HIPAA Compliance News

TigerConnect Survey Finds 89% of Healthcare Providers Still Use Fax Machines and 39% are Still Using Pagers

Posted by HIPAA Journal

TigerConnect has released its 2019 State of Healthcare Communications Report, which shows that continuing reliance on decades-old, inefficient communications technology is negatively impacting patients and is contributing to the increasing cost of healthcare provision.

For the report, TigerConnect surveyed more than 2,000 patients and 200 healthcare employees to assess the current state of communications in healthcare and gain insights into areas where communication inefficiencies are causing problems.

The responses clearly show that communication in healthcare is broken. 52% of healthcare organizations are experiencing communication disconnects that impact patients on a daily basis or several times a week. Those communication inefficiencies are proving frustrating for healthcare employees and patients alike.

The report reveals most hospitals are still heavily reliant on communications technology from the 1970s. 89% of hospitals still use faxes and 39% are still using pagers in some departments, roles, or even across the entire organization. The world may have moved on, but healthcare hasn’t, even though healthcare is the industry that stands to benefit most from the adoption of mobile technology.

The HHS’ Centers for Medicaid and Medicare Services (CMS) is pushing for fax machines to be eliminated by the end of 2020 and for healthcare organizations to instead use more secure, reliable, and efficient communications methods. Given the extensive use of fax machines, that target may be difficult to achieve.

“Adoption of modern communication solutions has occurred in every other industry but healthcare,” said Brad Brooks, chief executive officer and co-founder of TigerConnect. “Despite the fact that quality healthcare is vital to the well-being and functioning of a society, the shocking lack of communication innovation comes at a steep price, resulting in chronic delays, increased operational costs that are often passed down to the public, preventable medical errors, physician burnout, and in the worst cases, can even lead to death.”

The cost of communication inefficiencies in healthcare is considerable. According to NCBI, a 500-bed hospital loses more than $4 million each year as a result of communication inefficiencies and communication errors are the root cause of 70% of all medical error deaths.

The communication problems are certainly felt by healthcare employees, who waste valuable time battling with inefficient systems. The report reveals 55% of healthcare organizations believe the healthcare industry is behind the times in terms of communication technology compared to other consumer industries.

One of the main issues faced by healthcare professionals is not being able to get in touch with members of the care team when they need to. 39% of healthcare professionals said it was difficult or very difficult communicating with one or more groups of care team members.

Fast communication is critical for providing high quality care to patients and improvements are being made, albeit slowly. Secure messaging is now the primary method of communication overall for nurses (45%) and physicians (39%), although landlines are the main form of communication for allied health professionals (32%) and staff outside hospitals (37%), even though secure messaging platforms can be used by all groups in all locations.

Even though there is an increasing mobile workforce in healthcare, healthcare organizations are still heavily reliant on landlines. Landlines are still the top method of communication when secure messaging is not available. Landlines are also used 25% of the time at organizations that have implemented secure messaging.

Healthcare organizations that have taken steps to improve communication and have implemented secure messaging platforms are failing to get the full benefits of the technology. All too often, secure messaging technology is implemented in silos, with different groups using different methods and tools to communicate with each other. When secure messaging is not used, such as when the platform is only used by certain roles, communication is much more difficult.

The communications problems are also felt by patients. Nearly three quarters (74%) of surveyed patients who had spent at least some time in hospital in the past two years, either receiving treatment or visiting an immediate family member, said they were frustrated by inefficient processes.

The most common complaints were slow discharge/transfer times (31%), ED time with doctors (22%), long waiting room times (22%), the ability to communicate with a doctor (22%), and the length of time it takes to get lab test results back (15%). Many of these issues could be eased through improved communication between members of the care team. The survey also revealed hospital staff tend to underestimate the level of frustration that patients experience.

Communication problems play a large part in the bottlenecks that often occur in healthcare. Communication problems were cited as causing delayed discharges (50%), consult delays (40%), long ED wait times (38%), transport delays (33%) and slow inter-facility transfers (30%). There is a 50% greater chance of daily communication disconnects negatively impacting patients when secure messaging is not used.

