HIPAA Compliance News

Lisa J. Pino Named New Director of HHS’ Office for Civil Rights

OCR Director, Lisa J. Pino

Lisa J. Pino has been named Director of the Department of Health and Human Services’ Office for Civil Rights (OCR) and replaces Robinsue Frohboese, who has served as acting OCR Director since President Trump-appointed Roger Severino resigned from the post in mid-January.

OCR is the main enforcer of compliance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification Rules, the Patient Safety and Quality Improvement Act, and Patient Safety Rule, as well as as well as enforcing federal civil rights, conscience and religious freedom laws.

Pino is from New York City, a fluent Spanish speaker, and the first-generation daughter of immigrant parents. She completed a B.A., M.A., and J.D. at Arizona State University with honors, and Harvard Kennedy School leadership program as a National Hispana Leadership Institute Fellow.

Pino has served as legal aid attorney in the Southwest, fighting to protect the rights of migrant farm workers. Her civil rights activities carried on while working for the United States Department of Agriculture (USDA) where she served as USDA Deputy Administrator of the Supplemental Nutrition Assistance Program (SNAP) and USDA Deputy Assistant Secretary for Civil Rights.

While at the USDA, Pino drafted and championed USDA’s first gender identity anti-discrimination program regulation along with its first USDA limited English proficiency guidance. Pino played a key role in ensuring minority farmers had access to benefits awarded through class action settlements through her direction of USDA’s outreach and engagement activities.

Pino is a former senior executive service who was also appointed by President Barack Obama and served at the U.S. Department of Homeland Security (DHS) as Senior Counselor. There she played a key role in the mitigation of the largest federal data breach in history, the 2015 hacking of the data of 4 million federal personnel and 22 million surrogate profiles, by renegotiating 700 vendor procurements and establishing new cybersecurity regulatory protections.

Most recently, Pino served as Executive Deputy Commissioner of the New York State Department of Health, the agency’s second-highest executive position. During her time in the role, Pino spearheaded the state’s operational response to the COVID-19 pandemic and programming for Medicaid, Medicare, Nutrition Program for Women, Infants, and Children (WIC), Hospital and Alternative Care Facility, Wadsworth Laboratories, Center for Environmental Health, Center for Community Health, and AIDS Institute.

“Lisa is an exceptional public servant, and I am delighted to welcome her to the role of the Director of the Office for Civil Rights at HHS,” said HHS Secretary Xavier Becerra. “Her breadth of experience and management expertise, particularly her hand in advancing civil rights regulations and policy at the U.S. Department of Agriculture (USDA) during the Obama-Biden Administration, will help ensure that we protect the rights of every person across the country as we work to build a healthier America.”

The post Lisa J. Pino Named New Director of HHS’ Office for Civil Rights appeared first on HIPAA Journal.

OCR Announces 20th Financial Penalty Under HIPAA Right of Access Enforcement Initiative

The Department of Health and Human Services’ Office for Civil Rights (OCR) has imposed its 20th financial penalty under the HIPAA Right of Access enforcement initiative that was launched in late 2019.

Children’s Hospital & Medical Center (CHMC), a pediatric care provider in Omaha, Nebraska, has been ordered to pay a penalty of $80,000 to resolve the alleged HIPAA Right of Access violation, is required to adopt a corrective action plan to address the noncompliance discovered by OCR, and will be monitored for compliance by OCR for a period of one year.

The Privacy Rule of the Health Insurance Portability and Accountability Act gave individuals the right to obtain a copy of their protected health information held by a HIPAA covered entity, and for parents and legal guardians to obtain a copy of the medical records of their minor children. HIPAA covered entities must provide the requested records within 30 days and are only permitted to charge a reasonable cost-based fee for providing copies. In certain circumstances, covered entities can apply for a 30-day extension, making the maximum time for providing records 60 days from the date the written request for access is received.

When individuals feel their HIPAA rights have been violated, they cannot take legal action against a HIPAA-covered entity for a HIPAA violation, but they can file a complaint with OCR. In this case, OCR received a complaint from a parent who alleged CHMC had not provided her with timely access to her minor daughter’s medical records.

CHMC received the parent’s request and provided some of her with some of her daughter’s medical records but did not provide all the requested information. The parent also made several follow-up requests to CHMC. OCR investigated and confirmed the parent requested a copy of her late daughter’s medical records in writing on January 3, 2020. Some of the requested records were provided; however, the remainder of the records needed to be obtained from a different CHMC division. Some of the remaining records were provided on June 20, 2020, with the rest provided on July 16, 2020. OCR determined this was in violation of the HIPAA Right of Access – 45 C.F.R. § 164.524(b).

In addition to the financial penalty, CHMC must review and update its policies and procedures related to the HIPAA Right of Access, provide the policies to OCR for assessment, and distribute the approved policies to the workforce and ensure training is provided.

“Generally, HIPAA requires covered entities to give parents timely access to their minor children’s medical records, when the parent is the child’s personal representative,” said Acting OCR Director Robinsue Frohboese. “OCR’s Right of Access Initiative supports patients’ and personal representatives’ fundamental right to their health information and underscores the importance of all covered entities’ compliance with this essential right.”

The post OCR Announces 20th Financial Penalty Under HIPAA Right of Access Enforcement Initiative appeared first on HIPAA Journal.

