HIPAA Compliance News

Compliancy Group Helps SAR Technology Group Achieve HIPAA Compliance

Posted by HIPAA Journal

SAR Technology Group has been confirmed as having achieved HIPAA compliance after successfully completing Compliancy Group’s proprietary 6-Stage HIPAA Risk Analysis and remediation process.

The regulatory standards of the Health Insurance Portability and Accountability Act ensure the confidentiality, integrity, and availability of healthcare data and protect the privacy of patients.

Vendors that serve healthcare clients must ensure they are fully compliant with HIPAA laws, but meeting all of the requirements of HIPAA can be a challenge. There is also no margin for error. Stiff fines can be imposed on business associates if they are found not to have complied with any aspect of HIPAA.

When SAR Technology Group moved into the healthcare sphere it soon became apparent that it was necessary to achieve HIPAA compliance internally. “Originally, we were planning to go through the process ourselves without external help. Soon it became evident this was not feasible as we lacked the expertise and knowledge to navigate the complex HIPAA laws,” explained SAR Technology Group. “After performing extensive research on companies providing HIPAA compliance services, and speaking to a few, we chose Compliancy Group as a partner. Their solution by far was the most comprehensive and easy to use and it was built with the end user in mind.”

Compliancy Group has developed a proprietary HIPAA compliance tracking solution called The Guard that partners can use to guide them through creating an effective HIPAA compliance program. The Guard simplifies the compliance process and ensures no aspect of HIPAA is missed. Compliancy Group’s compliance coaches are also available to help partners with their compliance efforts and answer any questions they have about any aspect of HIPAA law.

“[Compliancy Group] simplified the process and most importantly provided a solution to a problem we had in an affordable and truly achievable way,” explained SAR Technology Group. 

After implementing an effective compliance program, Compliancy Group’s compliance experts assessed SAR Technology Group’s good faith efforts to comply with HIPAA. After confirming all aspects of HIPAA laws had been satisfied, SAR Technology Group was awarded Compliancy Group’s ‘Seal of Compliance’.

The Seal of Compliance is helping SAR Technology Group to attract new customers and expand its offerings to healthcare organizations. “We have combined the services Compliancy Group offers with a full and comprehensive suite of IT services which meet and exceed HIPAA requirements, extending Compliancy Group’s offer of Compliance-as-a-Service to add IT-as-a-service.”

The post Compliancy Group Helps SAR Technology Group Achieve HIPAA Compliance appeared first on HIPAA Journal.

HHS Releases Final Interoperability and Information Blocking Rules

Posted by HIPAA Journal

On March 6, 2020, the Office of Information and Regulatory Affairs’ Office of Management and Budget announced it has completed its review of the rules proposed by two HHS agencies in February 2019 to tackle interoperability and information blocking.

On March 9, 2020 the HHS’ Centers for Medicare and Medicaid Services (CMS) and the HHS’ Office of the National Coordinator of Health Information Technology (ONC) released their final rules which change how healthcare delivery organizations, health insurers, and patients exchange health data.

The interoperability and information blocking rules were required by the Medicare Access and CHIP Reauthorization Act of 2015 (MACRA) and the 21st Century Cures Act of 2016. They are intended to make it easier for healthcare data to be exchanged between providers, insurers, and patients and are a key part of creating a patient-centric healthcare system and put patients in control of their own health records.

“These rules are the start of a new chapter in how patients experience American healthcare, opening up countless new opportunities for them to improve their own health, find the providers that meet their needs, and drive quality through greater coordination,” explained HHS Secretary, Alex Azar.

Easy Access to Patient Records Through APIs

One of the ways that patients are given easy access to their health data is through the use of application programming interfaces (APIs). APIs can be leveraged to connect different IT systems and software solutions to allow data to be easily transferred from one to the other. The use of APIs has driven innovation in many sectors, but they have not been adopted in healthcare to give patients easy access to their medical records. The final rules will ensure that changes.

