HIPAA Compliance News

OIG Audit Reveals Widespread Improper Use of Medicare Part D Eligibility Verification Transactions

Posted by HIPAA Journal

An audit conducted by the Department of Health and Human Services’ Office of Inspector General (OIG) has revealed many pharmacies and other healthcare providers are improperly using Medicare beneficiaries’ data.

OIG conducted the audit at the request of the HHS’ Centers for Medicare and Medicaid Services (CMS) to determine whether there was inappropriate access and use of Medicare recipients’ data by mail-order and retail pharmacies and other healthcare providers, such as doctors’ offices, clinics, long-term care facilities, and hospitals.

CMS was concerned that a mail order pharmacy and other healthcare providers were misusing Medicare Part D Eligibility Verification Transactions (E1 transactions), which should be only be used to verify Medicare recipients’ eligibility for certain coverage benefits.

OIG conducted the audit to determine whether E1 transactions were only being used for their intended purpose. Since E1 transactions contain Medicare beneficiaries’ protected health information (PHI), they could potentially be used for fraud or other malicious or inappropriate purposes.

An E1 transaction consists of two parts – a request and a response. The healthcare provider submits an E1 request that contains an NCPDP provider ID number or NPI, along with basic patient demographic data.  The request is forwarded onto the transaction facilitator which matches the E1 request data with the data contained in the CMS Eligibility file. A response is then issued, which contains a beneficiary’s Part D coverage information.

The audit was conducted on one mail-order pharmacy and 29 providers selected by CMS. Out of 30 entities audited, 25 used E1 transactions for a purpose other than billing for prescriptions or to determine drug coverage order when beneficiaries are covered by more than one insurance plan. 98% of those 25 providers’ E1 transactions were not associated with prescriptions.

OIG found providers were obtaining coverage information for beneficiaries without prescriptions, E1 transactions were being used to evaluate marketing leads, some providers had allowed marketing companies to submit E1 transactions for marketing purposes, providers were obtaining information about private insurance coverage for items not covered under Part D, long term care facilities had obtained Part D coverage using batch transactions, and E1 transactions had been submitted by 2 non-pharmacy providers.

E1 transactions are covered transactions under HIPAA, PHI must be protected against unauthorized access while it is being electronically stored or transmitted between covered entities, and the minimum necessary standard applies. The findings suggest HIPAA is being violated and that this could well be a nationwide problem. Based on the findings of the audit and apparent widespread improper access and use of PHI, OIG will be expanding the audits nationwide.

OIG believes these issues have arisen because CMS has not yet fully implemented controls to monitor providers who are submitting high numbers of E1 transactions relative to prescriptions provided; CMS has yet to issue clear guidance that E1 transactions must not be used for marketing purposes; and CMS has not limited non-pharmacy access.

Following the audit, CMS took further steps to monitor for abuse of the eligibility verification system and will be taking appropriate enforcement actions when cases of misuse are discovered. OIG has recommended CMS issue clear guidance on E1 transactions and ensure that only pharmacies and other authorized entities submit E1 transactions.

The post OIG Audit Reveals Widespread Improper Use of Medicare Part D Eligibility Verification Transactions appeared first on HIPAA Journal.

2019 Healthcare Data Breach Report

Posted by HIPAA Journal

Figures from the Department of Health and Human Services’ Office for Civil Rights breach portal show a major increase in healthcare data breaches in 2019. Last year, 510 healthcare data breaches of 500 or more records were reported, which represents a 196% increase from 2018.

As the graph below shows, aside from 2015, healthcare data breaches have increased every year since the HHS’ Office for Civil Rights first started publishing breach summaries in October 2009.

37.47% more records were breached in 2019 than 2018, increasing from 13,947,909 records in 2018 to 41,335,889 records in 2019.

Last year saw more data breaches reported than any other year in history and 2019 was the second worst year in terms of the number of breached records. More healthcare records were breached in 2019 than in the six years from 2009 to 2014. In 2019, the healthcare records of 12.55% of the population of the United States were exposed, impermissibly disclosed, or stolen.

Largest Healthcare Data Breaches of 2019

The table below shows the largest healthcare data breaches of 2019, based on the entity that reported the breach.

