records on November 25, 2019, but was not provided with the records until March 19, 2020.

Denver Retina Center, a Denver, CO-based provider of ophthalmological services, settled its investigation with OCR and paid a $30,000 financial penalty and will be monitored for compliance with its corrective action plan for 12 months. A patient alleged she had requested her records in December 2018 but did not receive a copy of her records until July 26, 2019. OCR had provided technical assistance to the healthcare provider following receipt of a previous HIPAA Right of Access complaint from the same patient and closed the case. When evidence was received of continued non-compliance the case was reopened. OCR determined that in addition to the delay, Denver Retina Center’s access policies and procedures were not compliant with the HIPAA Privacy Rule, as required by 45 C.F.R. § 164.530(i).

Rainrock Treatment Center LLC (dba Monte Nido Rainrock), a Eugene, OR-based provider of residential eating disorder treatment services, settled OCR’s investigation and paid a $160,000 financial penalty and will be monitored for compliance with the corrective action plan for 12 months. OCR had received three complaints from a patient who had not been provided with a copy of her medical records. The patient had requested a copy of her records on October 1, 2019, and November 21, 2019, and did not receive the requested records until May 22, 2020.

Wake Health Medical Group, a Raleigh, NC-based provider of primary care and other health care services, settled OCR’s investigation and paid a $10,000 financial penalty and has agreed to take corrective action to prevent further HIPAA Right of Access violations. OCR had received a complaint from a patient who requested a copy of her medical records on June 27, 2019 and paid a $25 flat fee, which is the standard fee charged by Wake Health Medical Group for providing copies of medical records. As of the date of the settlement, the patient has still not been provided with the requested records.

Dr. Robert Glaser, a New Hyde Park, NY-based cardiovascular disease and internal medicine doctor, did not cooperate with OCR during the investigation, although did not contest the findings and waived his right to a hearing. A civil monetary penalty of $100,000 was imposed by OCR. An investigation was launched following receipt of a complaint from a former patient who alleged he had made several written and verbal requests for a copy of his medical records between 2013 and 2014. The complaint was filed with OCR on November 9, 2017, and the case was closed by OCR on December 15, 2017, after advising Dr. Glaser to investigate the complaint and provide the requested records if the requests were in line with the HIPAA Right of Access. The patient filed a further complaint with OCR on March 20, 2018, and provided evidence of further written requests. OCR tried to contact Dr. Glaser on multiple occasions by letter and phone, but he repeatedly failed to respond, hence the decision to impose a civil monetary penalty.

“Timely access to your health records is a powerful tool in staying healthy, patient privacy and it is your right under law,” said OCR Director Lisa J. Pino. “OCR will continue its enforcement actions by holding covered entities responsible for their HIPAA compliance and pursue civil money penalties for violations that are not addressed.”

The post HHS’ Office for Civil Rights Imposes Further 5 Financial Penalties for HIPAA Right of Access Violations appeared first on HIPAA Journal.

October 2021 Healthcare Data Breach Report

Posted by HIPAA Journal

October saw 59 healthcare data breaches of 500 or more records reported to the Department of Health and Human Services’ Office for Civil Rights, which represents a 25.5% increase from September. Over the past 12 months, from November 2020 to October 2021, there have been 655 reported breaches of 500 or more records, 546 of which have been reported in 2021.

Healthcare Data Breaches (November 20-October 21)

The protected health information (PHI) of 3,589,132 individuals was exposed, stolen, or impermissibly disclosed across the 59 reported data breaches, which is 186% more records than September. Over the past 12 months, from November 2020 to October 2021, the PHI of 39,938,418 individuals has been exposed or stolen, with 34,557,664 individuals known to have been affected by healthcare data breaches so far in 2021.

Healthcare records breached (november 20-october 21)

Largest Healthcare Data Breaches in October 2021

There were 18 data breaches reported to the HHS’ Office for Civil Rights in October that impacted 10,000 or more individuals, as detailed in the table below.