California DOJ Must Be Notified About Breaches of the Health Data of 500 or More California Residents

The Breach Notification Rule of the Health Insurance Portability and Accountability Act (HIPAA) requires covered entities and business associates to sent notifications to the HHS’ Office for Civil Rights (OCR) about data breaches, but healthcare organizations are also required to comply with state data breach notification laws.

Many states have introduced their own data privacy laws, which typically require notifications to be sent to appropriate state Attorneys General if a data breach exceeds a certain threshold. States have the authority to bring civil actions against healthcare organizations that fail to issue breach notifications under both HIPAA and state laws. In California, the threshold for reporting breaches is in line with HIPAA. If a data breach is experienced that impacts 500 or more California residents, the California Department of Justice (DOJ) must be notified.

Recently, there have been several instances where the California DOJ has not been notified about ransomware attacks on California healthcare facilities, even though the personal and protected health information of California residents has likely been compromised in the attack.

California Attorney General Rob Bonta has recently issued a bulletin reminding all entities that house the confidential health-related information of California residents of their data breach reporting responsibilities under California law (Civil Code section 1798.82). Whenever there has been a breach of the health data of 500 or more California residents, a breach report must be submitted to the Office of the Attorney General. The California DOJ then publishes the breach notice on its website to ensure the public is made aware of the breach to allow victims to take appropriate action to protect themselves against identity theft and fraud. Individual notifications must also be issued to affected individuals.

“Timely breach notification helps affected consumers mitigate the potential losses that could result from the fraudulent use of their personal information obtained from a breach of health data,” said Attorney General Bonta. “Therefore, it is important for providers of healthcare to be proactive and vigilant about reducing their risk for ransomware attacks and to meet their health data breach notification obligations to protect the public.”

In the bulletin, Attorney General Bonta also urged healthcare organizations to take proactive steps to protect patient data against ransomware attacks.

“State and federal health data privacy frameworks, like the Confidentiality of Medical Information Act (CMIA) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA), obligate healthcare entities and organizations that deal in health data to establish appropriate procedures to ensure the confidentiality of health-related information, including security measures that can help prevent the introduction of malware, including ransomware, to protect consumers’ healthcare-related information from unauthorized use and disclosure,” explained AG Bonta.

Healthcare organizations are encouraged to take the following proactive steps:

  • Keep operating systems and software housing health data current
  • Apply security patches promptly
  • Install and maintain antivirus software
  • Provide regular data security training to employees, including education about phishing attacks
  • Restrict users from downloading, installing, and running unapproved software
  • Maintain and regularly test the data backup and recovery plan for all critical information 

The post California DOJ Must Be Notified About Breaches of the Health Data of 500 or More California Residents appeared first on HIPAA Journal.

July 2021 Healthcare Data Breach Report

High numbers of healthcare data breaches continued to be reported by HIPAA-covered entities and their business associates. In July, there were 70 reported data breaches of 500 or more records, making it the fifth consecutive month where data breaches have been reported at a rate of 2 or more per day.

Healthcare data Breaches Past 12 months (Aug 20-July21)

The number of breaches was slightly lower than June, but the number of records exposed or compromised in those breaches jumped sharply, increasing by 331.5% month-over-month to 5,570,662 records.

Healthcare records breached Aug20 to July 21

Over the past 12 months, from the start of August 2020 to the end of July 2021, there have been 706 reported healthcare data breaches of 500 or more records and the healthcare data of 44,369,781 individuals has been exposed or compromised. That’s an average of 58.8 data breaches and around 3.70 million records per month!

Largest Healthcare Data Breaches in July 2021

Two healthcare data breaches stand out due to the sheer number of healthcare records that were exposed – and potentially stolen. The largest healthcare data breach to be reported in July was a hacking/IT incident reported by the Wisconsin healthcare provider Forefront Dermatology. The exact nature of the attack was not disclosed so it is unclear if ransomware was used. Hackers gained access to parts of its network that contained the protected health information of 2.4 million individuals. The second largest data breach was reported by Practicefirst, a New York business associate of multiple HIPAA-covered entities. Ransomware was used in the attack and the healthcare data of 1.2 million individuals was potentially exfiltrated.

Name of Covered Entity Covered Entity Type Individuals Affected Type of Breach Breach Cause Business Associate Present
Forefront Dermatology, S.C. Healthcare Provider 2,413,553 Hacking/IT Incident Unspecified hacking incident Yes
Professional Business Systems, Inc., d/b/a Practicefirst Medical Management Solutions/PBS Medcode Corp Business Associate 1,210,688 Hacking/IT Incident Ransomware attack Yes
UF Health Central Florida Healthcare Provider 700,981 Hacking/IT Incident Ransomware attack No
Orlando Family Physicians, LLC Healthcare Provider 447,426 Hacking/IT Incident Phishing attack No
HealthReach Community Health Centers Healthcare Provider 122,340 Improper Disposal Improper disposal of electronic medical records No
Guidehouse Business Associate 84,220 Hacking/IT Incident Ransomware attack (Accellion FTA) Yes
Advocate Aurora Health Healthcare Provider 68,707 Hacking/IT Incident Ransomware attack (Elekta) Yes
McLaren Health Care Corporation Healthcare Provider 64,600 Hacking/IT Incident Ransomware attack (Elekta) Yes
Coastal Family Health Center, Inc Healthcare Provider 62,342 Hacking/IT Incident Ransomware attack No
Florida Heart Associates Healthcare Provider 45,148 Hacking/IT Incident Ransomware attack No
A2Z Diagnostics, LLC Healthcare Provider 35,587 Hacking/IT Incident Phishing attack No
University of Maryland, Baltimore Business Associate 30,468 Hacking/IT Incident Unspecified hacking incident Yes
Florida Blue Health Plan 30,063 Hacking/IT Incident Brute force attack (Member portal) No
Intermountain Healthcare Healthcare Provider 28,628 Hacking/IT Incident Ransomware attack (Elekta) Yes