Name of Covered Entity Covered Entity Type Individuals Affected Type of Breach Location of Breached Information
1 Optum360, LLC Business Associate 11500000 Hacking/IT Incident Network Server
2 Laboratory Corporation of America Holdings dba LabCorp Healthcare Provider 10251784 Hacking/IT Incident Network Server
3 Dominion Dental Services, Inc., Dominion National Insurance Company, and Dominion Dental Services USA, Inc. Health Plan 2964778 Hacking/IT Incident Network Server
4 Clinical Pathology Laboratories, Inc. Healthcare Provider 1733836 Unauthorized Access/Disclosure Network Server
5 Inmediata Health Group, Corp. Healthcare Clearing House 1565338 Unauthorized Access/Disclosure Network Server
6 UW Medicine Healthcare Provider 973024 Hacking/IT Incident Network Server
7 Women’s Care Florida, LLC Healthcare Provider 528188 Hacking/IT Incident Network Server
8 CareCentrix, Inc. Healthcare Provider 467621 Hacking/IT Incident Network Server
9 Intramural Practice Plan – Medical Sciences Campus – University of Puerto Rico Healthcare Provider 439753 Hacking/IT Incident Network Server
10 BioReference Laboratories Inc. Healthcare Provider 425749 Hacking/IT Incident Other
11 Bayamon Medical Center Corp. Healthcare Provider 422496 Hacking/IT Incident Network Server
12 Memphis Pathology Laboratory d/b/a American Esoteric Laboratories Healthcare Provider 409789 Unauthorized Access/Disclosure Network Server
13 Sunrise Medical Laboratories, Inc. Healthcare Provider 401901 Hacking/IT Incident Network Server
14 Columbia Surgical Specialist of Spokane Healthcare Provider 400000 Hacking/IT Incident Network Server
15 Sarrell Dental Healthcare Provider 391472 Hacking/IT Incident Network Server
16 UConn Health Healthcare Provider 326629 Hacking/IT Incident Email
17 Premier Family Medical Healthcare Provider 320000 Hacking/IT Incident Network Server
18 Metro Santurce, Inc. d/b/a Hospital Pavia Santurce and Metro Hato Rey, Inc. d/b/a Hospital Pavia Hato Rey Healthcare Provider 305737 Hacking/IT Incident Network Server
19 Navicent Health, Inc. Healthcare Provider 278016 Hacking/IT Incident Email
20 ZOLL Services LLC Healthcare Provider 277319 Hacking/IT Incident Network Server

 

The above table does not tell the full story. When a business associate experiences a data breach, it is not always reported by the business associate. Sometimes a breach is experienced by a business associate and the covered entities that they work with report the breaches separately, as was the case with American Medical Collection Agency (AMCA), a collection agency used by several HIPAA covered entities.

In 2019, hackers gained access to AMCA systems and stole sensitive client data. The breach was the second largest healthcare data breach ever reported, with only the Anthem Inc. data breach of 2015 having impacted more individuals.

HIPAA Journal tracked the breach reports submitted to OCR by each affected covered entity. At least 24 organizations are known to have had data exposed/stolen as a result of the hack.

Organizations Affected by the 2019 AMCA Data Breach

Healthcare Organization Confirmed Victim Count
Quest Diagnostics/Optum360 11,500,000
LabCorp 10,251,784
Clinical Pathology Associates 1,733,836
Carecentrix 467,621
BioReference Laboratories/Opko Health 425,749
American Esoteric Laboratories 409,789
Sunrise Medical Laboratories 401,901
Inform Diagnostics 173,617
CBLPath Inc. 141,956
Laboratory Medicine Consultants 140,590
Wisconsin Diagnostic Laboratories 114,985
CompuNet Clinical Laboratories 111,555
Austin Pathology Associates 43,676
Mount Sinai Hospital 33,730
Integrated Regional Laboratories 29,644
Penobscot Community Health Center 13,299
Pathology Solutions 13,270
West Hills Hospital and Medical Center / United WestLabs 10,650
Seacoast Pathology, Inc 8,992
Arizona Dermatopathology 5,903
Laboratory of Dermatology ADX, LLC 4,082
Western Pathology Consultants 4,079
Natera 3,035
South Texas Dermatopathology LLC 15,982
Total Records Breached 26,059,725

Causes of 2019 Healthcare Data Breaches

The HHS’ Office for Civil Rights assigns breaches to one of five different categories:

  • Hacking/IT incidents
  • Unauthorized access/disclosures
  • Theft
  • Loss
  • Improper disposal

59.41% of healthcare data breaches in 2019 were classified as hacking/IT incidents and involved 87.60% of all breached records. 28.82% of data breaches were classed as unauthorized access/disclosure incidents and involved 11.27% of all records breached in 2019.

10.59% of breaches were classed as loss and theft incidents involving electronic devices containing unencrypted electronic protected health information or physical records. Those incidents accounted for 1.07% of breached records in 2019.

1.18% of breaches and 0.06% of breached records were due to improper disposal of physical records and devices containing electronic protected health information.

Breach Cause Incidents Breached Records Mean Breach Size Median Breach Size
Hacking/IT Incident 303 36,210,097 119,505 6,000
Unauthorized Access/Disclosure 147 4,657,932 31,687 1,950
Theft 39 367,508 9,423 2,477
Loss 15 74,271 4,951 3,135
Improper Disposal 6 26,081 4,347 4,177

We have not tracked the cause of each breach reported in 2019, but the table below provides an indication of the biggest problem area for healthcare organizations – Securing email systems and blocking phishing attacks. The email incidents include misdirected emails, but the majority of email incidents were phishing and spear phishing attacks.

Healthcare Data Breaches by Covered Entity

77.65% of 2019 data breaches were reported by healthcare providers (369 incidents), 11.57% of breaches were reported by health plans (59 incidents), and 0.39% of data breaches were reported by healthcare clearinghouses (2 incidents).

