HIPAA Compliance News

Arizona High Court Revives Privacy Lawsuit Stemming from Pharmacy ED Medication Disclosure

This week, the Arizona Supreme Court revived a HIPAA violation lawsuit filed by a Phoenix man over a privacy violation by a pharmacy employee related to an erectile dysfunction medication prescription.

Greg Shepherd, 50, had visited his doctor for a routine medical appointment in January 2016 and his doctor provided him with an erectile dysfunction medication sample. He later received a call from the Costco pharmacy and was told that the full prescription for the ED medication was available to collect. Shepherd explained that he did not want the medication and cancelled the prescription.

Shepherd called the pharmacy a month later to check whether an unrelated prescription was ready to collect, and the pharmacy again informed him that his ED prescription was still waiting to be collected. Shepherd declined the medication a second time and again told the pharmacy to cancel the prescription.

Shepherd, who had been trying to reconcile with his ex-wife, authorized her to collect an unrelated, regular prescription refill from the pharmacy. When she visited the pharmacy, the pharmacy worker provided both prescriptions to Shepherd’s ex-wife, and the pharmacy worker and his ex-wife allegedly joked about the ED medication. The ED medication was refused by his ex-wife, and when she returned to Shepherd and gave him his regular medication, she informed him that she knew about the ED medication and told him there was no chance of reconciliation. The lawsuit also alleges his ex-wife discussed the ED medication with Shepherd’s children and her friends.

Shepherd filed a complaint with Costco about the privacy violation, and Costco responded and admitted that the discussion between the pharmacy worker and Shepherd’s ex-wife about the ED medication was in violation of the HIPAA Privacy Rule and company policies and issued an apology. Shepherd then took legal action over the privacy violation, with the lawsuit citing a violation of the HIPAA Privacy Rule.

There is no private cause of action in the Federal HIPAA legislation, which means individuals do not have the right to sue for a HIPAA violation. Only the HHS’ Office for Civil Rights and state Attorneys General can take legal action against HIPAA-covered entities for violations of the Health Insurance Portability and Accountability Act Rules.

The lawsuit was dismissed by the Maricopa County Superior Court, as HIPAA does not permit private lawsuits and because state laws provide immunity for healthcare providers over privacy violations that occur when they are acting in good faith. Shepherd appealed, but the Court of Appeals affirmed the dismissal of Shepherd’s claims, aside from the claim of negligent disclosure of medical information.

While there is no private cause of action in HIPAA, Supreme Court Justice William G. Montgomery ruled that the standards of HIPAA can be used in state court to establish that privacy violations have occurred in negligence claims. Costco had sought to dismiss the lawsuit based on the lack of a private cause of action, but Montgomery said in his ruling that Shepherd’s lawsuit was not solely filed over violations of the HIPAA Privacy Rule. The lawsuit also alleged violations of regulations governing pharmacies; therefore, Superior Court Judge Aimee L. Anderson had dismissed the lawsuit in error.

Costco argued that state laws provide protection for companies acting in good faith, and that without a claim of bad faith it is not possible to show negligence. Montgomery ruled that the lawsuit did not have to include a claim of bad faith, as Shepherd was not aware that Costco would claim immunity under state law.

The case has now been returned to the lower court for further proceedings. While the case has been revived, Shepherd must provide clear and convincing evidence that the pharmacy and the pharmacy worker acted in bad faith by making the disclosure about the ED medication to his ex-wife.

Shepherd’s attorney, Joshua Carden, believes it is possible to demonstrate that this was a bad faith disclosure, as the prescription was cancelled twice by Shepherd and it can be proven that the Costco pharmacy was aware that Shepherd did not want the prescription.

The post Arizona High Court Revives Privacy Lawsuit Stemming from Pharmacy ED Medication Disclosure appeared first on HIPAA Journal.

Two Employees Fired for Impermissible PHI Disclosures to Third Parties

Humana has discovered an employee of a subcontractor of a business associate impermissibly disclosed the protected health information of approximately 65,000 of its members to a third party for training purposes.