The use of APIs will allow healthcare providers to easily share a patients’ electronic health records with other healthcare organizations with different EHR systems. It will also allow patients to have their healthcare data, including medical records, sent to a third-party health app if thy so wish. The rules also include provisions to ensure that patient data contained in electronic health records is provided to patients at no additional cost when it is accessed electronically.

Improving Interoperability of Health Data

The CMS Interoperability and Patient Access final rule, part of the Trump Administration’s MyHealthEData initiative, is aimed at improving interoperability and patient access to healthcare data. “[The] final rule is focused on driving interoperability and patient access to health information by liberating patient data using CMS authority to regulate Medicare Advantage (MA), Medicaid, CHIP, and Qualified Health Plan (QHP) issuers on the Federally-facilitated Exchanges (FFEs),” explained CMS in the Interoperability and Patient Fact Sheet, published on March 9, 2020.

The lack of effective exchange of healthcare data has had a negative effect on patient outcomes and is also contributing to high healthcare costs. The CMS final rule removes barriers to information sharing to give patients easy access to their healthcare data, it will improve interoperability, drive innovation, and reduce the burden on payers and providers. When patient health information moves freely, patient care can be coordinated easily, costs can be reduced, and patient outcomes are likely to improve.

“Delivering interoperability actually gives patients the ability to manage their healthcare the same way they manage their finances, travel and every other component of their lives. This requires using modern computing standards and APIs that give patients access to their health information and gives them the ability to use the tools they want to shop for and coordinate their own care on their smartphones,” said Don Rucker, M.D., national coordinator for health information technology.

Final Rules Will Drive Innovation

In addition to requiring healthcare providers to share medical records with third party apps at the request of patients, the CMS rule also calls for health insurers to share cost information with third-party apps. This will give patients information about the out-of-pocket expenses they are likely to incur. This will allow patients to plan and budget for medical bills.

“The days of patients being kept in the dark are over,” said CMS Administrator Seema Verma. “These rules begin a new chapter by requiring insurance plans to share health data with their patients in a format suitable for their phones or other device of their choice. We are holding payers to a higher standard while protecting patient privacy through secure access to their health information. Patients can expect improved quality and better outcomes at a lower cost.”

The CMS final rule also requires CMS-regulated payers to make provider directory information available publicly via a standards-based API. This will encourage innovation and will allow third-party app developers to create services that allow patients to find providers that can offer care and treatment. These apps could also be used by clinicians to find other providers to help with care coordination.

The CMS rule also calls for payer-to-payer clinical health data exchange to allow patients to take their data with them when they change payers and to create a cumulative health record with their current payer. “Having a patient’s health information in one place will facilitate informed decision-making, efficient care, and ultimately can lead to better health outcomes,” explained the CMS.

Preventing Information Blocking

The ONC’s 21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program Final Rule details information blocking practices such as anti-competitive behavior which are prohibited and reasonable and necessary activities that are not classed as information blocking and are permitted. One area where problems will be eased is the sharing of screenshots and videos related to EHR use. Many EHR providers prohibit the use screenshots and videos, when these are important for communicating about usability, the user experience, and interoperability.

The CMS has confirmed that starting in late 2020, using data collected for the 2019 performance year data, the CMS will be reporting clinicians, hospitals, and critical access hospitals that are believed to be engaging in information blocking practices based on how they attested to certain Promoting Interoperability Program requirements.

Patient Privacy and Data Security

The proposed rules will improve interoperability and reduce information blocking, but there has been fierce criticism of the rules by some groups, mostly in relation to patient privacy. Both the American Hospital Association (AHA) and the American Medical Association (AMA) have been vocal critics of the rules criticized the rules, with one of the main issues related to the sharing of health records with third-party apps.

Healthcare providers are required to comply with HIPAA and must ensure safeguards are implemented to ensure patient data is protected. Health app developers and other entities not required to comply with HIPAA, may not have appropriate privacy protections in place. There is also considerable potential for secondary uses of patient health information without the knowledge of patients.