23.33% of the year’s breaches involved business associates to some extent. 10.39% of data breaches were reported by business associates (53 incidents) and 66 data breaches were reported by a covered entity which stated there was some business associate involvement.

States Worst Affected by Healthcare Data Breaches

Data breaches were reported by HIPAA-covered entities or business associates in 48 states, Washington DC, and Puerto Rico. The worst affected state was Texas with 60 data breaches reported. California was the second most badly hit with 42 reported data breaches.

The only states where no data breaches of 500 or more records were reported were North Dakota and Hawaii.

State Breaches State Breaches State Breaches State Breaches State Breaches
Texas 60 Maryland 14 Arkansas 9 Alabama 4 Mississippi 2
California 42 Washington 14 South Carolina 9 Alaska 4 Montana 2
Illinois 26 Georgia 13 New Jersey 8 Iowa 4 South Dakota 2
New York 25 North Carolina 13 Massachusetts 7 Kentucky 4 Washington DC 2
Ohio 25 Tennessee 11 Puerto Rico 7 Nebraska 4 West Virginia 2
Minnesota 23 Arizona 10 Virginia 7 Oklahoma 4 Delaware 1
Florida 22 Colorado 10 Louisiana 6 Utah 4 Kansas 1
Pennsylvania 19 Connecticut 10 New Mexico 6 Wyoming 3 New Hampshire 1
Missouri 17 Indiana 10 Wisconsin 6 Idaho 2 Rhode Island 1
Michigan 16 Oregon 10 Nevada 5 Maine 2 Vermont 1

HIPAA Enforcement in 2019

The HHS’ Office for Civil Rights continued to enforce compliance with HIPAA at a similar level to the previous three years.

In 2019, there were 10 HIPAA enforcement actions that resulted in financial penalties. 2 civil monetary penalties were imposed and 8 covered entities/business associates agreed settlements with OCR to resolve HIPAA violations.

In total, $12,274,000 was paid to OCR in fines and settlements. The largest financial penalties of the year resulted from investigations of potential HIPAA violations by University of Rochester Medical Center and Touchstone Medical Imaging. Both cases were settled for £3,000,000.

OCR uncovered multiple violations of HIPAA Rules while investigating separate loss/theft incidents reported by University of Rochester Medical Center. OCR discovered risk analysis and risk management failures, a lack of encryption on portable electronic devices, and insufficient device and media controls.

Touchstone Medical Imaging experienced a data breach that resulted in the impermissible disclosure of 307,839 individuals’ PHI due to the exposure of an FTP server over the internet. OCR investigated and determined there had been risk analysis failures, business associate agreements failures, insufficient access rights, a failure to respond to a security incident, and violations of the HIPAA Breach Notification Rule.

Sentara Hospitals agreed to a $2.175 million settlement stemming from a 577-record data breach that was reported to OCR as only affecting 8 individuals. OCR told Sentara Hospitals that the breach notification needed to be updated to include the other individuals affected by the mailing error, but Sentara Hospitals refused. OCR determined a financial penalty was appropriate for the breach notification reporting failure and the lack of a business associate agreement with one of its vendors.

A civil monetary penalty of $2.154 million was imposed on the Miami, FL-based nonprofit academic medical system, Jackson Health System (JHS). Following a data breach, OCR investigated and found a compliance program that had been in disarray for several years. The CMP resolved multiple violations of HIPAA Privacy Rule, Security Rule, and Breach Notification Rule.

A civil monetary penalty of $1,600,000 was imposed on Texas Department of Aging and Disability Services for multiple violations of HIPAA Rules discovered during the investigation of breach involving an exposed internal application. OCR discovered there had been risk analysis failures, access control failures, and information system activity monitoring failures, which contributed to the impermissible disclosure of 6,617 patients’ ePHI.

Medical Informatics Engineering, an Indiana-based provider of electronic medical record software and services, experienced a major data breach in 2015 at its NoMoreClipboard subsidiary. Hackers used a compromised username and password to gain access to a server that contained the protected health information (PHI) of 3.5 million individuals. OCR determined there had been a risk analysis failure and the case was settled for $100,000. MIE also settled a multi-state action with state attorneys general over the same breach and settled that case for $900,000.

The Carroll County, GA ambulance company, West Georgia Ambulance, was investigated over the reported loss of an unencrypted laptop computer that contained the PHI of 500 patients. OCR found there had been a risk analysis failure, there was no security awareness training program for staff, and HIPAA Security Rule policies and procedures had not been implemented. The case was settled for $65,000.

There was one financial penalty for a social media HIPAA violation. Elite Dental Associates respondents to patient reviews on Yelp, and in doing so impermissibly disclosed PHI. OCR determined a financial penalty was appropriate and the case was settled for $10,000.