Cotiviti was contracted by Humana to provide assistance requesting medical records and used a subcontractor to review the requested medical records. Under HIPAA, subcontractors used by business associates are also required to comply with HIPAA.

The privacy violations occurred between October 12, 2020 and December 16, 2020 and Cotiviti notified Humana about the HIPAA violation on December 22, 2020. Cotiviti has worked with Humana to ensure that safeguards are implemented to prevent similar privacy breaches in the future, and that those safeguards are put in place at any subcontractors it uses. The individual who disclosed the data is no longer employed by the subcontractor.

The types of data disclosed include members’ names, addresses, phone numbers, email addresses, dates of birth, full or partial Social Security Numbers, insurance identification numbers, provider names, dates of service, medical record numbers, treatment information, and medical images.

While the disclosures were not made for malicious purposes and further disclosures of the PHI are not believed to have occurred, Humana is offering affected individuals 2 years of complimentary credit monitoring and identity theft protection services.

UPMC St. Margaret Fires Employee for Impermissible PHI Disclosure

UPMC St. Margaret has discovered an employee impermissibly disclosed the protected health information of certain patients to a third-party organization without authorization.

In August 2020, UPMC St. Margaret discovered a medication administration report had been sent to an organization when there was no legitimate work purpose for doing so. The report contained information such as names, UPMC identification numbers, and medication administration data, including drug name, dose, time/date of administration, and the reason for providing medication.

Following the discovery of the impermissible disclosure, the employee’s access to UPMC systems was terminated, as was the individual’s employment with UPMC after the investigation was completed. Affected individuals were notified about the privacy breach on March 5, 2021. No reason was provided as to the notification delay.


March 1, 2021: Deadline for Reporting 2020 Small Healthcare Data Breaches

The deadline for reporting healthcare data breaches of fewer than 500 records that were discovered in 2020 is fast approaching. HIPAA covered entities and business associates have until March 1, 2021 to submit to the Department of Health and Human Services’ Office for Civil Rights (OCR) reports of breaches that were discovered between January 1, 2020 and December 31, 2020.

HIPAA defines a breach as “an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information. An impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised.” A risk assessment should be conducted to determine the probability that PHI has been compromised. It must include the nature and extent of PHI involved; the probability of identification of individuals; the person who used/disclosed the PHI; whether PHI was viewed or acquired by an unauthorized individual; and the extent to which risk has been mitigated.

The HIPAA Breach Notification Rule requires notifications to be issued to affected individuals within 60 days of the discovery of a breach. All breaches must be reported to OCR, including security incidents and privacy breaches affecting a single patient. If the breach affects 500 or more individuals, OCR must also be notified within 60 days. When there is a smaller breach, patients must still be notified within 60 days, but OCR does not need to be notified until 60 days from the end of the calendar year when the breach was discovered.

Breach reports should be submitted to OCR electronically via the OCR breach reporting portal. While smaller breaches can be reported ‘together’ ahead of the deadline via the portal, each incident must be submitted individually. Since details of the breach must be provided, including contact information, the nature of the incident, and the actions taken following the breach, adding these breach reports can take some time. The best practice is to report the breaches throughout the year when sufficient information about the nature, scope, and cause of the breaches is known, rather than wait until the last minute.

The failure to report small healthcare data breaches before the deadline could result in sanctions and penalties against the covered entity or business associate.


Whistleblower Who Falsely Claimed Nurse Violated HIPAA Jailed for 6 Months

A Georgia man who falsely claimed a former acquaintance had violated patient privacy and breached the HIPAA Rules has been fined $1,200 and sentenced to 6 months in jail.

In October 2019, Jeffrey Parker, 44, of Rincon, GA, claimed to be a HIPAA whistleblower and alerted the authorities about serious privacy violations by a nurse at a Savannah, GA hospital, including emailing graphic pictures of traumatic injuries of hospital patients internally and externally.