The AHA and AMA are not alone. Many privacy advocates and health systems have expressed concern about the proposed rules and patient privacy. Last year, Epic wrote to the HHS Secretary voicing concern and even threatened legal action if patient privacy was not protected. The letter was signed by 60 healthcare systems.

The CMS and ONC have made patient privacy a key priority. Both the CMS and ONC want to ensure patient data flows freely, but also that patient privacy is protected. To ensure the privacy and security of patient data in transit, the ONC and CMS have adopted the Health Level 7® (HL7) Fast Healthcare Interoperability Resources® (FHIR) Release 4.0.1 as the standard to support data exchange via APIs.

That standard ensures patient privacy and security for the transfer of health data but does not cover patient data once it has been transferred to a third party. To address risks after data has been transferred, healthcare organizations are permitted to ask third-party app developers to attest to certain privacy provisions, such as whether there will be any secondary uses of patient data and to make sure patients are informed about what those secondary uses will be.

The post HHS Releases Final Interoperability and Information Blocking Rules appeared first on HIPAA Journal.

Protecting Jessica Grubbs Legacy Act Reintroduced by Sens. Manchin and Capito

Posted by HIPAA Journal

The Protecting Jessica Grubbs Legacy Act (S. 3374) has been reintroduced by Senators Joe Manchin (D-W.V.) and Shelley Moore Capito (R-W.V.). The Protecting Jessica Grubbs Legacy Act aims to modernize the 45 CRF Part 2 regulations to support the sharing of substance abuse disorder treatment records and improve care coordination.

42 CFR Part 2 regulations restrict the sharing of addiction records, which makes it very difficult for information to be shared about patients who are recovering from substance abuse disorder. Currently 45 CFR Part 2 regulations only permit substance abuse patients themselves to decide who has access to their full medical history. While the sharing of highly sensitive information about a patient’s history of substance abuse disorder and treatment is intended to protect the privacy of patients and ensure they are protected against discrimination, not making that information available to doctors can have catastrophic consequences, as happened with Jessica Grubbs.

Jessica Grubbs was recovering from substance abuse disorder when she underwent surgery. The discharging doctor prescribed oxycodone and Grubbs returned home with 50 oxycodone pills. She later died of an overdose. If the discharging doctor was made aware that Grubbs had a history of substance abuse disorder, a different medication could have been prescribed.

Medical providers are responsible for providing care to patients, but without access to their full medical histories, they are doing so blind. It is difficult for medical providers to make correct decisions about patients’ care if they only have access to incomplete medical records.

The Protecting Jessica Grubbs Legacy Act was introduced to ensure medical providers have access to all the necessary information, so they do not accidentally give opioid drugs to patients in recovery from substance abuse disorder. The Protecting Jessica Grubbs Legacy Act will help to ensure tragedies such as the death of Jessica Grubbs are prevented.

“No family or community should ever have to go through the senseless and preventable tragedy that Jessica Grubbs and her family had to endure,” said Sen. Manchin. “This bipartisan bill is essential to combating the opioid epidemic and ensuring that these painful deaths are prevented.”

Healthcare industry stakeholders have been pushing for changes to 42 CFR Part 2 regulations for several years and Congress has been petitioned to make changes to the regulations. In 2019, the National Association of Attorneys General wrote to House and Senate leaders calling for changes to the regulations, which were called cumbersome and out of date. 39 state attorneys general signed the letter. The HHS also proposed changes to 45 CFR Part 2 last year to align the regulations more closely with HIPAA.

The reintroduced Protecting Jessica Grubbs Legacy Act includes several revisions to the original act, S. 1012, which was introduced in April 2019. The language of the bill has been changed to require a patient to give their affirmative, written consent to opt-in before their information may be shared. An educational component has also been added that requires patients to be informed about exactly what they are consenting to before a final determination. An opt-out clause has also been added that allows patients to opt out and rescind their consent at any time. The revised Protecting Jessica Grubbs Legacy Act also calls for Part 2 regulations to be aligned more closely with HIPAA.

To ensure the privacy of patients is protected, enhancements have been made to current protections to prevent discrimination in relation to access to treatment, termination of employment, receipt of worker’s compensation, rental housing, and federal, state, and local government social services benefits.