Hospitals that communicate with patients by SMS/text or messaging apps are far more likely to rate their communication methods as effective or extremely effective. 75% of hospitals that use text/SMS and 73% that use messaging apps rate communication with patients as effective or very effective, compared to 62% that primarily use the telephone and 53% whose primary method of communicating with patients is patient portals. The survey also showed that only 20% of patients want to communicate via patient portals.

It has been established that secure messaging can improve communication and the quality of healthcare delivery, but healthcare communication is often not a strategic priority. 69% of surveyed healthcare professionals that are not using a secure messaging platform said this was due to budget constraints, 38% said money was spent on other IT priorities, and 34% cited concerns about patient data security, even though secure messaging platforms offer afar greater security than legacy communications systems.

TigerConnect has made several recommendations on how communication in healthcare needs to be improved.

  • Prioritize communication as a strategy
  • Focus on improving communication to ease major bottlenecks
  • Integrate communication platforms with EHRs to get the greatest value
  • Standardize communication across the entire organization
  • Include clinical leadership in solution design
  • Stop using patient portals to communicate with patients and start using patient messaging in the overall communication strategy.

The survey provides valuable insights into the state of communication in healthcare and clearly shows where improvements need to be made. The full TigerConnect 2019 State of Communication in Healthcare Report is available free of charge on this link (registration required).

The post TigerConnect Survey Finds 89% of Healthcare Providers Still Use Fax Machines and 39% are Still Using Pagers appeared first on HIPAA Journal.

51% of Healthcare Providers Still Not Fully Complying with HIPAA Right of Access

Posted by HIPAA Journal

The Department of Health and Human Services’ Office for Civil Rights is cracking down on noncompliance with the HIPAA Right of Access and for good reason. A recent report from Ciitizen has revealed more than half of healthcare providers (51%) are not fully compliant with this aspect of HIPAA.

This is the second such report from Ciitizen, the first having been released on August 14, 2019. For the latest report, an additional 169 healthcare providers were assessed for Right of Access compliance, bringing the total assessed providers to 210.

Acting with authorization from patients, Ciitizen made requests for copies of patients records. Each healthcare provider was then given a rating based on their response, from 5 stars being fully compliant and responding within 5 days, down to 1 or 2 stars. A 1- or 2-star rating meant that were it not for multiple escalation calls to supervisors, the provider would not have been compliant.

There is some good news in the report. More providers are complying and there is less inconsistency from employee to employee. A growing number of healthcare providers are also now providing seamless access to patient records, with the percentage having increased from 30% to 40%.

The high figure or noncompliance is not because of the failure to provide patients with copies of their medical records on request, it is mostly because there needs to be “significant intervention” before requests are processed in a compliant manner.

For instance, the main reason for a 1-star rating is patients are not being provided with copies of their medical records in the digital format of their choosing. Inconsistency is also an issue. Many patients will be provided with copies of their records within 30 days, but a significant percentage will experience problems, such as having to make contact by phone on multiple occasions.

The findings from the first report were found to be broadly comparable to the second, although a far higher percentage of providers received a 1-star rating in the second report. In Cohort I (n=51), 27% received a 1-star rating and 24% received 2 stars. In Cohort II (n-169), 51% received a 1-star rating and 5% received a 2-star rating.

This can be explained by the fact that fewer escalation attempts were made by telephone after the initial request was submitted with Cohort II. That meant that the 30-day time limit for providing records was exceeded on occasion.

For Cohort II, out of the providers that were given a 1-star rating, 86% failed to provide the records in the requested format, 20% exceeded the 30-day time frame for providing records, and 1% attempted to charge excessive fees. In Cohort I, the figures were 86% format failures, 2% fee issues, and 2% failed to send the records to the designee. All requests were processed within 30 days.

It is important to point out that copies of records were requested in a specific digital format. Ciitizen said 76% of providers receiving a 1-star rating would have received a 4- or 5-star rating if they had been allowed to send records in any digital format (CD, fax, or encrypted email).

Ciitizen chose to request a specific digital format to assess compliance and better reflect real world scenarios. For instance, many patients do not have access to a fax machine and may not have a laptop/computer with a CD drive.

Ciitizen believes the use of standard open APIs would help to ensure that records could easily be provided in the format requested by the patient.