Name of Covered Entity State Covered Entity Type Individuals Affected Type of Breach Breach Cause
Eskenazi Health IN Healthcare Provider 1,515,918 Hacking/IT Incident Ransomware attack
Sea Mar Community Health Centers WA Healthcare Provider 688,000 Hacking/IT Incident Ransomware attack
ReproSource Fertility Diagnostics, Inc. MA Healthcare Provider 350,000 Hacking/IT Incident Ransomware attack
QRS, Inc. TN Business Associate 319,778 Hacking/IT Incident Unauthorized network server access
UMass Memorial Health Care, Inc. MA Business Associate 209,048 Hacking/IT Incident Phishing attack
OSF HealthCare System IL Healthcare Provider 53,907 Hacking/IT Incident Ransomware attack
Educators Mutual Insurance Association UT Health Plan 51,446 Hacking/IT Incident Unauthorized network access and malware infection
Lavaca Medical Center TX Healthcare Provider 48,705 Hacking/IT Incident Unauthorized network access
Professional Dental Alliance, LLC PA Healthcare Provider 47,173 Unauthorized Access/Disclosure Phishing attack on a vendor
Nationwide Laboratory Services FL Healthcare Provider 33,437 Hacking/IT Incident Ransomware attack
Professional Dental Alliance of Michigan, PLLC PA Healthcare Provider 26,054 Unauthorized Access/Disclosure Phishing attack on a vendor
Syracuse ASC, LLC NY Healthcare Provider 24,891 Hacking/IT Incident Unauthorized network access
Professional Dental Alliance of Georgia, PLLC PA Healthcare Provider 23,974 Unauthorized Access/Disclosure Phishing attack on a vendor
Professional Dental Alliance of Florida, LLC PA Healthcare Provider 18,626 Unauthorized Access/Disclosure Phishing attack on a vendor
Professional Dental Alliance of Illinois, PLLC PA Healthcare Provider 16,673 Unauthorized Access/Disclosure Phishing attack on a vendor
Professional Healthcare Management, Inc. TN Healthcare Provider 12,306 Hacking/IT Incident Ransomware attack
Professional Dental Alliance of Tennessee, LLC PA Healthcare Provider 11,217 Unauthorized Access/Disclosure Phishing attack on a vendor
Professional Dental Alliance of New York, PLLC PA Healthcare Provider 10,778 Unauthorized Access/Disclosure Phishing attack on a vendor

Ransomware attacks continue to plague healthcare organizations and threaten patient safety. Half of the top 10 data breaches involved ransomware, including the top three data breaches reported in October.

The worst breach of the month was reported by Eskenazi Health. The PHI of more than 1.5 million patients was exposed and patient data is known to have been stolen in the attack. A major ransomware attack was also reported by Sea Mar Community Health Centers. Its systems were first compromised in December 2020, the ransomware attack was identified in March 2021, and Sea Mar was notified about the posting of patient data on a darknet marketplace in June. It took until late October to issue notifications to affected individuals.

Hackers often gain access to healthcare networks through phishing attacks, and phishing remains the leading attack vector in ransomware attacks. Large quantities of sensitive data are often stored in email accounts and can easily be stolen if employees respond to phishing emails. A phishing attack on UMass Memorial Health Care resulted in the exposure of the PHI of 209,048 individuals, and a phishing attack on a vendor used by the Professional Dental Alliance exposed the PHI of more than 174,000 individuals.

Causes of October 2021 Healthcare Data Breaches

Data breaches classified as hacking/IT incidents, which include ransomware attacks, were the main cause of data breaches in October. 57.63% of all breaches reported in the month were classified as hacking/IT incidents and they accounted for 94.14% of all breached records (3,378,842 records). The average size of the data breaches was 99,378 records and the median breach size was 5,212 records.

Causes of October 2021 healthcare data breaches

22 breaches were classified as unauthorized access/disclosure incidents and involved the PHI of 200,887 individuals. Those breaches include the phishing attack that affected the Professional Dental Alliance. The average breach size was 9,131 records and the median breach size was 4,484 records.

There were 4 breaches reported that involved the loss or theft of physical PHI or electronic devices containing PHI, 3 of which were theft incidents and 1 was a lost laptop computer. The PHI of 9,403 individuals was exposed as a result of those incidents. The average breach size was 2,351 records and the mean breach size was 1,535 records.

Location of breached protected health information -October 2021

Healthcare Data Breaches by HIPAA-Regulated Entity Type

Healthcare providers were the worst affected covered entity type with 43 reported breaches. 8 data breaches were reported by business associates of HIPAA-covered entities and 8 were reported by health plans. Many data breaches occur at business associates of HIPAA-covered entities but are reported by the affected covered entity. The pie chart below shows the breakdown of breaches based on where they occurred.