Causes of July 2021 Healthcare Data Breaches

As the table above shows, ransomware continues to be extensively used in cyberattacks on healthcare organizations and their business associates. Those attacks can easily result in the theft of large amounts of healthcare data. The majority of ransomware gangs (and their RaaS affiliates) are now exfiltrating sensitive data prior to using ransomware to encrypt files. Victims are required to pay to prevent the publication or sale of the stolen data as well as a payment to obtain the keys to decrypt files.

To help combat this rise in double extortion ransomware attacks, new guidance has been released by the Cybersecurity and Infrastructure Security Agency. The National Institute of Standards and Technology (NIST) has also updated its cybersecurity guidance on building resilient computer networks, with the emphasis now shifting away from perimeter defenses to assuming attackers have already gained access to the network. Mechanisms therefore need to be implemented to reduce the harm that can be caused.

Causes of July 2021 Healthcare Data Breaches

Hacking/IT incidents, of which ransomware accounts for a many, dominate the month’s breach reports. There were 52 reported hacking/IT incidents in which the protected health information of 5,393,331 individuals was potentially compromised. That’s 96.82% of all records breached in July. The mean breach size was 103,718 records and the median breach size was 4,185 records.

There were 13 reported unauthorized access/disclosure incidents, which include misdirected emails, mailing errors, and snooping by healthcare employees. 52,676 healthcare records were impermissibly viewed or disclosed to unauthorized individuals across those incidents. The mean breach size was 4,052 records and the median breach size was 1,038 records. There were two theft incidents reported involving a total of 2,275 records and one improper disposal incident involving 122,340 electronic health records.

The vast majority of incidents involved the hacking of network servers; however, email accounts continue to be compromised at high rates. 21 breaches involved protected health information stored in email accounts. The majority of the email incidents involved the theft of employee credentials in phishing attacks.

Location of breached protected health information (July 2021)

Data Breaches by Covered Entity Type

Healthcare providers reported 47 data breaches in July, with 11 breaches reported by business associates and 10 breaches reported by health plans; however, the reporting entity is not the best gauge of where these breaches occurred. In many cases, the breach was experienced at a business associate, but was reported by the covered entity.

When this is taken into account, the figures show that healthcare provider and business associate data breaches are on a par, with 30 breaches each for July 2021, as shown in the pie chart below.

July 2021 healthcare data breaches by covered entity type

July 2021 Healthcare Data Breaches by State

July saw healthcare data breaches reported by HIPAA-covered entities and business associates based in 32 states and the District of Columbia.

State Number of Reported Healthcare Data Breaches
Florida 6
California, New York & Texas 5
Illinois & North Carolina 4
Connecticut, Minnesota, Nebraska & New Jersey 3
Mississippi, Oklahoma, Washington & Wisconsin 2
Alabama, Georgia, Iowa, Indiana, Kansas, Kentucky, Maine, Maryland, Massachusetts, Michigan, Missouri, Montana, Ohio, Pennsylvania, South Carolina, Utah, Virginia, West Virginia & the District of Columbia 1

HIPAA Enforcement Activity in July 2021

The HHS’ Office for Civil Rights (OCR), the primary enforcer of HIPAA compliance, did not announce any new enforcement actions against HIPAA-covered entities or business associates in July, nor were there any enforcement actions announced by state Attorneys General.

The OCR year-to-date total still stands at 8 financial penalties totaling $5,570,100, with just the one financial penalty imposed by state attorneys general – A multi-state action that saw American Medical Collection Agency (AMCA) fined $21 million.

Data for this report came from the HHS’ Office for Civil Rights breach portal.

The post July 2021 Healthcare Data Breach Report appeared first on HIPAA Journal.

Future of HIPAA: Reflections at the 25th Anniversary of HIPAA

The Health Insurance Portability and Accountability Act is now 25 years old. How effective has this healthcare law been and what is the future of HIPAA?

It is now exactly 25 years to the day since the Health Insurance Portability and Accountability Act (HIPAA) was signed into law by President Clinton. On August 21, 1996, when President Clinton added his signature to the legislation, few people would have realized how HIPAA would evolve and grow into the comprehensive national health privacy law that it is today.

It is difficult to argue that HIPAA has not been an overall success, but the legislation has attracted a fair amount of criticism over the years, especially initially due to the considerable administrative burden it placed on healthcare organizations. On balance, the improvements to healthcare that have come from compliance with HIPAA more than outweigh the negatives.

The biggest successes are the improvements to patient privacy and data security, the rights given to patients with respect to their healthcare data, greater efficiency in the healthcare system, and changes that have helped to reduce waste and healthcare fraud. The improvements have generally been made for relatively little cost.

HIPAA certainly has its strengths, but there are also limitations that have become increasingly apparent in recent years and even now, 25 years after the legislation was first introduced, there is still confusion about what compliance entails.