Ciitizen points out that providers are now accepting request forms by mail, email, and fax, which makes it far easier for patients to obtain a copy of their records. To date, excessive fees have not been an issue but, in some cases, this was only due to Ciitizen successfully resolving attempts by providers to charge fees that are not permitted under HIPAA by escalating the issue to supervisors.

The detailed Ciitizen report can be viewed and downloaded on this link.

Penalties for Noncompliance with HIPAA Right of Access

The penalties for noncompliance are can be severe. Willful neglect of HIPAA Rules now carries a minimum penalty of $58,490 per violation, if no corrective action has been taken, and a maximum penalty of $1,754,698 per violation, per year. OCR calculates penalties based on the number of days the organization has not been in compliance, so the maximum possible penalty is substantial.

OCR has stated on multiple occasions that HIPAA Right of Access failures are one of its main enforcement priorities. Already this year, OCR has issued one financial penalty for noncompliance with this important aspect of HIPAA and it will not be the last.

Bayfront Health St Petersburg was fined $85,000 for HIPAA Right of Access failures in September 2019 and in 2011, Cignet Health of Prince George’s County was ordered to pay a civil monetary penalty of $4,300,000 for denying patients access to their medical records.

It doesn’t take a data breach for an investigation into patient rights violations to be initiated by OCR. The Bayfront Health St Petersburg financial penalty was in response to a single complaint from a patient who had not been provided with her medical records in a timely manner.

The post 51% of Healthcare Providers Still Not Fully Complying with HIPAA Right of Access appeared first on HIPAA Journal.

Google Confirms it has Legitimate Access to Millions of Ascension Patients’ Health Records

Posted by HIPAA Journal

Following a report in the Wall Street Journal, Google has confirmed it is collaborating with one of the largest healthcare systems in the United States, which gives it access to a huge volume of patient data.

Google has partnered Ascension, the world’s largest catholic health system and the second largest non-profit health system in the United States. Ascension operates more than 2,600 healthcare facilities in 21 states, including 150 hospitals and over 50 senior living facilities.

The collaboration has given Google access to patient health information such as names, dates of birth, medical test results, diagnoses, treatment information, service dates, and other personal and clinical information.

The project – code name Project Nightingale – had been kept under the radar prior to the WSJ Report, which claimed that at least 150 Google employees have allegedly been able to access patient data as part of the project and that access to patient data had been granted without patients or physicians being informed. Both Google and Ascension made announcements about the Project Nightingale collaboration after the WSJ story was published.

In a November 11 press release, Ascension said it “is working with Google to optimize the health and wellness of individuals and communities, and deliver a comprehensive portfolio of digital capabilities that enhance the experience of Ascension consumers, patients and clinical providers across the continuum of care.”

Google explained in its announcement that it had previously mentioned the collaboration in July 2019 in its Q2 earnings call, in which it stated, “Google Cloud’s AI and ML solutions are helping healthcare organizations like Ascension improve the healthcare experience and outcomes.”

Google explained in its November 11 blog post that collaboration with Ascension is focused on A) Shifting Ascension’s infrastructure to the Google Cloud platform; B) Helping Ascension implement G Suite productivity tools and; C) Extending tools to doctors and nurses to improve care. Google also stated that some of the tools it is working on are not yet active in clinical development and are still in the early testing stage, hence the code name, Project Nightingale.

Another goal of the collaboration is to use Google’s considerable computing capabilities to analyze patient data with a view to developing software that leverages its AI and machine learning technology to deliver more targeted care to patients.

Ascension said the it will be “Exploring artificial intelligence/machine learning applications that will have the potential to support improvements in clinical quality and effectiveness, patient safety, and advocacy on behalf of vulnerable populations, as well as increase consumer and provider satisfaction.”

As a business associate of Ascension, Google has confirmed that access to patient data is legitimate and in full compliance with Health insurance Portability and Accountability Act (HIPAA) Rules. Google has signed a BAA with Ascension and has implemented appropriate safeguards to keep patient information secure and is in full compliance with all requirements of HIPAA.

Ascension has also confirmed that the partnership is “underpinned by a robust data security and protection effort and adherence to Ascension’s strict requirements for data handling.”

While patients may be concerned that Google now has access to some of their most sensitive data, it is not standard practice for healthcare organizations to announce collaborations with third-party companies that provide services that require access to protected health information. However, a proactive announcement rather than a reactive press release may have helped allay fears and concerns.