According to court documents, Parker “engaged in an intricate scheme” to frame a former acquaintance for violations of the Federal Health Insurance Portability and Accountability Act’s Privacy Rule. To back up the fake claims, Parker created multiple email accounts in the names of real patients and used those accounts to send false accusations of privacy violations. Emails were sent to the hospital where the nurse worked, the Federal Bureau of Investigation (FBI), and the Department of Justice (DOJ).

Parker also alleged that he had been threatened for his actions as a whistleblower and law enforcement took steps to ensure his safety. When questioned about the threats and the HIPAA violations, an FBI agent identified irregularities in his story and upon further questioning, Parker admitted making fake accusations to frame the former acquaintance for fictional HIPAA violations.

“Falsely accusing others of criminal activity is illegal, and it hinders justice system personnel with the pursuit of unnecessary investigations,” said U.S. Attorney Bobby L. Christine, when Parker was charged. “This fake complaint caused a diversion of resources by federal investigators, as well as an unnecessary distraction for an important health care institution in our community.”

Parker pleaded guilty to one case of making false statements and potentially faced a 5-year jail term. He was sentenced to serve 6 months in jail by U.S. District Court Judge Lisa Godbey Wood.

“Many hours of investigation and resources were wasted determining that Parker’s whistleblower complaints were fake, meant to do harm to another citizen,” said Chris Hacker, Special Agent in Charge of FBI Atlanta. “Before he could do more damage, his elaborate scheme was uncovered by a perceptive agent and now he will serve time for his deliberate transgression.”

Parker is not eligible for parole and will serve the full term, followed by 3 years of supervised release.


January 2021 Healthcare Data Breach Report

January saw a 48% month-over-month reduction in the number of healthcare data breaches of 500 or more records, falling from 62 incidents in December to just 32 in January. While this is well below the average number of data breaches reported each month over the past 12 months (38), it is still more than 1 data breach per day.

[Chart: January 2021 Healthcare Data Breaches]

There would have been a significant decline in the number of breached records were it not for a major data breach discovered by Florida Healthy Kids Corporation that affected 3.5 million individuals. With that breach included, 4,467,098 records were reported as breached in January, which exceeded December’s total by more than 225,000 records.

[Chart: January 2021 Healthcare Data Breaches - Records Exposed]

Largest Healthcare Data Breaches Reported in January 2021

The breach reported by Florida Healthy Kids Corporation was one of the largest healthcare data breaches of all time. The breach was reported by the health plan, but actually occurred at one of its business associates. The health plan used an IT company for hosting its website and an application used to apply for insurance coverage. The company failed to apply patches for 7 years, which allowed unauthorized individuals to exploit the flaws and gain access to sensitive data.

Hendrick Health had a major data breach due to a ransomware attack, one of many reported by healthcare providers since September 2020, when ransomware actors stepped up their attacks on the healthcare sector. The County of Ramsey breach was also due to a ransomware attack at one of its technology vendors.

Email-based attacks such as business email compromise (BEC) and phishing attacks were common in January, and were the cause of 4 of the top ten breaches.

| Name of Covered Entity | Covered Entity Type | Individuals Affected | Type of Breach | Location of Breached Information |
|---|---|---|---|---|
| Florida Healthy Kids Corporation | Health Plan* | 3,500,000 | Hacking/IT Incident: Website and Web Application Hack | Network Server |
| Hendrick Health | Healthcare Provider | 640,436 | Hacking/IT Incident: Ransomware | Network Server |
| Roper St. Francis Healthcare | Healthcare Provider | 189,761 | Hacking/IT Incident: Phishing attack | Email |
| Precision Spine Care | Healthcare Provider | 20,787 | Hacking/IT Incident: BEC attack | Email |
| Walgreen Co. | Healthcare Provider | 16,089 | Unauthorized Access/Disclosure: Unknown | Email |
| The Richards Group | Business Associate | 15,429 | Hacking/IT Incident: Phishing attack | Email |
| Florida Hospital Physician Group Inc. | Healthcare Provider | 13,759 | Hacking/IT Incident: EHR System | Electronic Medical Record |
| Managed Health Services | Health Plan* | 11,988 | Unauthorized Access/Disclosure: Unconfirmed | Paper/Films |
| Bethesda Hospital | Healthcare Provider | 9,148 | Unauthorized Access of EMR by employee | Electronic Medical Record |
| County of Ramsey | Healthcare Provider* | 8,687 | Hacking/IT Incident: Ransomware | Network Server |