In this article we will explore the strengths and limitations of HIPAA, assess how effective HIPAA has been, and will explore the future of HIPAA and what can be expected in terms of updates to the legislation. First, however, it is useful to provide a brief recap of the history of HIPAA and how the legislation has evolved over the years.

A Brief History of HIPAA

HIPAA was initially introduced to improve the portability of health insurance coverage for employees between jobs, to combat waste, fraud and abuse in health insurance and healthcare delivery, to promote the use of medical savings accounts by introducing tax breaks, and to simplify the administration of health insurance. The legislation was later augmented with new Rules covering the privacy and security of healthcare data.

Initially, HIPAA only applied to a limited number of entities in the healthcare industry – healthcare providers, health plans, and healthcare clearinghouses, and only those that transmit healthcare data in electronic form for certain transactions for which the HHS maintains standards. The Health Information Technology for Economic and Clinical Health (HITECH) Act expanded the scope of HIPAA to cover business associates of HIPAA covered entities – third-party firms that require access to protected health information (PHI) to provide services or products to covered entities.

Important updates to HIPAA are detailed below:

  • HIPAA Signed into Law by President Bill Clinton – August 1996
  • Effective Date of the HIPAA Privacy Rule – April 2003
  • Effective Date of the HIPAA Security Rule – April 2005
  • Effective Date of the HIPAA Enforcement Rule – March 2006
  • Effective date of HITECH and the Breach Notification Rule – September 2009
  • Effective Date of the Final Omnibus Rule – March 2013

HIPAA’s Strengths and Weaknesses

There are many positives that have come from HIPAA, the best known of which are improving privacy protections for patients and improving the security of healthcare data. HIPAA limits the uses and disclosures of patient data to those related to treatment, payment, or healthcare operations and all covered entities and business associates must implement appropriate administrative, physical, and technical safeguards to ensure patient data are appropriately protected from internal and external threats.

Importantly, HIPAA gave individuals new rights with respect to their healthcare data. Prior to the introduction of the HIPAA Privacy Rule, patients were not even permitted to see their medical files. HIPAA gave individuals the right to obtain and inspect a copy of their healthcare data and request errors be corrected. HIPAA made sure patients are informed about how their healthcare data will be used and disclosed, gave patients the right to further limit disclosures of their health data, and also allowed them to view an “accounting of disclosures” to see who has been provided with their healthcare data.

HIPAA has improved the portability of health insurance for employees between jobs and has helped to prevent discrimination against people with pre-existing conditions when receiving health insurance coverage. Efficiency in healthcare has been improved by standardizing transactions through the use of standard code sets and has helped to significantly reduce waste and fraud in healthcare.

However, it has not all been plain sailing. One of the initial requirements of HIPAA was to create a national patient identifier system, but 25 years on and that requirement has still failed to be implemented. Without a national patient identifier system, it can be difficult identifying patients which can result in medical record mismatching. One ONC study in 2014 suggested between 50% and 60% of records are mismatched when shared between different healthcare providers.

Another weakness of HIPAA is its coverage of healthcare data, which is limited to healthcare data collected, held, processed, stored, or transmitted by HIPAA-covered entities and business associates. If a non-HIPAA-covered entity or non-business associate collects the exact same data, HIPAA protections do not apply.

The HIPAA Rules are not clear in places due to the flexibility built into the legislation, so there is potential for misinterpretation of the requirements and there is still confusion among some HIPAA covered entities and business associates when it comes to compliance.

One criticism often made by patients is the lack of a private cause of action. It is not possible to sue for a HIPAA violation, even if the HIPAA Rules have clearly been violated and harm has been suffered. Legal action can only be taken under state laws.

Has HIPAA Been Effective?

In the early years following the introduction of the HIPAA Privacy and Security Rules, questions were asked about how effective the legislation has been. HIPAA certainly looked good on paper but was less effective in practice and noncompliance was widespread. Even the introduction of the HIPAA Enforcement Rule in 2006, which gave the HHS’ Office for Civil Rights the authority to impose financial penalties and sanctions for noncompliance, failed to have a major effect at spurring covered entities into compliance. Enforcement was also very slow at first. It took until 2008 for the first enforcement action to result in a financial penalty, then there was only one financial penalty in 2009 and just two in 2010.

The first phase of HIPAA compliance audits conducted in 2011/2012 highlighted just how many covered entities had ineffective HIPAA compliance programs. The audits uncovered many violations of both the HIPAA Privacy and Security Rules. Even those violations, some of which were serious, did not result in any financial penalties. Some of the fiercest criticism of HIPAA in the early years was it was all bark and no bite.

The introduction of the HITECH Act was a major turning point in the history of HIPAA. Prior to the HITECH Act, business associates were not covered to a large extent by HIPAA, even though they were frequently provided with PHI. The HITECH Act made the HIPAA Rules directly applicable to business associates, which could then be fined directly if they did not also comply with the HIPAA Rules. Business associates include a huge range of third-party companies such as accountants, attorneys, billing companies, collection agencies, consultants, data analysts, and IT firms, so the HITECH Act, and subsequent Omnibus Rule, addressed that major gap.

The introduction of the HITECH Act also saw the penalties for noncompliance significantly increased and OCR also increased its HIPAA enforcement activities. With major fines issued for HIPAA violations, HIPAA compliance became a major focus for HIPAA-covered entities and business associates.

Enforcement of compliance has been critical to the success of HIPAA and while there are still many cases each year of noncompliance, on the whole the requirements of HIPAA have been largely implemented and the benefits of HIPAA are being realized.