The post Google Confirms it has Legitimate Access to Millions of Ascension Patients’ Health Records appeared first on HIPAA Journal.

Sen. Warner Demands Answers from HHS Over Apparent Lack of Response to Major PACS Data Breach

Posted by HIPAA Journal

U.S. Senator, Mark. R. Warner (D-VA) has written to the Director of the HHS’ Office for Civil Rights, Roger Severino, expressing concern over the HHS response to the mass exposure of medical images by U.S. healthcare organizations.

Sen. Warner is the Vice Chairman of the Senate Intelligence Committee and co-founder of the Senate Cybersecurity Caucus. This is the latest in a series of communications in which he has voiced concerns about cybersecurity failures that have compromised the personal and private information of Americans. In February, Sen. Warner demanded answers from HHS agencies, NIST, and healthcare associations about healthcare cybersecurity following the continued increase in healthcare data breaches.

His recent letter to OCR was in response to a September 17, 2019 report about the exposure of millions of Americans’ medical images that were stored in unsecured picture archiving and communications systems (PACS).

The report detailed the findings of an investigation by ProPublica, German public broadcaster Bayerischer Rundfunk, and vulnerability and analysis firm, Greenbone Networks, which revealed almost 400 million medical images could be freely downloaded from the internet without authentication.  Sen. Warner pointed out that at the time of writing the letter, “for all U.S. territories there are 114.5 million images accessible, 22.1 million patient records, and 400,000 Social Security numbers, impacting an estimated 5 million patients in 22 states.”

Sen. Warner stated in the letter that the exposure of the medical images not only has potential to cause harm to individuals, it is also damaging to national security. The types of exposed information could potentially be used by cybercriminals in phishing campaigns and for other malicious attacks, such as those aimed at spreading malware. Flaws in the DICOM protocol could be exploited to incorporate malicious code into medical images. Nation state actors or cybercriminal groups could have downloaded the images, inserted malicious code, and then uploaded the images without being detected.

One of the U.S. firms implicated in the ProPublica report was TridentUSA Health Services and one of its affiliates, MobileX USA. In September 2019, following publication of the report, Sen. Warner wrote to TridentUSA Health Services demanding answers about its cybersecurity practices and how the data of millions of Americans, which the company was responsible for keeping private, came to be exposed online and required no password or other means of authentication to access.

In his letter to OCR, Sen. Warner explained that TridentUSA Health Services, a HIPAA-covered entity, responded to his letter and stated it had passed an HHS Security Rule audit in March 2019. That audit was passed even though at the time of the audit medical images under its control were exposed online and could be freely accessed over the internet.

“As your agency aggressively pushes to permit a wider range of parties (including those not covered by HIPAA) to have access to the sensitive health information of American patients without traditional privacy protections attaching to that information, HHS’s inattention to this particular incident becomes even more troubling,” wrote Warner.

The exposure of PACS data was reported to US-CERT by the German Federal Office for Information Security. US-CERT made contact with Greenbone Networks and confirmed the exposed data had been received and said that the matter would be reported to the HHS. Greenbone Networks had no contact from HHS and no further contact from US-CERT.

The researchers in Germany also demonstrated to Sen. Warner that even on October 15, 2019, several US-based PACS have open ports that support unencrypted communications protocols. Those unsecured PACS could be accessed without authentication and a wide range of medical images could be viewed and downloaded, including X-rays and mammograms that contain sensitive patient information such as names and Social Security numbers. Those images and personal information were still accessible freely online on the date of writing the letter (Nov 8, 2019).

“As of writing this letter, TridentUSA Health Services is not included on your breach portal website and I have seen no evidence that, once contacted by US-CERT, you acted on that information in a meaningful way,” wrote Sen. Warner.

Sen. Warner has demanded answers to 5 questions:

The post Sen. Warner Demands Answers from HHS Over Apparent Lack of Response to Major PACS Data Breach appeared first on HIPAA Journal.

HHS Increases Civil Monetary Penalties for HIPAA Violations in Line with Inflation

Posted by HIPAA Journal

The U.S Department of Health and Human Services’ has increased the civil monetary penalties for HIPAA violations to take inflation into account, in accordance with the Inflation Adjustment Act.