*Breach reported by covered entity but occurred at a business associate.

Causes of January 2021 Healthcare Data Breaches

Hacking and other IT incidents continue to cause the majority of healthcare data breaches. January saw 20 hacking/IT incidents reported, which accounted for 62.5% of the month’s data breaches. The protected health information of 4,413,762 individuals was compromised or exposed in those breaches – 98.8% of all breached records in January. The average breach size was 220,688 records and the median breach size was 2,464 records.

There were 11 reported unauthorized access and disclosure incidents involving 50,996 records. The average breach size was 4,636 records and the median breach size was 1,680 records.

There was one reported incident involving the loss of an unencrypted laptop computer containing 2,340 records, but no theft or improper disposal incidents.

[Chart: Causes of January 2021 Healthcare Data Breaches]

As the bar chart below shows, email is the most common location of breached PHI, mostly due to the high number of phishing attacks. This was closely followed by network server incidents, which mostly involve malware or ransomware.

[Chart: Location of PHI in January 2021 Healthcare Data Breaches]

January 2021 Healthcare Data Breaches by Entity Type

Healthcare providers were the worst affected covered entity type with 23 reported data breaches followed by health plans with 6 reported breaches. Three data breaches were reported by business associates of HIPAA covered entities, although a further 7 occurred at business associates but were reported by the covered entity, including the largest data breach of the month.

The number of breaches reported by business associates has been increasing in recent months. These incidents often involve multiple covered entities, such as the data breach at Blackbaud in 2020, which involved the data of more than 10 million individuals across around four dozen healthcare organizations. A study by CI Security found 75% of all breached healthcare records in the second half of 2020 were due to data breaches at business associates.

[Chart: January 2021 healthcare data breaches by covered entity type]

Where Did the Data Breaches Occur?

January’s 32 data breaches were spread across 18 states, with Florida the worst affected with 6 reported breaches. There were 3 breaches reported by entities in Texas and Wyoming, and 2 reported in each of Louisiana, Massachusetts, and Minnesota.

Illinois, Indiana, Maryland, Missouri, Nevada, North Carolina, Ohio, Pennsylvania, South Carolina, Vermont, Virginia, and Washington each had 1 breach reported.

HIPAA Enforcement Activity in January 2021

2020 was a record year for HIPAA enforcement actions with 19 settlements reached to resolve HIPAA cases, and the enforcement actions continued in January with two settlements reached with HIPAA covered entities to resolve violations of the HIPAA Rules.

Excellus Health Plan settled a HIPAA compliance investigation that was initiated following a report of a breach of 9,358,891 records in 2015. OCR investigators identified multiple potential violations of the HIPAA Rules, including a risk analysis failure, risk management failure, lack of information system activity reviews, and insufficient technical policies to prevent unauthorized ePHI access. Excellus Health Plan settled the case with no admission of liability and paid a $5,100,000 financial penalty.

OCR continued with its crackdown on noncompliance with the HIPAA Right of Access with a $200,000 financial penalty for Banner Health. OCR found two Banner Health affiliated covered entities had each failed to provide a patient with timely access to medical records, with both patients having to wait several months to receive their requested records.


HHS Secretary Announces Limited HIPAA Waiver in Texas Due to the Winter Storm

Following President Joseph R. Biden’s declaration of an emergency in the State of Texas, Norris Cochran, Acting Secretary of the Department of Health and Human Services, declared a public health emergency due to the consequences of the winter storm in the state of Texas.