OCR also launched a new HIPAA enforcement initiative in 2019, under which two settlements were reached with covered entities over HIPAA Right of Access failures. Korunda Medical and Bayfront Health St. Petersburg had both failed to respond to patient requests for copies of their health information within a reasonable time frame. Both covered entities settled their HIPAA violation cases with OCR for $85,000.

OCR HIPAA Settlements and Civil Monetary Penalties in 2019

HIPAA Enforcement by State Attorneys General in 2019

State attorneys general can also take action over violations of HIPAA Rules. There were three cases against covered entities and business associates in 2019. As previously mentioned, Medical Informatics Engineering settled a multi-state lawsuit and paid a financial penalty of $900,000.

A second multi-state action was settled by Premera Blue Cross. The lawsuit pertained to a 2015 hacking incident that resulted in the theft of 10.4 million records. The investigation uncovered multiple violations of violations of HIPAA Rules and resulted in a $10 million financial penalty.

The California attorney general also took legal action over a data breach that affected 1,991 California residents. The health insurer Aetna had sent two mailings to its members in which highly sensitive information relating to HIV and Afib diagnoses was visible through the windows of the envelopes. The case was settled for $935,000.

The post 2019 Healthcare Data Breach Report appeared first on HIPAA Journal.

Deadline for Reporting 2019 Healthcare Data Breaches of Fewer than 500 Records

Posted by HIPAA Journal

The HIPAA Breach Notification Rule requires data breaches of 500 or more records to be reported to the Secretary of the Department of Health and Human Services no later than 60 days after the discovery of a breach. Breaches of fewer than 500 records can be reported to the Secretary at any time, but no later than 60 days from the end of the calendar year in which the data breach was experienced – 45 C.F.R. § 164.408.

That means smaller healthcare data breaches must usually be reported to the HHS no later than March 1 each year, but this year is a leap year so there is an extra day in February. That means the deadline for reporting smaller breaches is one day earlier. All breaches that have affected fewer than 500 individuals must therefore be reported to OCR no later than February 29, 2020.

All breaches must be submitted to the Secretary of the HHS via the Office for Civil Rights breach portal. Each data breach must be reported separately and full information about each breach should be submitted. If several small data breaches have been experienced in the 2020 calendar year, reporting the breaches can take some time. It is therefore advisable not to leave the reporting of data breaches to the last minute to ensure the deadline is not missed. If data breaches are reported later than the 60-day deadline, financial penalties can be imposed.

If a breach has been experienced and the number of individuals affected by the breach has not yet been determined, the breach report should include an estimate of the number of people affected. It is not permissible to delay reporting the breach. When the actual number of affected individuals is known, an addendum can be submitted. Addenda should also be used to update breach reports when further information about the breach becomes available.

The post Deadline for Reporting 2019 Healthcare Data Breaches of Fewer than 500 Records appeared first on HIPAA Journal.

Center for Counseling & Family Relationships Confirmed as HIPAA Compliant

Posted by HIPAA Journal

Center for Counseling & Family Relationships (CCFAM), a large group counseling private practice based in Fort Worth, TX, has announced the company has demonstrated compliance with Health Insurance Portability and Accountability Act (HIPAA) Rules after completing Compliancy Group’s 6-Stage HIPAA risk analysis and remediation process.

Using Compliancy Group’s proprietary HIPAA compliance tracking solution, The Guard, and assisted by its compliance coaches, CCFAM has demonstrated its policies and procedures are in line with HIPAA and the company has implemented an effective HIPAA compliance program.

CCFAM was founded in 2007 with just one counselor and office staff member and has now grown into a large practice offering more than 1,000 sessions a month. Privacy and confidentiality are critical to CCFAM and the children, teenagers, and adults the company serves.

CCFAM already complies with Texas licensure board rules and every effort was made to comply with HIPAA, but CCFAM owner, Dr. Rhonda Johnson, recognized the fact that staff HIPAA training had not changed much in the past 5 years, even though the company had grown considerably over the years and was now a large group private practice of administrative staff and counselors with many specialties.

“Along with being the owner of Center for Counseling & Family Relationships, I am also the owner of CCFAM Training, which provides CEUs for mental health professionals. I recognized the need in my field for a Telehealth, HIPAA, and PCI Compliance continuing education training,” explained Dr. Johnson. “As I began to develop and prepare the training, I was introduced to a Compliancy Group video that I used during the CEU training I provided. I reached out to Compliancy Group to find out what made them unique and different than the service I had been using.”

What CCFAM needed was a service that would help the practice ensure continued compliance with HIPAA Rules and would provide a more intensive, hands on approach to that would ensure continued compliance.

“What made the decision for me was hearing the heart behind how Compliancy Group began, their desire to provide effective training for small business practices like mine, their step by step process, and coaching throughout the process to earn our HIPAA Compliance Seal with Compliancy Group,” said Dr. Johnson. “I can without hesitation state that the process was more thorough and in depth across every aspect of HIPAA than any other HIPAA assistance service on the market.”