The Secretary of the Department of Health and Human Services will be directed to consult with appropriate legal, clinical, privacy, and civil rights experts when updates are made to the Code of Federal Regulations to implement the changes proposed in the bill.

“This is an ideal compromise that alleviates the roadblocks to care coordination, while providing strong protections, and more importantly providing those suffering with substance use disorder, more comfortable in knowing they can share medical records in a protected manner and enforced with real penalties to prevent misuse of sensitive medical information,” said Sen. Manchin in a statement.

The revised bill has received considerable support from industry stakeholders and the bill has been co-sponsored by Sens. Sheldon Whitehouse (D-R.I), Kevin Cramer (R-N.D.), Dianne Feinstein (D-Calif.), Doug Jones (D-Ala.), Chris Murphy (D-Conn.), Thom Tillis (R-N.C.), Susan Collins (R-Maine), Kamala Harris (D-Calif.), Bill Cassidy (R-La.), Amy Klobuchar (D-Minn.), and Jeff Merkley (D-Ore.).

The post Protecting Jessica Grubbs Legacy Act Reintroduced by Sens. Manchin and Capito appeared first on HIPAA Journal.

Senators Demand Answers from Ascension About Project Nightingale as Google’s Response was Deemed Incomplete

Posted by HIPAA Journal

Following the revelation that a considerable volume of patient data had been shared with Google by the Catholic health system Ascension, the second largest health system in the United States, concern was raised about the nature of the partnership.

Ascension operates 150 hospitals and more than 2,600 care facilities in 20 states and the District of Columbia and has more than 10 million patients. In November 2019, a whistleblower at Google passed information to the Wall Street Journal on the nature of the collaboration and claimed that patient data, including patient names, dates of birth, lab test results, diagnoses, health histories and other protected health information, had been shared with Google and was accessible by more than 150 Google employees.

In response to the story, Google announced that the partnership, named Project Nightingale, was a cloud migration and data sharing initiative. Ascension is migrating its data warehouse and analytics infrastructure to the Google Cloud and will be using Google’s G Suite productivity suite. Patient data was being used by Google’s AI and machine learning technologies with the purpose of improving clinical quality and patient safety.

Google and Ascension both unissued statements confirming that there was a business associate agreement in place and data was being shared in a manner compliant with Health Insurance Portability and Accountability Act (HIPAA) Rules and health data was not being used for purposes other than those stated in its BAA. Several investigations were launched to determine the nature of the agreement between both companies, with the HHS’ Office for Civil Rights opening an investigation into both companies to determine whether HIPAA Rules were being adhered to.

Three U.S. senators – Sen. Bill Cassidy, M.D., (R-LA), Elizabeth Warren (D-MA), and Richard Blumenthal (D-CT) – wrote to Google demanding answers about the collaboration. Google responded and explained that data was shared in accordance with HIPAA Rules, that only a limited number of employees have access to that data, that access controls are in place to prevent unauthorized access, and any individual required to access health data is set permissions based on their role and job function.

Google also explained that Ascension’s data is logically isolated from other customers and confirmed that the data was only being used for an EHR search pilot program that would provide physicians and nurses with a unified view of patient data from multiple EHR systems. The EHR search tool will allow medical staff to search data in EHRs faster and effectively query medical records using words and abbreviations commonly used in healthcare. Google confirmed that medical records were not being used for secondary purposes, such as identifying services for specific individuals or to send them targeted advertisements.

The senators believe the answers provided by Google are incomplete. On Monday, they wrote to Ascension demanding answers about Project Nightingale and the patient data shared with Google. “Google’s response did not answer a number of our questions pertaining to Ascension’s involvement, we are requesting additional details from Ascension to help us better understand how Project Nightingale protects the sensitive health information of American patients,” explained the senators.

The senators want to know how many records have been shared with Google, the exact nature of the information that was shared, if there have been any breaches of the shared data, and whether patients were notified that their PHI would be shared with Google and if they were given the opportunity to opt out.