Pursuant to Section 1135(b)(7) of the Social Security Act, the HHS Secretary announced a limited waiver of sanctions and penalties arising from noncompliance with certain provisions of the HIPAA Privacy Rule.

For the period of the waiver, sanctions and penalties will not be imposed for noncompliance with the following HIPAA Privacy Rule requirements:

  • The requirement to obtain a patient’s agreement to speak with family members or friends – 45 C.F.R. § 164.510(a);
  • The requirement to honor a patient’s request to opt out of the facility directory – 45 C.F.R. § 164.510(b);
  • The requirement to distribute a notice of privacy practices – 45 C.F.R. § 164.520;
  • The patient’s right to request privacy restrictions – 45 C.F.R. § 164.522(a);
  • The patient’s right to request confidential communications – 45 C.F.R. § 164.522(b).

The waiver will become effective on February 19, 2021 and will be retroactive to February 11, 2021.

The waiver only covers hospitals in the geographic areas covered by the public health emergency, and only for hospitals that implemented their disaster protocols during the time that the waiver is in effect. The waiver lasts for up to 72 hours from the time a hospital implements its disaster protocol.

When either the Presidential or Secretarial declaration terminates, hospitals must then comply with the above requirements of the HIPAA Privacy Rule or face sanctions and penalties. That applies to patients still under the care of the hospital, even if the 72-hour time period has not elapsed.

Further information on the HIPAA waiver and HIPAA Privacy and Disclosures in Emergency situations can be found in the HHS HIPAA Bulletin – https://www.hhs.gov/sites/default/files/2021-texas-winter-storm-hipaa-bulletin.pdf


Sharp HealthCare Pays $70,000 to Resolve HIPAA Right of Access Violation

The HHS’ Office for Civil Rights (OCR) has fined Sharp HealthCare $70,000 for failing to provide a patient with timely access to his medical records. This is the sixteenth financial penalty to be agreed with OCR under the HIPAA Right of Access enforcement initiative that was launched in late 2019.

OCR received a complaint from a patient on June 11, 2019 that alleged Sharp Healthcare, doing business as Sharp Rees-Stealy Medical Centers (SRMC), failed to provide him with a copy of his medical records within 30 days, as is required by the HIPAA Privacy Rule.

The patient claimed to have made a request in writing on April 2, 2019 but had not been provided with the requested records after waiting more than 2 months. OCR investigated and provided technical assistance to SRMC on the HIPAA Right of Access provision of the HIPAA Privacy Rule and the requirement to send medical records to a third party if requested by a patient. OCR closed the complaint on June 25, 2019.

The same patient filed a second complaint with OCR on August 19, 2019 when the requested medical records had still not been provided. The complainant finally received the requested records on October 15, 2019, more than 6 months after the record request was initially made.

OCR determined the long delay in providing the requested records was in violation of 45 C.F.R. § 164.524 and the HIPAA violation warranted a financial penalty. Had the records been provided in a timely manner after receiving technical assistance, a financial penalty could have been avoided.

In addition to paying the $70,000 penalty, Sharp HealthCare has agreed to adopt a corrective action plan and will be monitored closely for compliance by OCR for 2 years. The corrective action plan requires Sharp HealthCare to develop, maintain, and revise, as necessary, policies and procedures covering patient requests for access to their medical records and training must be provided to the workforce on individuals’ right to access their own PHI.

In an announcement about the latest settlement, Acting OCR Director Robinsue Frohboese said, “Patients are entitled to timely access to their medical records. OCR created the Right of Access Initiative to enforce and support this critical right.”


Renown Health Pays $75,000 to Settle HIPAA Right of Access Case

The Department of Health and Human Services’ Office for Civil Rights (OCR) is continuing to crack down on noncompliance with the HIPAA Right of Access. This week, OCR announced its fifteenth settlement to resolve a HIPAA Right of Access enforcement action.