Successful completion of the 6-stage HIPAA Risk Analysis and remediation process has seen CCFAM awarded Compliancy’ Group’s HIPAA Seal of Compliance. The HIPAA Seal of Compliance demonstrates CCFAM’s good faith effort toward HIPAA compliance and that the company has implemented an effective HIPAA compliance program.

The Seal of Compliance demonstrates to current and future clients that CCFAM is committed to ensuring patient privacy and that the company has implemented appropriate safeguards to keep patient information protected.

The post Center for Counseling & Family Relationships Confirmed as HIPAA Compliant appeared first on HIPAA Journal.

HHS Issues Final Rule Requiring Pharmacies to Track Partially Filled Prescriptions of Schedule II Drugs

Posted by HIPAA Journal

The Department of Health and Human Services has issued a final rule modifying the HIPAA National Council for Prescription Drug Programs (NCPDP) D.0 Telecommunication Standard to require pharmacies to track partially filled prescriptions for Schedule II drugs. The modification is part of HHS efforts to curb opioid abuse in the United States and will provide a greater quantum of data that may help prevent impermissible refills of Schedule II drugs.

The final rule takes effect on March 24, 2020. The compliance date is September 21, 2020.

By September 21, 2020, pharmacies will be required to use the Quantity Prescribed (460-ET) field for retail pharmacy transactions for all Schedule II drugs. Pharmacies must distinguish in retail pharmacy transactions whether the full prescribed amount of a Schedule II drug has been dispensed in a refill, or if the prescription has only been partially filled.

Background

The NCPDP Telecommunication Standard was adopted by the Secretary of the HHS in January 2009 for pharmacy transactions (health care claims or equivalent encounter information, referral certification and authorization, and coordination of benefits).

Under the Controlled Substances Act, the refilling of Schedule II drugs is prohibited, but partial fills are permitted if a pharmacist has less than the prescribed amount in stock, for patients in long-term care facilities, and for patients with terminal illnesses.

An analysis of prescription drug refill records by the HHS’ Office of Inspector General in 2012 revealed that in 2009, $25 million has been inappropriately paid by Medicare Part D plan sponsors for 397,203 Schedule II drug refills. 75% of those refills were billed by long-term care facilities. There was considerable concern that these prohibited refills could contribute to the diversion of Schedule II drugs and their being resold on the street.

The HHS’ Centers for Medicare and Medicaid services believed the OIG figures were incorrect due to a misinterpretation of the data in the Fill Number (403-D3) field, which resulted in partial fills being confused with refills dispensed to patients in long-term care facilities. A CMS review confirmed pharmacies could not distinguish between partial fills of Schedule II drugs and refills for billing purposes without using the Fill Number (403-D3) field.

The NCPDP D.0 standard was then updated to include the Quantity Prescribed (460-ET) field for claims, which should include the actual quantity supplied. That data could then be used to determine whether inappropriate fills had been made over and above the amount prescribed.

The change was detailed in the November 2012 publication of Version D.0 which required the Quantity Prescribed (460–ET) field to be completed when submitting claims to Medicare Part D for Schedule II drugs. However, since the HHS has not adopted the November 2012 publication, pharmacies could not use the Quantity Prescribed field for HIPAA transactions. The final rule addresses this issue.

The Administrative Simplification: Modification of the Requirements for the Use of Health Insurance Portability and Accountability Act of 1996 (HIPAA) National Council for Prescription Drug Programs (NCPDP) D.0 Standard has been published in the federal register on January 24, 2020 and can be viewed on this link.

The post HHS Issues Final Rule Requiring Pharmacies to Track Partially Filled Prescriptions of Schedule II Drugs appeared first on HIPAA Journal.

HHS Reminds Covered Entities of Data Sharing in Light of Novel Coronavirus Outbreak

Posted by HIPAA Journal

The Department of Health and Human Services has issued a bulletin reminding HIPAA covered entities about the ways that patient information can be shared during outbreaks of infectious disease and other emergency situations, in light of the recent Novel Coronavirus (2019-nCoV) outbreak.

In the bulletin, the HHS confirms that in such situations, the protections of the HIPAA Privacy Rule still apply and healthcare organizations must continue to apply administrative, technical, and physical safeguards to ensure the confidentiality, integrity, and availability of protected health information (PHI).

Under the HIPAA Privacy Rule, covered entities are permitted to disclose patient information without authorization for treatment purposes, care coordination, consultations, and referrals of patients for treatment.

In situations when patients have contracted an infectious disease such as 2019-nCoV, there is a legitimate need for information to be shared with public health authorities and others responsible for ensuring public health and safety. Those entities may need to be provided with PHI to allow them to carry out their public health missions. In such cases, the HIPAA Privacy Rule allows covered entities to share PHI with those entities and individual authorizations are not required.

That includes sharing information with the Centers for Disease Control and Prevention (CDC) and state and health departments authorized by law to receive such information to prevent or control disease and injury. Directed by a public health authority, PHI may also be shared with foreign government agencies that are working with public health authorities. Information can also be shared with individuals believed to be at risk of contracting or spreading disease, if other law, such as state law authorizes the covered entity to notify such persons to help prevent the spread of disease or to carry out public health investigations.