“It’s critical lawmakers receive comprehensive information about Project Nightingale, which serves as a case study of Google’s more extensive foray into electronic health records,” explained the senators in the letter. “While improving the sharing, accessibility, and searchability of health data for providers could almost certainly lead to improvements in care, the role of Google in developing such a tool warrants scrutiny.”

The post Senators Demand Answers from Ascension About Project Nightingale as Google’s Response was Deemed Incomplete appeared first on HIPAA Journal.

HHS’ Office for Civil Rights Announces First HIPAA Penalty of 2020

Posted by HIPAA Journal

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced its first HIPAA penalty of 2020. The practice of Steven A. Porter, M.D., has agreed to pay a financial penalty of $100,000 to resolve potential violations of the HIPAA Security Rule and will adopt a corrective action plan to address all areas of noncompliance discovered during the compliance investigation.

Dr. Porter’s practice in Ogden, UT provides gastroenterological services to more than 3,000 patients. OCR launched an investigation following a report of a data breach in November 13, 2013. The breach concerned a business associate of Dr. Porter’s electronic medical record (EHR) company which was allegedly impermissibly using patients’ electronic medical records by blocking the practice’s access to ePHI until Dr. Porter paid the company $50,000.

The breach investigation uncovered serious violations of the HIPAA Security Rule at the practice. At the time of the audit, Dr. Porter had never conducted a risk analysis to identify risks to the confidentiality, integrity, and availability of ePHI, in violation of 45 C.F.R. § 164.308(a)(1)(i), the practice had not reduced risks to a reasonable and appropriate level, and had not implemented policies and procedures to prevent, detect, contain, and correct security violations.

Since at least 2013, the practice had allowed Dr. Porter’s EHR company to create, receive, maintain, or transmit ePHI on behalf of the practice, without first receiving satisfactory assurances that the company would implement safeguards to ensure the confidentiality, integrity, and availability of ePHI, in violation of 45 C.F.R. § 164.308(b).

Throughout the course of the investigation, OCR provided significant technical assistance, yet a risk analysis was not conducted after the breach and appropriate security measures were not implemented to reduce risks to a reasonable and appropriate level.

The financial penalty shows that healthcare providers of all sizes must take their responsibilities under HIPAA seriously. “The failure to implement basic HIPAA requirements, such as an accurate and thorough risk analysis and risk management plan, continues to be an unacceptable and disturbing trend within the health care industry,” said OCR Director, Roger Severino.

The post HHS’ Office for Civil Rights Announces First HIPAA Penalty of 2020 appeared first on HIPAA Journal.

American Medical Association Publishes Playbook Dispelling Common HIPAA Right of Access Myths

Posted by HIPAA Journal

The American Medical Association (AMA) has published a new HIPAA playbook to help physicians and their practices understand the HIPAA Right of Access and ensure compliance with this important requirement of HIPAA.

Misunderstandings about the HIPAA Right of Access can result in financial penalties for noncompliance. The HHS’ Office for Civil Rights launched a new HIPAA Right of Access enforcement initiative in 2019 and has already taken action against two healthcare organizations that were not providing patients with copies of their medical records in a timely manner. Both cases started with a single complaint from a patient who was not provided with a copy of the requested records and ended with a $85,000 financial penalty.

Patients need to be able to access their healthcare data to be able to make informed decisions about their own health. HIPAA gives patients the right to obtain a copy of their health records, but healthcare providers can face challenges complying with all of the legal requirements of HIPAA. These challenges, together with misunderstandings about the HIPAA Right of Access, have prevented some providers from complying with patient requests for copies of their health information.

The Patient Records Electronic Access Playbook was released to educate physicians and their practices about the need to provide patients with access to their medical records and the legal requirements related to medical record access and the sharing of records with patients.

The 104-page document is divided into four parts and covers the legal requirements of HIPAA and patient access laws and the challenges physician practices face complying with the HIPAA Right of Access. The playbook includes guidance to help physicians overcome challenges and best practices for operationalizing records access fulfillment.