Renown Health, a not-for-profit healthcare network in Northern Nevada, agreed to settle its HIPAA case with OCR to resolve potential violations of the HIPAA Right of Access and has agreed to pay a financial penalty of $75,000.

OCR launched an investigation after receiving a complaint from a Renown Health patient who had not been provided with an electronic copy of her protected health information. In January 2019, the patient submitted a request to Renown Health and asked for her medical and billing records to be sent to her attorney. After waiting more than a month for the records to be provided, the patient filed a complaint with OCR. It took Renown Health until December 27, 2019 to provide the requested records, almost a year after the initial request was made.

The HIPAA Privacy Rule (45 C.F.R. § 164.524) requires medical records to be provided to individuals within 30 days of a request being made. OCR determined that the delay in providing the requested records was in violation of this Privacy Rule provision.

In addition to paying the financial penalty, Renown Health has agreed to adopt a corrective action plan that requires written policies and procedures to be developed, maintained, and revised, as necessary, covering the HIPAA Right of Access. Training must be provided to the workforce on the policies and procedures, and a sanctions policy must be implemented and applied when workforce members fail to comply with the policies and procedures. OCR will monitor Renown Health for compliance with the HIPAA Right of Access for 2 years.

“Access to one’s health records is an essential HIPAA right and health care providers have a legal obligation to their patients to provide access to their health information on a timely basis,” said Acting OCR Director Robinsue Frohboese.

The settlement is the third to be announced by OCR in 2021 and follows a $200,000 settlement with Banner Health for similar HIPAA Right of Access violations and a $5,100,000 settlement with Excellus Health Plan to resolve multiple HIPAA violations that contributed to a 2015 data breach of 9,358,891 records.


Micky Tripathi and Robinsue Frohboese Head ONC and OCR at the HHS

The Biden administration has appointed Micky Tripathi as the National Coordinator for Health IT at the Department of Health and Human Services’ Office.

Tripathi will head the Office of the National Coordinator for Health IT, which is tasked with coordinating efforts to implement advanced health information technology to ensure the secure exchange of health information. The ONC is currently overseeing efforts to provide Americans with easy access to their health records through their smartphones and is implementing 21st Century Cures Act provisions that promote health IT interoperability and prohibit information blocking.

Tripathi has a wealth of experience in secure health information exchange and is aware of the current interoperability issues in the healthcare industry. Prior to joining the ONC, Tripathi was most recently the chief alliance officer at the healthcare analytics and software company Arcadia, where he was responsible for developing partnerships to enhance healthcare with advanced IT technology.

Tripathi has also served as manager of the strategy and management consulting firm Boston Consulting Group (BCG), as CEO of the Massachusetts eHealth Collaborative, and as the founding president and CEO of the Indiana Health Information Exchange, and has served on the boards of the HL7 FHIR Foundation, Datica, Sequoia Project, CommonWell Health Alliance, and the CARIN Alliance.

“I can personally attest to Micky’s industry-wide leadership on healthcare interoperability and to his vision for the value that shared, timely, and accurate data provides for improving healthcare delivery and reducing costs. No one is better suited for this absolutely critical mission,” said Sean Carroll, CEO, Arcadia.

Tripathi replaces former President Trump’s appointee Donald Rucker, M.D., who held the position for the previous 4 years.

The HHS has also confirmed that Robinsue Frohboese has taken on the role of Acting Director of the HHS’ Office for Civil Rights, the main enforcer of HIPAA compliance. Frohboese previously served as principal deputy director of OCR and takes over from acting director March Bell, who replaced the former OCR Director Roger Severino on January 15, 2020.

Frohboese has played a key role in many civil rights initiatives and OCR’s implementation of the HIPAA Privacy Rule.

Prior to taking on the role of principal deputy at OCR, Frohboese worked for 17 years in the Special Litigation Section of the Civil Rights Division of the U.S. Department of Justice, first as Senior Trial Attorney and subsequently as Deputy Chief.