Information can also be shared with friends, family members, and other individuals involved in the care of a patient, including sharing information about a patient, as necessary, to identify, locate, and notify family members, guardians, and others responsible for the patient’s care, of the patient’s location, general condition, or death.

In such cases, verbal permission should be obtained from the patient or it can be reasonably inferred that the patient does not object. If a patient is incapacitated, then professional judgement should be used as to whether the sharing of information is in the patient’s best interest.

Patient information may also be shared to prevent or lessen a serious or imminent threat to the health and safety of a person or the public, consistent with applicable laws. Generally speaking, providing specific information about an identifiable patient to the media or public at large is not permitted.

All permitted disclosures of patient information are subject to the minimum necessary rule. Shared information should be limited to the minimum necessary amount to accomplish the purpose for which information is disclosed.

The post HHS Reminds Covered Entities of Data Sharing in Light of Novel Coronavirus Outbreak appeared first on HIPAA Journal.

HHS’ Office for Civil Rights Makes Changes to Individuals’ Right of Access to Health Records

Posted by HIPAA Journal

The Department of Health and Human Services’ Office for Civil Rights has announced that certain legislative changes made in the HIPAA Omnibus Final Rule of 2013 – Modifications to the HIPAA Privacy, Security, and Enforcement Rules Under the Health Information Technology for Economic and Clinical Health Act, and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Ruleshave been reversed.

The reversal applies to a portion of the rule that expanded the third-party directive within the individual right of access (45 C.F.R. §164.524) “beyond requests for a copy of an electronic health record with respect to

Member Login

of an individual … in an electronic format” and guidance issued in 2016 confirming fee limitations for providing a copy of an individual’s PHI – 45 C.F.R. § 164.524(c)(4) – also apply to an individual’s request to send health records to a third party for legal or commercial reasons. Those fee limitations will now only apply to an individual’s request for access to their own records, not for an individual’s request to send a copy of their PHI to a third party such as a lawyer or insurance company.

The reversal followed the conclusion of legal action by the medical records provider, Ciox Health, challenging the changes. Ciox Health contracts with healthcare providers to maintain, retrieve, and produce individuals’ PHI. Ciox Health handles requests from healthcare providers to supply individuals’ PHI for treatment purposes, along with requests from patients exercising their rights under the HIPAA individual right of access, and requests to send PHI to legal and commercial entities. Ciox Health handles tens of millions of requests for PHI each year.

Ciox Health understood the fee limitations only applied to requests from individuals for access to their own PHI, and not to requests to send PHI to legal and commercial entities. However, in 2016, the Department of Health and Human Services (HHS) issued a guidance document in which it was made clear that the fee limitations had been expanded to include requests for PHI from legal and commercial entities. According to the lawsuit, that change resulted in Ciox Health and other medical records companies losing millions in revenue. The change was challenged as it was seen to be violative of the procedural and substantive protections of the Administrative Procedure Act (“APA”).

Ciox also challenged the types of labor costs that are recoverable under the fee limitation, the three methods for calculating fees for providing the records, and the 2013 change requiring medical records companies “to send PHI to third parties regardless of the format in which the PHI is contained and in the format specified by the patient.” The HHS filed a motion to dismiss and the cross-motions went before a federal court for summary judgment.

The HHS motion to dismiss was granted in part and denied in part, and the cross-motions were also granted in part and dismissed in part. The HHS motions to dismiss were denied in all cases apart from the three methods for calculating fees.

The court held that the rule requiring PHI to be delivered to third parties regardless of the records’ format was ‘arbitrary and capricious’ as it went beyond the requirements of the HITECH Act. The court also ruled in favor of the plaintiff on the challenge to the 2016 expansion of fee limitations, as this was a legislative change and the HHS failed to subject the change to notice and comment, in violation of the ACA. The 2016 explanation of what labor costs can be recovered was determined to be an interpretive rule and was therefore not subject to notice and comment.

The court declared the changes unlawful and vacated the 2016 expansion of fee limitations and the 2013 mandate broadening PHI delivery to third parties regardless of format. The Ciox Health, LLC v. Azar, et al court order can be viewed on this link.

The post HHS’ Office for Civil Rights Makes Changes to Individuals’ Right of Access to Health Records appeared first on HIPAA Journal.

December 2019 Healthcare Data Breach Report

Posted by HIPAA Journal

There were 38 healthcare data breaches of 500 or more records reported to the Department of Health and Human Services’ Office for Civil Rights in December 2019, an increase of 8.57% from November 2019.

While the number of breaches increased, there was a major reduction in the number of exposed healthcare records, falling from 607,728 records in November 2019 to 393,189 records in December 2019 – A drop of 35.30%. In December the mean breach size was 10,347 records and the median breach size was 3,650 records.