Issues with Patient Access to PHI

Since the 2000 HIPAA Privacy Rule was introduced, patients have been given the right to obtain a copy of their own healthcare data, or to have that data sent to their nominated representative. The HITECH Act updated that right and helped individuals obtain a copy of their health data in electronic form, due to the increasing use of electronic health record systems.

While healthcare organizations have implemented policies that allow patients to exercise their access rights, many patients have experienced problems obtaining a copy of their healthcare data. They have either been refused access, requests have been delayed, and patients have been charged excessive fees for exercising their access rights – HIPAA only permits covered entities to charge a reasonable, cost-based fee for providing records.

One of the requirements of the 21st Century Cures Act, introduced in 2016, was to call on the Government Accountability Office to report on the barriers to patient medical record access and following assessments the HHS’ Office for Civil Rights launched a new HIPAA enforcement initiative targeting violations of the HIPAA Right of Access of the HIPAA Privacy Rule in the fall of 2019. That enforcement initiative is still active and, up until the end of July 2021, OCR has imposed 19 financial penalties on healthcare providers found to have been in violation of the HIPAA Right of Access.

Prior to the OCR enforcement initiative, only one financial penalty had been imposed for violations of this important right and that was the $4,300,000 financial penalty imposed on Cignet Health of Prince George’s County in 2011 for denying 741 patients access to their medical records.

HIPAA has Improved Healthcare Data Security

Prior to the introduction of the HIPAA Security Rule, healthcare organizations only had to comply with state laws covering data security. The Security Rule set new minimum standards for data security to ensure the confidentiality, integrity, and availability of electronic PHI. The Security Rule requires risk analyses to be conducted and risks reduced to a reasonable and acceptable level. Access controls are required to prevent unauthorized access to healthcare data, logs must be maintained and checked to identify unauthorized access, backups of data must be made, measures must be implemented to protect against reasonably anticipated, impermissible uses or disclosures, and staff must be provided with security awareness training.

Data security has improved, but data breaches are now occurring at records levels. For the past 5 months, data breaches have been reported by healthcare organizations and business associates at a rate of over 2 per day, but without the Security Rule requirements, far more breaches would be likely to occur.

The HIPAA Security Rule does have weaknesses. To remain relevant the HIPAA Security Rule had to be technology agnostic, so specific measures for security are generally not stipulated. It is left to the discretion of each entity to determine what constitutes “reasonable” protections. If the Security Rule was more specific with regard to required security protections, many more data breaches could be prevented.

The Security Rule also only applies to HIPAA covered entities and business associates, not to any other entity. It therefore has limited reach, and does not cover health data collected by health apps, or the huge volumes of data collected and sold by data brokers. There is therefore considerable scope for improvement to better protect all health data.

The HIPAA Security Rule also calls for security awareness training for staff but does not stipulate how frequently it should be provided. With the threat landscape constantly changing, regular training must be provided to the workforce to ensure employees are kept aware of the latest threats and are taught how to avoid them. Many covered entities and business associates are compliant with this requirement yet fail to provide training regularly enough to prevent cyberattacks and the associated privacy violations.

How Has HIPAA Fared with Changing Technology?

No legislative act will be able to maintain pace with the pace at which technology has evolved, especially one covering the healthcare industry. This is why HIPAA provided a framework rather than specifics and incorporated flexibility to accommodate for changes to healthcare technology and evolving privacy and security best practices.

Updates have been made over the years which have amended HIPAA to maintain relevance, such as the 2008 Genetic Information Non-discrimination Act (GINA) which restricts the use of individuals’ genetic data by health insurers and employers and the American Recovery and Reinvestment Act, of which the HITECH Act was part, which strengthened HIPAA in relation to the adoption of EHRs.

However, many new technologies have emerged over the years that are not covered by HIPAA. Personal electronic devices are extensively used which can collect huge amounts of personal and health data, such as fitness trackers and other wearable devices and smartphones have made it much easier for individuals to obtain, use, and share healthcare data.

Many of these devices collect data that would fall under the category of PHI if created or collected by a HIPAA-covered entity but are not within the scope of HIPAA, even though the same data are often collected by those devices. The extent to which these devices are now being used, and the sheer volume of digital health and wellness data being generated outside the healthcare system by individuals, is a growing cause of concern. Without the protections of HIPAA, healthcare data may not be properly protected and could be shared extensively or sold on with ease.

The HIPAA Privacy Rule does not adequately cover the collection of healthcare data, as it only covers uses and disclosures by certain entities. It does not apply to health data itself, and this could be argued is one of the biggest failures of HIPAA. The same is true of the HIPAA Security Rule, which also has a restrictive scope and only calls for administrative, physical, and technical safeguards for the healthcare data held, received, or transmitted by HIPAA-covered entities and their business associates.

Healthcare data is extremely valuable, and not only to bad actors such as cybercriminals. Cybercriminals can use healthcare data for fraud and identity theft, but it also has tremendous value to a wide range of businesses. Healthcare and wellness data can be used by insurers to gauge risk – which can affect insurance premiums. Employers can use health data to make decisions about potential new hires, and all manner of other businesses can use the data to make decisions about individuals that could have significant consequences for the data subjects.

The question about whether HIPAA should be updated to cover all healthcare data has yet to be fully answered. Many attempts have been made to introduce legislation to cover all healthcare data, but each has failed to make it through the Senate.