The final rule was issued and took effect on Tuesday November 5, 2019. This rule increases the civil monetary penalties for HIPAA violations that occurred on or after February 18, 2019. Under the new penalty structure, the increases from 2018 to 2019 are detailed in the table below:

Penalty Tier Level of Culpability Minimum Penalty per Violation

(2018 » 2019)

 Maximum Penalty per Violation

(2018 » 2019)

 New Maximum Annual Penalty

(2018 » 2019)*
1 No Knowledge $114.29 » $117 $57,051 » $58,490 $1,711,533 » $1,754,698
2 Reasonable Cause $1,141 » $1,170 $57,051 » $58,490 $1,711,533 » $1,754,698
3 Willful Neglect – Corrective Action Taken $11,410 » $11,698 $57,051 » $58,490 $1,711,533 » $1,754,698
4 Willful Neglect – No Corrective Action Taken $57,051 » $58,490 $1,711,533 » $1,754,698 $1,711,533 » $1,754,698

Penalties for HIPAA violations that occurred prior to February 18, 2019 have increased to $159 per violation, with an annual cap of $39,936 per violation category.

Earlier this year, the HHS’ Office for Civil Rights announced that it had reduced the penalties for HIPAA violations in certain tiers after a review of the wording of the HITECH Act. The maximum penalty for a HIPAA violation in the highest tier remained at $1.711 million, per violation category per year. Prior to the review, the maximum HIPAA violation penalty was $1.711 million in all four penalty tiers.

*The notice of enforcement discretion, announced on April 30, 2019, capped the maximum annual penalties at $10,000 (Tier 1), $100,000 (Tier 2), $250,000 (Tier 3), and $1,711,533 (Tier 4). The notice of enforcement discretion stated that the reviewed penalty tiers would also be adjusted in line with inflation. The multiplier used by OCR to calculate the cost-of-living increases was based on the Consumer Price Index for all Urban Consumers (CPI–U) for October 2019, which was 1.02522. That would make the new maximum penalties under the notice of enforcement discretion $10,252.20 (Tier 1), $102,522 (Tier 2), $256,305 (Tier 3), and $1,754,698 (Tier 4).

While OCR’s notice of enforcement discretion states that OCR will be adopting the new, revised penalties, this has yet to be made official and is pending further rulemaking. The notification of enforcement discretion creates no legal obligations and no legal rights, so OCR could therefore legally use the above maximum penalty amount of $1,754,698 per violation category, per year across all penalty tiers.

Full details of the new penalty structures have been published in the Federal Register for all agencies, including the FDA, ACF, HRSA, AHRQ, OIG, CMS, and OCR and can be viewed here (PDF).

The post HHS Increases Civil Monetary Penalties for HIPAA Violations in Line with Inflation appeared first on HIPAA Journal.

Texas Health and Human Services Commission Pays $1.6 Million HIPAA Penalty

Posted by HIPAA Journal

The Department of Health and Human Services’ Office for Civil Rights (OCR) has imposed a $1.6 million civil monetary penalty (CMP) on Texas Health and Human Services Commission (TX HHSC) for multiple violations of Health Insurance Portability and Accountability Act (HIPAA) Rules.

TX HHSC is a state agency that operates supported living centers, regulates nursing and childcare facilities, provides mental health and substance abuse services, and administers hundreds of state programs for people in need of assistance, such as individuals with intellectual and physical disabilities.

OCR launched an investigation following receipt of a breach report from the Department of Aging and Disability Services (DADS), a state agency that was reorganized into TX HHSC in September 2017. On June 11, 2015, DADS reported a security incident to OCR which stated that the electronic protected health information (ePHI) of 6,617 individuals had been exposed over the internet. The exposed information included names, addresses, diagnoses, treatment information, Medicaid numbers, and Social Security numbers.

The information was exposed during the migration of an internal CLASS/DBMD application from a private server to a public server. A flaw in the software of the application allowed ePHI to be accessed over the internet without any authentication. As a result of the flaw, private and highly sensitive information could be found and accessed through a Google search.

TX HHSC was unable to provide documentation to demonstrate compliance with three important provisions of HIPAA Rules. OCR determined that TX HHSC had violated four HIPAA provisions.