October 2021 healthcare data breaches by HIPAA-regulated entity type

Healthcare Data Breaches by State

Healthcare data breaches were reported by HIPAA-regulated entities in 26 states. Pennsylvania was the worst affected state with 12 reported breaches, although 11 of those breaches were the same incident – the phishing attack on the Professional Dental Alliance vendor that was reported separately by each affected HIPAA-covered entity.

State No. Breaches
Pennsylvania 12
California 5
Illinois, Indiana, & Texas 4
New York & Washington 3
Connecticut, Florida, Massachusetts, New Jersey, North Carolina & Tennessee 2
Alabama, Arkansas, Kansas, Kentucky, Minnesota, Mississippi, Nebraska, Ohio, South Carolina, Utah, Virginia, & West Virginia 1

HIPAA Enforcement Activity in October 2021

There was only one HIPAA enforcement action announced in October. The New Jersey Attorney General agreed to settle an investigation into a data breach reported by Diamond Institute for Infertility and Menopause that resulted in the exposure of the PHI of 14,663 New Jersey residents.

The New Jersey Department of Law and Public Safety Division of Consumer Affairs uncovered violations of 29 provisions of the HIPAA Privacy and Security Rules, and violations of the New Jersey Consumer Fraud Act. In addition to paying $495,000 in civil monetary penalties and investigation costs, Diamond agreed to implement additional measures to improve data security.

The post October 2021 Healthcare Data Breach Report appeared first on HIPAA Journal.

New Jersey Fines Two Printing Companies $130,000 for HIPAA and CFA Violations

Posted by HIPAA Journal

The New Jersey Attorney General and has fined two printing firms $130,000 over alleged violations of the Health Insurance Portability and Accountability Act (HIPAA) and the New Jersey Consumer Fraud Act (CFA) which contributed to a breach of the protected health information (PHI) of 55,715 New Jersey residents.

Command Marketing Innovations, LLC (CMI) and Strategic Content Imaging, LLC (SCI) provided services to a leading New Jersey-based managed healthcare organization that involved printing and mailing benefits statements. Between October 31, 2016, and November 2, 2016, a printing error resulted in PHI such as claims numbers, dates of service, provider names, facility names, and descriptions of services being mailed to incorrect recipients.

When printing firms or other vendors provide services to HIPAA-covered entities that require access to PHI, they are required to enter into a business associate agreement with the covered entity and must comply with the requirements of the HIPAA Security Rule. The responsibilities of HIPAA business associates include implementing safeguards to ensure the confidentiality, integrity, and availability of any PHI they are provided with.

The New Jersey Division of Consumer Affairs (DCA) launched an investigation into the printing firms and determined printing processes were changed in 2016 which resulted in an error being introduced that saw the final page of one member’s statement being added to the first page of another member’s statement. Procedures should have been implemented to check the benefits statements prior to mailing.

The DCA determined impermissible disclosure of PHI was in violation of HIPAA and the CFA. Specifically, the companies violated HIPAA by failing to ensure the confidentiality of PHI, failing to protect against a reasonably anticipated unauthorized disclosure of PHI, and failing to review and modify security measures to ensure reasonable and appropriate protections were in place to ensure the confidentiality of PHI.

The printing firms disputed the findings of the DCA investigation but agreed to a consent order which requires them to change their business practices and implement new safeguards to protect sensitive data.

The consent order requires a comprehensive security information program to be implemented and the use of an event management tool to identify and track potential vulnerabilities and threats to the confidentiality of PHI. Each company is required to appoint an employee as Chief Information Security Officer. That individual must have sufficient expertise in information security to implement, maintain, and monitor the information security program.

An employee with expertise in HIPAA compliance must be appointed as Chief Privacy Officer, a security awareness and anti-phishing training program must be implemented for the workforce, and policies and procedures must be put in place that require approval to be obtained from clients that store or transmit PHI prior to making material changes to printing processes. $65,000 of the penalty amount will be suspended and will not have to be paid if the companies comply with the terms of the consent order.

“Companies that handle sensitive personal and health information have a duty to protect patient privacy,” said Acting Attorney General Bruck. “Inadequate protective measures are unacceptable, and we will hold companies accountable if they bypass our laws, cut corners, and put privacy and security at risk.”