The document also dispels some of the common myths about providing patients and third parties with health records, the health information that can and cannot be shared, the amount that healthcare providers can change for providing copies of medical records, and how medical records must be provided.

The playbook explains that even when patient portals are in use compliance with the HIPAA Right of Access is far from guaranteed. Patient portals do not typically allow patients to access all of their health information and copies of medical records will still need to be provided to patients. AMA recommends giving patients the opportunity to access their health data over several different media. The playbook also covers providing health records to third parties at the request of a patient and requests originating from third parties, which are two aspects of the HIPAA Right of Access that have caused confusion for many physician practices.

AMA says in the playbook that healthcare providers need to learn about the capabilities of their EHRs, and discover how patient records can be sent to other healthcare providers, how information can be fed into patient portals, and how to export patient records to USB drives or CDs.

Healthcare providers should also actively encourage patients to take a greater interest in their healthcare and obtain a copy of their health records and check those records for errors. “Most importantly, encourage each patient to use apps and access to health information to become an active champion of his or her health,” says AMA. “Patients can better manage their health by understanding and managing all of their health information.”

The post American Medical Association Publishes Playbook Dispelling Common HIPAA Right of Access Myths appeared first on HIPAA Journal.

Webinar 03/18/20: Discover the Untold Benefits of HIPAA Compliance

Posted by HIPAA Journal

If you are a HIPAA-covered entity, current business associate, or you are looking to start providing services to healthcare organizations, you will need to ensure that your business is fully compliant with Health Insurance Portability and Accountability Act Rules.

In the event of a compliance audit or data breach investigation you will need to demonstrate that you have implemented an effective compliance program and are compliant with the HIPAA Privacy, Security, Omnibus, and Breach Notification Rules. However, there are many more benefits to HIPAA compliance than simply being able to pass a compliance audit.

On March 18, 2020, HIPAA Journal sponsor, Compliancy Group, will be hosting a free webinar to explain the full benefits of HIPAA compliance and the lasting positive impact HIPAA compliance can have on your organization, from protecting your reputation to differentiating your business from the competition.

During the webinar you will be provided with tips on how your organization can start leveraging the true benefits of HIPAA compliance and by the end of the session you will have learned how you can start using compliance to grow your business!

Webinar Details:

Date: Wednesday, March 18, 2020

Time: 2:00 pm ET / 11:oo am PT

Register for the Webinar

About Compliancy Group

Compliancy Group is the industry leader in HIPAA compliance. The company offers an affordable service to help your business meet all its obligations under the HIPAA Rules.

The company was founded in 2005 by former compliance auditors who found there were few options available to small-to medium-sized businesses to effectively address compliance without having to use incomplete solutions or hire expensive lawyers.

Compliance Group developed a software solution, The Guard, that steers businesses through the compliance process. Compliancy Group is the only compliance company that provides guided support to simplify the compliance process.

In the event of a compliance audit, help will be provided to ensure it runs as smoothly as possible. No Compliancy Group client has ever failed a compliance audit.

The post Webinar 03/18/20: Discover the Untold Benefits of HIPAA Compliance appeared first on HIPAA Journal.

January 2020 Healthcare Data Breach Report

Posted by HIPAA Journal

In January, healthcare data breaches of 500 or more records were reported to the Department of Health and Human Services’ Office for Civil Rights at a rate of more than one a day.

As our 2019 Healthcare Data Breach Report showed, 2019 was a particularly bad year for healthcare data breaches with 510 data breaches reported by HIPAA-covered entities and their business associates. That equates to a rate of 42.5 data breaches per month. January’s figures are an improvement, with a reporting rate of 1.03 breaches per day. There was also a 15.78% decrease in reported breaches compared to December 2019.

healthcare data breaches February 2019 to January 2020

Healthcare data breaches in January

While the number of breaches was down, the number of breached records increased by 17.71% month-over-month. 462,856 healthcare records were exposed, stolen, or impermissibly disclosed across 32 reported data breaches. As the graph below shows, the severity of data breaches has increased in recent years.