It has been a particularly bad year for healthcare data breaches. 2019 was the second worst ever year for healthcare data breaches in terms of the number of patients impacted by breaches. 41,232,527 healthcare records were exposed, stolen, or impermissibly disclosed in 2019. That’s 195.61% more than 2018. More healthcare records were breached in 2019 than in the previous three years combined.

healthcare records exposed by year

The number of reported data breaches also increased 36.12% year-over-year, from 371 breaches in 2018 to 505 breaches in 2019. That makes 2019 the worst every year in terms of the number of reported healthcare data breaches.

Healthcare data breaches in 2019

Largest Healthcare Data Breaches in December 2019

The largest healthcare data breach reported in December affected Truman Medical Center in Kansas City, MO and involved the protected health information of 114,466 patients. The records were stored on a company-owned laptop computer that was stolen from the vehicle of an employee. The laptop was password-protected but was not encrypted.

8 of the top 10 breaches in December were hacking/IT incidents. The Adventist Health Simi Valley, Healthcare Administrative Partners, Cheyenne Regional Medical Center, SEES Group, and Sinai Health System breaches were due to phishing attacks. Roosevelt General Hospital discovered malware on an imaging server and Children’s Choice Pediatrics experienced a ransomware attack.

The Colorado Department of Human Services breach was due to a coding error on a mailing and Texas Family Psychology Associates discovered an unauthorized individual had accessed its electronic medical record system.

Name of Covered Entity Covered Entity Type Type of Breach Individuals Affected
Truman Medical Center, Incorporated Healthcare Provider Theft 114,466
Adventist Health Simi Valley Healthcare Provider Hacking/IT Incident 62,000
Roosevelt General Hospital Healthcare Provider Hacking/IT Incident 28,847
Healthcare Administrative Partners Business Associate Hacking/IT Incident 17,693
Cheyenne Regional Medical Center Healthcare Provider Hacking/IT Incident 17,549
SEES Group, LLC Healthcare Provider Hacking/IT Incident 13,000
PediHEalth, PLLC, dba Children’s Choice Pediatrics Healthcare Provider Hacking/IT Incident 12,689
Sinai Health System Healthcare Provider Hacking/IT Incident 12,578
Colorado Department of Human Services Healthcare Provider Hacking/IT Incident 12,230
Texas Family Psychology Associates, P.C. Healthcare Provider Unauthorized Access/Disclosure 12,000

 

Entities Affected by December 2019 Healthcare Data Breaches

28 healthcare providers reported breaches of 500 or more healthcare records in December. Four health plans were affected by data breaches and 6 business associates of covered entities reported a breach. One additional breach had some business associate involvement, but the breach was reported by the covered entity.

December 2019 Healthcare Data Breaches by Covered Entity

Causes of December 2019 Healthcare Data Breaches

There were 21 hacking/IT incidents reported by HIPAA-covered entities and business associates in December. 226,774 healthcare records were exposed or stolen in those incidents. The mean breach size was 10,798 records and the median breach size was 5,991 records. The incidents mostly consisted of phishing attacks, ransomware and malware infections, and coding errors.

There were 11 cases of unauthorized accessing of healthcare data and impermissible disclosures of protected health information due to a mix of insider errors and malicious actions by employees. These incidents involved 46,364 healthcare records. The mean breach size was 4,214 records and the median breach size was 3,500 records.

There were two theft incidents reported and three incidents involving lost electronic devices and paperwork containing protected health information. 118,877 records were lost or stolen in those incidents. The mean breach size was 23,775 records and the median breach size was 1,100 records. There was also one case of incorrect disposal of paperwork involving documents containing the PHI of 1,174 patients.

Causes of December 2019 healthcare data breaches

Location of Breached Protected Health Information

The chart below clearly indicates the difficulty healthcare organizations have securing their email systems and protecting them against unauthorized access. The majority of the email incidents in December 2019 were phishing attacks in which unauthorized individuals obtained the login credentials of employees and used them to remotely access their email accounts.

Email security solutions can block the majority of phishing and malware-laced emails, but some phishing emails will slip through the net. It is therefore important – and a requirement of HIPAA – to provide regular security awareness training to employees to help them identify malicious emails. Multi-factor authentication should also be implemented. In the event to email credentials being obtained by unauthorized individuals, in the vast majority of cases, MFA will prevent those credentials from being used to remotely access email accounts.

Location of Breached PHI - December 2019

December 2019 Healthcare Data Breaches by State

December data breaches were reported by HIPAA-covered entities and business associates in 22 states and the District of Columbia. Texas was the worst affected with 4 breaches, 4 breaches were reported by entities based in California and Illinois, Florida experienced 3 breaches, and two breaches were reported by entities based in Colorado, Georgia, and Tennessee.

A single breach was reported by entities based in Alaska, Connecticut, Louisiana, Maryland, Michigan, Missouri, New Mexico, New York, Ohio, Oklahoma, Pennsylvania, North Carolina, South Carolina, Washington, Wyoming, and District of Columbia.