The scope of HIPAA could be expanded to include individually identifiable health information collected, used, transmitted, or maintained by non-HIPAA covered entities and non-business associates. Alternatively, new separate legislation is required to cover healthcare data not currently regulated by HIPAA. The solution could well be to leave HIPAA as it is and to instead introduce a national privacy law akin to the EU’s General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA).

HIPAA Training and Education Need to Improve

HIPAA is not perfect and there are still significant gaps in the legislation, something that the coronavirus pandemic has highlighted. HIPAA doesn’t extend to the army of contact tracers and the data they collect, nor does it adequately cover exposure notification apps and may disclosures of COVID-19 related data. This is an area, like personal health apps, that needs to be addressed as there is considerable potential for privacy violations.

Vaccination programs have highlighted several areas where education needs to be improved. There have been many cases of HIPAA being cited as a reason not to disclose or share vaccination data, when HIPAA does not place restrictions on disclosures of vaccination information by individuals to employers or others.

Training remains a key issue with HIPAA and is often a much bigger weakness than technology or the HIPAA text itself. It is often uninformed people, and not healthcare technology and privacy and security controls, that are the reason for security breaches and privacy violations. While updates to HIPAA are needed, improvements need to be made to training programs to ensure all individuals with access to PHI or systems containing PHI are aware of their responsibilities and are trained how to be HIPAA-compliant employees.

Training needs to be appropriate to the role of each individual and training needs to be reinforced. Regular training sessions need to be provided to the workforce to make sure that the requirements of HIPAA are fully understood and are not forgotten over time. At many covered entities and business associates, employee training on HIPAA is not provided frequently enough.

Proposed Updates to the HIPAA Privacy Rule

Ahead of the 25-year anniversary of the HIPAA Privacy Rule, a significant update was proposed by the HHS. The proposed update published by the HHS in 2020 is intended to address several aspects of the Privacy Rule that are hampering care coordination and adding an unnecessary administrative burden on healthcare providers.

One of the main reasons for the update, according to then HHS Secretary Alex Azar, was to “break down barriers that have stood in the way of common sense care coordination and value-based arrangements for far too long.” The proposed update will improve care coordination and case management for patients, allow families and caregivers to become more involved in the provision of care to individuals, improve patients’ access to their health data, and will introduce new flexibilities covering disclosures of PHI in emergency and threatening situations, while also reducing the administrative burden on healthcare organizations. These updates have been long overdue but there has been criticism that the updates do not go far enough, and that some of the suggested updates are ill-advised.

One of the aspects addressed in the update will make it easier for patients to obtain a copy of their electronic healthcare data, but there are potential privacy and security risks with the change. Patients will be given the “right to direct the transmission of certain protected health information in an electronic format to a third party.” This right will help patients share their healthcare data with research organizations, but there are concerns that this change could have a negative impact on patients. Patients could request their health data be sent to anyone they choose, when the transmission of data to an entity not covered by the protections of HIPAA carries a security risk. The new right will certainly give patients much greater access and control over their personal data, but potentially it increases the risks that PHI may fall into the hands of bad actors.

The Future of HIPAA

HIPAA has been a great success, but it is far from perfect. There are still areas that require tweaking to improve usability and remove some of the administrative burden placed on HIPAA-covered entities. Proposed updates to the HIPAA Privacy Rule go some way to addressing some of the issues, but for many, the new HIPAA regulations that have been proposed do not go nearly far enough and some of the proposed changes have potential to cause privacy issues.

Overall, for legislation that is 25 years old, HIPAA has, with its various amendments, survived the test of time and is even more relevant and useful now than it was when it was first signed into law in 1996. HIPAA should be viewed as a work in progress though, and as far as the Future of HIPAA is concerned, there are likely to need to be further updates to ensure it remains relevant and effective.

Future of HIPAA FAQs

Does HIPAA cover all healthcare data?

HIPAA covers identifiable healthcare data, which is any healthcare data created, collected, transmitted, or maintained by a HIPAA-covered entity or business associate for treatment, payment for healthcare, or healthcare operations relating to the past, present, or future health status of an individual. Health data is not covered by HIPAA if it is created, stored, or transmitted by a non-HIPAA-covered entity or non-business associate.

Who does HIPAA apply to?

HIPAA applies to HIPAA-covered entities and their business associates. HIPAA-covered entities are healthcare providers, health plans, and healthcare clearinghouses that conduct electronic transactions involving PHI for which the HHS has developed standards. Business associates are vendors that provide products or services to HIPAA-covered entities that requires contact with PHI. HIPAA does not apply to other entities such as reporters, senators, individuals, and most employers.

Are there privacy risks associated with health apps?

Health apps, fitness trackers, and other wearable devices are not generally covered by HIPAA, nor are the data they collect or transmit. Without the protection of HIPAA, health app developers may use, disclose, or sell health data collected through the apps, and the security measures implemented may not meet HIPAA standards. There may be privacy and security risks associated with the use of these apps and devices.

Does HIPAA prevent disclosures of COVID-19 vaccination information?

Many people hide behind HIPAA and use the regulation as an excuse not to answer questions. One of the most notable recent examples, of which there are many, came from Marjorie Taylor Greene when asked about her vaccination status and cited HIPAA as the reason she could not disclose the information. HIPAA does not prevent such discloses. It only places restrictions on uses and disclosures by healthcare providers, health plans, healthcare clearinghouses, and business associates of those entities.