  • 45 C.F.R. § 164.308(a)(1 )(ii)(A) – Failure to conduct a comprehensive organization-wide risk analysis to identify all risks to the confidentiality, integrity, and availability of PHI
  • 45 C.F.R. § 164.312(a)(1) – Failure to implement access controls. Credentials were not required to access ePHI contained in its CLASS/DBMD
  • 45 C.F.R. § 164.312(b) – Failure to implement audit controls that recorded user access on the public server, which prevented TX HHSC from determining who had accessed ePHI in the application during the time it was exposed.
  • 45 C.F.R. § 164.502(a) – The above failures resulted in an impermissible disclosure of the ePHI of 6,617 individuals.

Under HIPAA, financial penalties are determined based on the level of culpability. OCR determined that the violations fell short of willful neglect and constituted reasonable cause – the second penalty tier. For each of the above classes of HIPAA violation, the minimum penalty for a violation is $1,000 up to a maximum financial penalty of $100,000 per year. The risk analysis failures, access controls failures, and audit control failures spanned from 2013 to 2017, hence the $1.6 million penalty.

“Covered entities need to know who can access protected health information in their custody at all times,” said OCR Director Roger Severino. “No one should have to worry about their private health information being discoverable through a Google search.”

We initially reported on the HIPAA penalty in March 2019 when it appeared that a settlement had been reached between TX HHSC and OCR over the HIPAA violations. The 86th Legislature of the State of Texas had voted to approve the settlement; however, it would appear that the proposed settlement was rejected. OCR issued a Notice of Proposed Determination on July 29, 2019.

TX HHSC did not contest the findings of OCR’s Notice of Proposed Determination and waived the right to a hearing. OCR imposed the CMP on TX HHSC on October 25, 2019.

This is the second HIPAA penalty to be announced by OCR this week. A few days ago, OCR announced a $3 million settlement had been reached with the University of Rochester Medical Center to resolve HIPAA violations related to the loss of unencrypted devices containing ePHI.

The TX HHSC CMP is the seventh HIPAA penalty of 2019. The latest CMP brings the total HIPAA fines for 2019 up to $9,949,000.

The post Texas Health and Human Services Commission Pays $1.6 Million HIPAA Penalty appeared first on HIPAA Journal.

Webinar: Your 2019 MIPS Security Risk Analysis: 6 Steps to Compliance (11/14/19)

Posted by HIPAA Journal

Healthcare organizations often struggle with risk analyses, as OCR’s HIPAA enforcement actions clearly show. The risk analysis is the most common HIPAA violation cited in OCR’s enforcement actions.

The risk analysis is essential as it allows healthcare organizations to identify all risks to the confidentiality, integrity, and availability of ePHI. Those risks can then be reduced to a reasonable and acceptable level. A risk assessment should be completed regularly, with the frequency determined by the circumstances of their environment. For many healthcare organizations, this will be annually.

An annual security risk analysis (SRA) is a requirement of the 2019 MIPS Performance Year to comply with Promoting Interoperability. The SRA makes up 25% of the performance score so it is essential that this critical process is completed. The deadline for completing the SRA is December 31, 2019.

If you have yet to conduct your SRA for 2019 and are not yet ready to attest to meeting this objective, help is at hand. HIPAA Journal sponsor, Compliancy Group, is hosting a webinar in conjunction with Compulink Healthcare Solutions which covers this important aspect of compliance.

At the webinar, Compliancy Group and Compulink Healthcare Solutions’ Director of Professional Relations and Government Programs, Dr. Karen Perry, will be discussing the security risk analysis and how you can implement appropriate safeguards to satisfy the MIPS SRA requirement.

At the end of the event you will have access to the tools you need to confidently achieve your mission-critical priorities, ensure compliance, and help your organization thrive in a fast-evolving digital landscape.

Webinar Details:

Your 2019 MIPS Security Risk Analysis: 6 Steps to Compliance

Date: Thursday, November 14, 2019

Time: 14:00 ET

Registration Link

The post Webinar: Your 2019 MIPS Security Risk Analysis: 6 Steps to Compliance (11/14/19) appeared first on HIPAA Journal.

Lack of Encryption Leads to $3 Million HIPAA Penalty for New York Medical Center

Posted by HIPAA Journal

The University of Rochester Medical Center (URMC) has paid a $3 million HIPAA penalty for the failure to encrypt mobile devices and other HIPAA violations.