This is the second financial penalty for violations of HIPAA and the CFA to be announced by New Jersey in as many months. In October, Diamond Institute for Infertility and Menopause was fined $495,000 to resolve HIPAA and CFA violations that led to a breach of the PHI of 14,663 New Jersey residents.

The post New Jersey Fines Two Printing Companies $130,000 for HIPAA and CFA Violations appeared first on HIPAA Journal.

OSHA and HIPAA Compliance

Posted by HIPAA Journal

In healthcare, OSHA and HIPAA compliance are both essential. There are separate standards that must be adhered to for compliance, but there are broad similarities in terms of reporting, recordkeeping, and enforcement.

The Occupational Safety and Health Act (OSH Act)

The Occupational Safety and Health Act (OSH Act) was signed into law more than 50 years ago and remains as relevant today as it was when President Nixon added his signature to the bill on December 29, 1970. The OSH Act covers the private sector and the federal government and requires employers to create and maintain a safe and healthful working environment, and ensure employees are protected from hazards in the workplace.

The OSH Act created the Occupational Safety and Health Administration (OHSA) within the Department of Labor, which is responsible for outreach, education, assistance, and is also the enforcer of compliance with the OSH Act. OHSA sets health and safety standards against which employers are measured. Those standards are published in Title 29 of the Code of Federal Regulations (29 U.S.C. §§ 651 to 678), and there are standards that apply to different industry sectors. The construction, maritime, and agriculture sectors each have their own set of standards due to the unique hazards and risks in those sectors, with separate standards set for general industry, which includes medical and dental offices.

OSHA standards have been set for a variety of health and safety areas, including fire safety, electrical safety, blood-borne pathogens, ionization radiation, hazardous materials, medical and first aid, personal protective equipment, emergency preparedness, and the general working environment.

OHSA conducts inspections of workplaces to ensure compliance and has the authority to impose financial penalties and sanctions. There is a tiered penalty structure of minimum and maximum penalties, although State Plans exist where states have control of OSHA regulations and can implement their own penalty structures.

The Health Insurance Portability and Accountability Act (HIPAA)

The Health Insurance Portability and Accountability Act (HIPAA) has been in effect for half the time of the OSH Act, with HIPAA signed into law by President Clinton on August 21, 1996. HIPAA set standards for the healthcare industry that must be followed by HIPAA-covered entities (healthcare providers, health plans, and healthcare clearinghouses) that conduct transactions involving protected health information electronically. HIPAA also applies to business associates of HIPAA-covered entities that are required to interact with protected health information.

When HIPAA was signed into law, the main aims of the legislation were to ensure individuals could retain health insurance coverage when between jobs, to introduce standards to reduce wastage in healthcare, and to help prevent healthcare fraud. Updates to the legislation over the years have seen HIPAA expanded to include standards covering the privacy and security of healthcare data and to give individuals rights over their healthcare data.

The Department of Health and Human Services is responsible for outreach, providing training materials and guidance, and enforcing HIPAA compliance, with the administrative standards regulated by the HHS’ Centers for Medicare and Medicaid Services (CMS) and the HIPAA Privacy, Security and Breach Notification Rules Regulated by the HHS’ Office for Civil Rights. State Attorneys General also play a role in HIPAA enforcement.

Each of those regulators can impose financial penalties and sanctions for non-compliance, in accordance with a tiered penalty structure based on the level of culpability.

OSHA and HIPAA Compliance

OSHA and HIPAA compliance is policed by different federal agencies and each set of regulations has different requirements for covered organizations, but there are some similarities between OSHA and HIPAA compliance.

OSHA and HIPAA compliance programs require all compliance efforts to be documented. Documentation may be requested during investigations and audits as proof of compliance. OSHA requires deaths, serious injuries, time off work due to injury or illness, medical treatment beyond first aid, restricted work and transfers to other jobs, loss of consciousness, and other issues to be recorded, and for all OHSA compliance documentation to be maintained. Employers must also update and maintain medical records for their employees. HIPAA requires all compliance efforts such as policies, procedures, and training to be recorded, along with records of any identified HIPAA violations and data breaches. HIPAA does not cover employee medical records but does cover the medical records of patients. There are minimum retention periods for documentation, although OHSA and HHS retention periods differ.