Largest Healthcare Data Breaches in January 2020

Name of Covered Entity State Covered Entity Type Individuals Affected Type of Breach Location of Breached Information
PIH Health CA Healthcare Provider 199,548 Hacking/IT Incident Email
Douglas County Hospital d/b/a Alomere Health MN Healthcare Provider 49,351 Hacking/IT Incident Email
InterMed, PA ME Healthcare Provider 33,000 Hacking/IT Incident Email
Fondren Orthopedic Group L.L.P. TX Healthcare Provider 30,049 Hacking/IT Incident Network Server
Native American Rehabilitation Association of the Northwest, Inc. OR Healthcare Provider 25,187 Hacking/IT Incident Email
Central Kansas Orthopedic Group, LLC KS Healthcare Provider 17,214 Hacking/IT Incident Network Server
Hospital Sisters Health System IL Healthcare Provider 16,167 Hacking/IT Incident Email
Spectrum Healthcare Partners ME Healthcare Provider 11,308 Hacking/IT Incident Email
Original Medicare MD Health Plan 9,965 Unauthorized Access/Disclosure Other
Lawrenceville Internal Medicine Assoc, LLC NJ Healthcare Provider 8,031 Unauthorized Access/Disclosure Email

Causes of January 2020 Healthcare Data Breaches

2019 saw a major increase in healthcare data breaches caused by hacking/IT incidents. In 2019, more than 59% of data breaches reported to the HHS’ Office for Civil Rights were the result of hacking, malware, ransomware, phishing attacks, and other IT security breaches.

Causes of January 2020 Healthcare Data Breaches

Hacking/IT incidents continued to dominate the breach reports in January and accounted for 59.38% of all breaches reported (19 incidents). 28.13% of reported breaches were classified as unauthorized access/disclosure data breaches (9 incidents), there were two reported theft incidents, both involving physical records, and 2 cases of improper disposal of physical records. Ransomware attacks continue to plague the healthcare industry, but phishing attacks are by far the biggest cause of healthcare data breaches. As the above table shows, these attacks can see the PHI of tens of thousands or even hundreds of thousands of patients exposed or stolen.


Hacking/IT incidents tend to be the most damaging type of breach and involve more healthcare records than other breach types. In January, 416,275 records were breached in hacking/IT incidents. The average breach size was 21,909 records and the median breach size was 6,524 records. 26,450 records were breaches as a result of unauthorized access/disclosure incidents. The average breach size was 26,450 records and the median breach size was 2,939 records.

11,284 records were stolen in theft incidents with an average breach size of 5,642 records. The two improper disposal incidents saw 2,812 records discarded without first rendering documents unreadable and undecipherable. The average breach size was  1,406 records. 
Location of breached protected health information

Regular security awareness training for employees has been shown to reduce susceptibility to phishing attacks, but threat actors are conducting increasingly sophisticated attacks. It is often hard to distinguish a phishing email from a genuine message, especially in the case of business email compromise scams.

What is needed to block these attacks is a defense in depth approach and no one technical solution will be effective at blocking all phishing attacks. Defenses should include an advanced spam filter to block phishing messages at source, a web filter to block access to websites hosting phishing kits, DMARC to identify email impersonation attacks, and multi-factor authentication to prevent compromised credentials from being used to access email accounts.

Healthcare Data Breaches by Covered Entity

Healthcare providers were the worst affected by data breaches in January with 25 reported breaches of 500 or more healthcare records. Five breaches were reported by health plans, and two breaches were reported by business associates of HIPAA-covered entities. There were a further three data breaches reported by covered entities that had some business associate involvement.

January 2020 Healthcare Data Breaches by Covered Entity

January 2020 Healthcare Data Breaches records exposed covered entity

Healthcare Data Breaches by State

HIPAA covered entities and business associates in 23 states reported data breaches in January. California and Texas were the worst affected with three reported breaches in each state. There were two breaches reported in each of Florida, Illinois, Maine, Minnesota, and New York, and one breach was reported in each of Alabama, Arizona, Colorado, Connecticut, Georgia, Iowa, Indiana, Kansas, Maryland, Michigan, North Carolina, New Jersey, Oregon, Pennsylvania, South Carolina, and Virginia.