HIPAA Enforcement Activity in December 2019

The Department of Health and Human Services’ Office for Civil Right closed December with two further enforcement actions against covered entities that were discovered to have violated the HIPAA Rules.

The first financial penalty of the month to be announced was a settlement with Korunda Medical LLC. This was the second financial penalty imposed on a HIPAA-covered entity under OCR’s HIPAA Right of Access Initiative. OCR investigated Korunda Medical following receipt of a complaint from a patient who had not been provided with a copy of her medical records. OCR issued technical assistance, but a further patient submitted a similar complaint a few days later and a financial penalty was determined to be appropriate. Korunda Medical settled the case for $85,000.

The second penalty was imposed on West Georgia Ambulance for multiple violations of HIPAA Rules. OCR launched an investigation following receipt of a breach notification about the loss of an unencrypted laptop computer. OCR discovered longstanding noncompliance with several aspects of the HIPAA Rules. A risk analysis had not been conducted, there was no security awareness training program for employees, and West Georgia Ambulance had failed to implement HIPAA Security Rule policies and procedures. West Georgia Ambulance settled the case for $65,000.

2019 HIPAA Enforcement Actions

In total, there were 10 financial penalties were imposed on covered entities and business associates in 2019, comprising 2 Civil Monetary Penalties and 8 settlements totaling $12,274,000.

Entity Penalty Penalty Type
West Georgia Ambulance $65,000 Settlement
Korunda Medical, LLC $85,000 Settlement
Sentara Hospitals $2,175,000 Settlement
Texas Department of Aging and Disability Services $1,600,000 Civil Monetary Penalty
University of Rochester Medical Center $3,000,000 Settlement
Jackson Health System $2,154,000 Civil Monetary Penalty
Elite Dental Associates $10,000 Settlement
Bayfront Health St Petersburg $85,000 Settlement
Medical Informatics Engineering $100,000 Settlement
Touchstone Medical imaging $3,000,000 Settlement

Figures for this report were calculated from the U.S. Department of Health and Human Services’ Office for Civil Rights Research Report on January 21, 2020.

The post December 2019 Healthcare Data Breach Report appeared first on HIPAA Journal.

California Bill Proposes Further Health Data Exemptions for CCPA

Posted by HIPAA Journal

On January 1, 2020, the California Consumer Protection Act (CCPA) came into effect. CCPA enhanced privacy protections for state residents and gave Californians new rights over their personal data.

Healthcare data covered by the Health Insurance Portability and Accountability Act (HIPAA) Rules and California’s Confidentiality of Medical Information Act (CMIA) were exempted from CCPA but there is still potential for CCPA to cause compliance headaches for healthcare organizations.

A new bill – AB 713 – has now been introduced which aims to simplify compliance by adding further categories of data to the CCPA exemptions, specifically health data that has been de-identified in accordance with HIPAA Rules, personal information used for public health and safety purposes, medical research data, and health information collected, maintained, or used by business associates of HIPAA-covered entities. The bill was unanimously approved by the State Senate Health Committee this month.

The change to the exemption for deidentified health data is required as the definitions of deidentified data differ under HIPAA and CCPA and data de-identified in accordance with HIPAA could still contain data covered by CCPA. HIPAA only require identifiers to be removed that could be used to identify patients. It does not require the removal of identifiers for workforce members or providers, which is covered by CCPA.

AB 713 adds a new exemption for health data that is deidentified in accordance with HIPAA, provided the following three conditions are met:

Data is deidentified through either the safe harbor or expert determination method detailed in 45 CFR § 164.514 (b); data is derived from protected health information, medical information, individually identifiable health information, or identifiable private information, consistent with the Federal Policy for the Protection of Human Subjects (Common Rule); the business or business associate does not try to or actually re-identify individuals from the data.

The exemption applies to information deidentified in accordance with HIPAA. This exemption would therefore also apply to entities not covered by HIPAA.

While AB 713 would exempt deidentified information, a business will be required to disclose, via a consumer-facing public notice, if deidentified information will be provided to third parties and the method used to deidentify the data.

CCPA does not cover certain types of personal information used for research, such as data collected for clinical trials subject to the Common Rule. AB 713 adds further exemptions for personal information collected or used in biomedical research studies subject to institutional review board standards, the ethics and privacy requirements of the Common Rule, the International Council for Harmonization’s good clinical practice guidelines, or the FDA’s human subject protection requirements. An exemption is also added for personal information collected for or used in research, subject to all applicable ethics and privacy laws, if the information is either individually identifiable health information (45 CFR § 160.103) or medical information governed by the California Confidentiality of Medical Information Act (CMIA).

AB 713 also adds an exemption for personal information that is only used for the following purposes, provided the information is protected in accordance with all confidentiality and privacy provisions applicable under federal or state law:

  • Product registration and tracking consistent with applicable FDA regulations and guidelines.
  • Public health activities and purposes detailed in 45 CFR § 164.512
  • FDA-regulated quality, safety, and effectiveness activities

The post California Bill Proposes Further Health Data Exemptions for CCPA appeared first on HIPAA Journal.