Both sets of legislation have strict reporting requirements. OHSA requires deaths and serious workplace injuries to be reported, while HIPAA requires breaches of protected health information to be reported. There are strict time frames for reporting in both the OSHA and HIPAA standards.

Ongoing OSHA and HIPAA compliance programs must be established that ensure working practices remain compliant. The failure of covered entities to ensure OSHA and HIPAA compliance can both result in substantial financial penalties. If there is an apparent violation of the HIPAA Rules or OSHA standards, individuals are permitted to file a complaint with regulators, but since there is no private cause of action in HIPAA or the OSH Act, it is not possible for individuals to sue for violations.

Federal and state regulators are responsible for investigating complaints, determining if there has been non-compliance, and deciding if financial penalties or sanctions are appropriate.

The post OSHA and HIPAA Compliance appeared first on HIPAA Journal.

OCR: Ensure Legacy Systems and Devices are Secured for HIPAA Compliance

Posted by HIPAA Journal

The Department of Health and Human Services’ Office for Civil Rights has advised HIPAA-covered entities to assess the protections that they have implemented to secure their legacy IT systems and devices.

A legacy system is any system that has one or more components that have been supplanted by newer technology and reached end-of-life. When software and devices reach end-of-life, support comes to an end, and patches are no longer issued to correct known vulnerabilities. That makes legacy systems and devices vulnerable to cyberattacks.

Healthcare organizations should be aware of the date when support will no longer be provided, and a plan should be developed to replace outdated software and devices; however, there are often valid reasons for continuing to use outdated systems and devices.

Legacy systems may work well and be well-tailored to an organization’s business model, so there may be a reluctance to upgrade to new systems that are supported. Upgrading to a newer system may require time, funds, and human resources that are not available, or it may not be possible to replace a legacy system without disrupting critical services, compromising data integrity, or preventing ePHI from being available.

HIPAA-covered entities should ensure that all software, systems, and devices are kept fully patched and up to date, but in healthcare, there are often competing priorities and obligations. If the decision is made to continue using legacy systems and devices, it is essential for security to be considered and for safeguards to be implemented to ensure those systems and devices cannot be hacked. That is especially important if legacy systems and devices can be used to access, store, create, maintain, receive, or transmit electronic protected health information (ePHI).

It is not a violation of the HIPAA Rules to continue using software and devices that have reached the end of life, provided compensating controls are implemented to ensure ePHI is protected. “Despite their common use, the unique security considerations applicable to legacy systems in an organization’s IT environment are often overlooked,” said OCR in its cybersecurity newsletter, which would violate the HIPAA Rules.

In healthcare, there may be many legacy systems and devices in use that need to be protected. Healthcare organizations need to have full visibility into the legacy systems that reside in their organization, as if the IT department is unaware that legacy systems are in use, compensating controls will not be implemented to ensure they are appropriately protected.

It is vital for a comprehensive inventory to be created that includes all legacy systems and devices and for a security risk assessment to be performed on each system and device. “The HIPAA Security Rule requires covered entities and their business associates to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI throughout their environment, including ePHI used by legacy systems,” explained OCR in its recent cybersecurity newsletter.

Risks must be identified, prioritized, and mitigated to reduce them to a low and acceptable level. Mitigations include upgrading to a supported version or system, contracting with a vendor to provide extended support, migrating the system to a supported cloud-based solution, or segregating the system from the network.

If HIPAA-covered entities choose to continue maintaining a legacy system existing security controls should be strengthened or compensating controls should be implemented. OCR says consideration should be given to the burdens of maintenance, as they may outweigh the benefits of continuing to use the legacy system and plans should be made for the eventual removal and replacement of the legacy system.

In the meantime, OCR suggests the following controls for improving security:

  • Enhance system activity reviews and audit logging to detect unauthorized activity, with special attention paid to security configurations, authentication events, and access to ePHI.
  • Restrict access to the legacy system to a reduced number of users.
  • Strengthen authentication requirements and access controls.
  • Restrict the legacy system from performing functions or operations that are not strictly necessary
  • Ensure backups of the legacy system are performed, especially if strengthened or compensating controls impact prior backup solutions.
  • Develop contingency plans that contemplate a higher likelihood of failure.
  • Implement aggressive firewall rules.
  • Implement supported anti-malware solutions.

The post OCR: Ensure Legacy Systems and Devices are Secured for HIPAA Compliance appeared first on HIPAA Journal.