HIPAA Enforcement in January 2020

There were no financial penalties imposed on HIPAA covered entities or business associates by the HHS’ Office for Civil Rights or state attorneys general in January.

There was a notable increase in the number of lawsuits filed against healthcare organizations that have experienced data breaches related to phishing and ransomware attacks.

January saw a lawsuit filed against Health Quest over a July 2018 phishing attack, Tidelands Health is being sued over a December 2019 ransomware attack, and a second lawsuit was filed against DCH Health System over a malware attack involving the Emotet and TrickBot Trojans that occurred in October 2019. These lawsuits follow legal action against Kalispell Regional Healthcare and Solara Medical Supplies in December.

The trend has continued in February with several law firms racing to be the first to file lawsuits against PIH Health in California over a 2019 phishing attack that exposed the data of more than 200,000 individuals.

These lawsuits may cite HIPAA violations, but since there is no private cause of action under HIPAA, legal action is taken over violations of state laws.

The post January 2020 Healthcare Data Breach Report appeared first on HIPAA Journal.

Criminal HIPAA Violation Case Sees Healthcare Worker Charged on 415 Counts

Posted by HIPAA Journal

A former employee of ACM Global Laboratories, part of Rochester Regional Health, has been accused of accessing the medical records of a patient, without authorization, on hundreds of occasions in an attempt to find information that could be used in a child custody battle.

A criminal investigation was launched into the alleged HIPAA violations by Jessica Meier, 41, of Hamlin, NY, when it was suspected that she had been abusing her access rights to patient information for malicious purposes.

Kristina Ciaccia was previously in a relationship with Meier’s half brother and has been in a lengthy child custody battle. In court, Ciaccia heard about a historic visit by her own brother to the emergency room at Rochester Regional Health, when she herself was unaware of the visit. Suspecting snooping on her family’s medical records, Ciaccia reported the matter to Rochester Regional Health.

According to court documents, the Rochester Regional Health audit revealed Meier had accessed the private medical records of Ciaccia on more than 200 occasions between March 2017 and August 2019, without any legitimate work purpose for doing so. It was also confirmed that Meier had accessed the medical records of members of Ciaccia’s family.

Ciaccia reported the criminal HIPAA violations to the police and an investigation was launched. Meier was arraigned in Gates Town Court on Tuesday, February 11, 2019 on 215 felony counts of computer trespass and 215 counts of misdemeanor unauthorized use of a computer. Meier pleaded not guilty to all counts and the case is expected to go before a grand jury.

“If you go in somebody’s medical records, you deserve to be charged. You deserve to be held accountable,” Ciaccia told News 10 NBC. Ciaccia also believes Rochester Regional Health should be held accountable, not for the breach itself, but for the failure to identify an ongoing privacy violation that spanned more than two years.

The unauthorized medical record access was only discovered after Ciaccia reported the potential privacy violation to Rochester Regional Health. “I feel like Rochester Regional pay her all year to go in my medical records, said Ciaccia.” Upon discovery of unauthorized access, Rochester Regional Health took disciplinary action against Meier.

HIPAA requires healthcare organizations to implement safeguards to ensure the confidentiality, integrity, and availability of patient information. Even if access controls and other measures are implemented, it is not possible to prevent all cases of improper accessing of medical records by employees. However, when instances occur, they should be identified quickly.

HIPAA requires audit logs to be maintained to track access to protected health information. Those logs allow audits to take place, as was the case when the matter was brought to the attention of Rochester Regional Health by Ciaccia.

HIPAA also requires audit logs to be regularly checked to identify unauthorized accessing of PHI. Had the audit logs been monitored more closely, the privacy violation could have been identified and sanctions could have been applied against Meier sooner.

The post Criminal HIPAA Violation Case Sees Healthcare Worker Charged on 415 Counts appeared first on HIPAA Journal.