How often does HIPAA training need to be provided?

HIPAA training must be provided to all healthcare employees within a reasonable period of time after the person joins the covered entity’s workforce, as well as when functions are affected by a material change in policies or procedures and following any updates to the HIPAA Rules. HIPAA refresher training should also be provided at least annually, and no later than every two years. Annual training is the best practice.

The post Future of HIPAA: Reflections at the 25th Anniversary of HIPAA appeared first on HIPAA Journal.

Former Scripps Health Worker Charged Over HIPAA Violation in COVID-19 Unemployment Benefit Fraud Case

The Department of Justice has announced nine San Diego residents have been charged in two separate indictments in connection with the theft of patients’ protected information and the submission of fraudulent pandemic unemployment insurance claims.

Under the Coronavirus Aid, Relief, and Economic Security (CARES) Act of 2020, new unemployment benefits were offered to individuals affected by the COVID-19 pandemic, who would not, under normal circumstances, qualify for payments.

In one of the cases, Matthew Lombardo, a former Scripps Health employee, was charged with felony HIPAA violations for obtaining and disclosing the protected health information of patients to his alleged co-conspirators. Lombardo was also charged with conspiracy to commit wire fraud, along with three alleged co-conspirators – Konrad Piekos, Ryan Genetti, and Dobrila Milosavljevic. Piekos, Genetti, and Milosavljevic were also charged with aggravated identity theft and are alleged to have used the stolen information to submit fraudulent pandemic unemployment insurance claims.

The San Diego Sheriff’s’ Department had initiated a traffic stop on Konrad Piekos for driving without a license plate. When police officers approached the vehicle, they saw an assault rifle in plain sight in his vehicle. Piekos admitted possessing an unregistered assault rifle, and the subsequent vehicle search revealed several loaded firearms and ammunition. A warrant was obtained to search Piekos’ properties and police officers found several other firearms and ammunition, quantities of heroin and fentanyl, and mobile phones. After obtaining warrants to search the phones, detectives identified text messages between Piekos, Genetti, and Lombardo discussing the illicit distribution of narcotics, firearms, and a scheme to obtain unemployment benefits using other persons’ personal identifying information (PII).

Piekos and Genetti had conspired together to fraudulently obtain PUA benefits in July 2020, with Lombardo joining the scheme in August 2020. Lombardo is alleged to have used his position as a patient financial service representative to access patients’ PII, which he then distributed to Piekos, Genetti, and Milosavljevic starting on August 15,2020, according to the indictment. Scripps Health terminated Lombardo on April 14, 2021.

In a separate case, Genetti and three other defendants – Lindsay Renee Henning, Garrett Carl Tuggle, and Salvatore Compilati – were charged with conspiracy to commit wire fraud. Henning and Tuggle were also charged with aggravated identity theft, and Henning, Tuggle, and a fourth defendant, Juan Landon, were charged with possession of methamphetamine, cocaine, and heroin with intent to distribute. The defendants had submitted more than 108 separate claims for PUB benefits, totaling $1,615,000.

Lombardo faces a maximum jail term of 10 years in prison for the HIPAA violation along with a fine and penalty assessment. The conspiracy to commit wire fraud charges carry a maximum jail term of 20 years in prison with a fine and penalty assessment, and there is a mandatory minimum 2-year jail term for the aggravated identity theft charges, with the aggravated identity theft jail term consecutive to any other sentences.

“Pandemic unemployment insurance programs are a critical part of our safety net designed to support hardworking citizens who are suffering during an unprecedented economic downturn,” said Acting U.S. Attorney Randy Grossman. “Our office and our law enforcement partners will investigate and prosecute individuals who attempt to steal from these programs designed to assist deserving recipients.”

The post Former Scripps Health Worker Charged Over HIPAA Violation in COVID-19 Unemployment Benefit Fraud Case appeared first on HIPAA Journal.

Webinar Today July 8, 2021: All Your HIPAA Questions Answered

In recent years, the Department of Health and Human Services’ Office for Civil Rights has issued guidance on the Health Insurance Portability and Accountability Act (HIPAA) Rules and how they apply in certain situations. Even with this guidance, there is still considerable confusion around HIPAA and how the HIPAA Privacy, Security, and Breach Notification Rules and the Omnibus Rule HIPAA updates apply to covered entities and their business associates.

All HIPAA covered entities and business associates must ensure they are compliant with all appropriate provisions of the HIPAA Rules and there are severe penalties for noncompliance. Over the past few years, OCR has stepped up enforcement and regularly imposes financial penalties on covered entities and business associates that are discovered not to have complied with the provisions of HIPAA.

OCR investigates breaches of protected health information, and they are now being reported at record rates. In 2010, the first full year after OCR started publishing summaries of healthcare data breaches on its website, there were 199 reported healthcare data breaches of 500 or more records. In 2020, there were 642 reported breaches… a rise of 222%. The first half of 2021 has just come to an end and there have already been 327 reported breaches this year. There is now a much greater chance of HIPAA violations being discovered. HIPAA compliance has never been more important.

HIPAA Journal regularly receives questions about HIPAA compliance and how the HIPAA Rules apply in certain situations. To help clear up confusion, HIPAA Journal has partnered with Compliancy Group, a leader in the compliance space that educates healthcare providers and their business associates and helps them become and remain HIPAA compliant.

On Thursday, July 8, 2021, you will have an opportunity to have your questions about HIPAA compliance answered in an interactive webinar.

Webinar Today: Thursday July 8, 2021: All Your HIPAA Questions Answered

| 2:00 p.m. ET | 1:00 p.m. CT | 12:00 p.m. MT |11:00 a.m. PT |

“Our goal is to help eliminate any HIPAA stress or concerns you may have. Get quick responses to your questions and gain confidence in compliance today.”

Use the form below to register for the webinar.

The post Webinar Today July 8, 2021: All Your HIPAA Questions Answered appeared first on HIPAA Journal.

No Private Cause of Action Under HIPAA, but Possible Cause of Action for 14th Amendment Violation

The U.S. Court of Appeals for the Fourth Circuit has ruled that there is no private cause of action in the Health Insurance Portability and Accountability Act (HIPAA) to address improper disclosures of protected health information; however, the ruling suggests there is potentially a cause of action under the 14th amendment when an individual’s privacy is violated.

The case, Payne v. Taslimi, named Christopher N. Payne as plaintiff and Jahal Taslimi as the defendant. Payne was a Deep Meadow Correctional Center inmate and Taslimi a prison doctor. Payne took legal action against Taslimi over an alleged improper disclosure of his confidential medical information. Payne alleged Taslimi had approached his bed and stated in a voice loud enough for others to hear that the plaintiff had not taken his HIV medication. Payne alleged staff members, other inmates, and civilians had heard the doctor.

In the lawsuit, Payne claimed his medical records were confidential and his HIPAA rights had been violated at Deep Meadow Correctional Center by Taslimi, as well as his right to privacy under the 14th Amendment. The district court dismissed Payne’s claims, but the decision was appealed.

The Court of Appeals for the Fourth Circuit affirmed the decision of the district court and confirmed there was no private cause of action under HIPAA. The court also affirmed the decision of the district court to dismiss the claim of a violation of the 14th Amendment.

In the decision, the Court of Appeals said the violation of the 14th Amendment hinged on whether Payne had “a reasonable expectation of privacy” with regards to information about his HIV medications. Since Payne was a Deep Meadow Correctional Center prisoner, the court ruled that Payne lacked a reasonable expectation of privacy concerning his diagnosis and treatment plan, especially since the information was about a communicable disease.

The court ruled that the test in such cases is whether there is a compelling government interest that outweighs the plaintiff’s privacy interest. The ruling suggests there may be a cause of action under the 14th Amendment where there has been a disclosure of private medical information and no compelling government interest.

The post No Private Cause of Action Under HIPAA, but Possible Cause of Action for 14th Amendment Violation appeared first on HIPAA Journal.

Former Mayo Clinic Doctor Charged Over Improper Medical Record Access

In October 2020, Mayo Clinic announced a former employee was discovered to have impermissibly accessed the medical records of approximately 1,600 patients. According to a statement issued by the Mayo Clinic, the former employee viewed demographic information, date of birth, medical record number, clinical notes, and in some cases images. Mayo Clinic said its investigation uncovered no evidence to suggest any patient data was copied or retained. All affected patients were notified about the breach by mail.

The employee in question was Ahmad Maher Abdel-Munim Alsughayer, 28, of Saginaw, MI, who was a doctor at Mayo Clinic. Alsughayer ended his employment with Mayo Clinic in August 2020, around the time that the privacy violation was discovered.

A criminal case has now been opened by the Olmsted County Attorney’s Office. Alsughayer has been charged with gross misdemeanor unauthorized computer access and has been scheduled to appear in court on July 8, 2021. The criminal case stems from allegations that Alsughayer had abused his access rights to view medical records when there was no need to do so to fulfil his role as a doctor and hospital employee. Alsughayer’s legal team filed a motion to dismiss the lawsuit on June 1, 2021 “”on the grounds that there does not exist probable cause to believe the defendant committed the offense(s) charged therein.”

Allegations had previously been made against Alsughayer in three lawsuits, the latest of which was filed against Alsughayer and Mayo Clinic on May 29, 2021. In December 2020, a female patient, named as K.M.M in the lawsuit, contacted Rochester police after receiving a breach notification letter from Mayo Clinic.

She had learned that her medical records had been accessed by a hospital worker, which included nude images that were taken on three separate occasions. After requesting to view her medical records, the woman discovered the dates of inappropriate access coincided with the dates that the images were taken. She alleged the hospital employee referred to in the breach notification letter had accessed her medical records specifically to view her nude images.

According to the lawsuit, the doctor “was at an off-campus, private location” when her medical records were accessed and “Alsughayer did not need photographic images of plaintiff’s breasts and genitals to do his job.” A court hearing has been scheduled in August.

In addition to that lawsuit, two class action lawsuits had already been filed in Olmsted County Court in connection to the breach. Amanda Bloxton-Kippola (MI) and Chelsea Turner (MN) are named as the plaintiffs in one of those lawsuits against Alsughayer and Mayo Clinic, with the second lawsuit naming Olga Ryabchuk (MN) as the plaintiff and John Doe and Mayo Clinic as defendants. One of the lawsuits alleges medical records accessed that included nude photographs taken by Mayo Clinic as part of the healthcare services provided. Both lawsuits have been scheduled for trial next year.

The post Former Mayo Clinic Doctor Charged Over Improper Medical Record Access appeared first on HIPAA Journal.