URMC is one of the largest health systems in New York State with more than 26,000 employees at the Medical Center and various other components of the health system, including Strong Memorial Hospital and the School of Dentistry.

The Department of Health and Human Services’ Office for Civil Rights (OCR) launched an investigation following receipt of two breach reports from UMRC – The loss of an unencrypted flash drive and the theft of an unencrypted laptop computer in 2013 and 2017.

This was not the first time OCR had investigated URMC. An investigation was launched in 2010 following a similar breach involving a lost flash drive. In that instance, OCR provided technical compliance assistance to URMC. The latest investigation uncovered multiple violations of HIPAA Rules, including areas of noncompliance that should have been addressed after receiving technical assistance from OCR in 2010.

Under HIPAA, data encryption is not mandatory. Following a risk analysis, as part of the risk management process, covered entities must assess whether encryption is an appropriate safeguard. An alternative safeguard can be implemented in place of encryption if it provides an equivalent level of protection.

In this case, URMC had assessed risk and determined that the lack of encryption posed a high risk to the confidentiality, integrity, and availability of ePHI, yet failed to implement encryption when it was appropriate and continued to use unencrypted mobile devices that contained ePHI, in violation of 45 C.F.R. § 164.31 2(a)(2)(iv).

OCR’s investigation confirmed that the ePHI of 43 patients was contained on the stolen laptop and as a result of the theft, that information was impermissibly disclosed – 45 C.F.R. §164.502(a). OCR also determined that URMC had failed to conduct a comprehensive, organization-wide risk analysis – 45 C.F.R. § 164.308(a)(1)(ii)(A) – that included all risks to the confidentiality, integrity, and availability of ePHI, and covered ePHI stored on the lost and stolen devices.

Risks had not been sufficiently managed and reduced to reasonable and acceptable level – 45 C.F.R. §164.308(a)(l)(ii)(B) – and policies and procedures governing the receipt and removal of hardware and electronic media in and out of its facilities had not been implemented – 45 C.F.R. § 163.310(d).

In addition to the $3,000,000 financial penalty, URMC is required to adopt a robust corrective action plan to address all aspects of noncompliance identified by OCR. URMC’s compliance efforts over the next two years will be scrutinized by OCR to ensure continuing compliance.

“Because theft and loss are constant threats, failing to encrypt mobile devices needlessly puts patient health information at risk,” said OCR Director Roger Severino. “When covered entities are warned of their deficiencies, but fail to fix the problem, they will be held fully responsible for their neglect.”

This is the sixth financial penalty of 2019 that OCR has issued to resolve violations of the Health Insurance Portability and Accountability Act and it is the fourth enforcement action to cite a risk analysis failure.

The risk analysis is one of the most important elements of HIPAA compliance and a risk analysis failure is the most common HIPAA violation cited in OCRs enforcement actions.

OCR has released a risk assessment tool to help covered entities and business associates comply with this aspect of HIPAA. Further information on the HHS risk assessment tool is available on this page.

The post Lack of Encryption Leads to $3 Million HIPAA Penalty for New York Medical Center appeared first on HIPAA Journal.

Common Office 365 Mistakes Made by Healthcare Organizations

Posted by HIPAA Journal

An Office 365 phishing campaign has been running over the past few weeks that uses voicemail messages as a lure to get users to disclose their Office 365 credentials. Further information on the campaign is detailed below along with some of the most common Office 365 mistakes that increase the risk of a costly data breach and HIPAA penalty.

Office 365 Voicemail Phishing Scam

The Office 365 voicemail phishing scam was detected by researchers at McAfee. The campaign has been running for several weeks and targets middle management and executives at high profile companies. A wide range of industries have been attacked, including healthcare, although the majority of attacks have been on companies in the service, IT services, and retail sectors.

The emails appear to have been sent by Microsoft and alert users to a new voicemail message. The emails include the caller’s telephone number, the date of the call, the duration of the voicemail message, and a reference number. The emails appear to be automated messages and tell the recipient that immediate attention is required to access the message.

The phishing emails include an HTML attachment which will play a short excerpt from the voicemail message if opened. Users will then be redirected to a spoofed Office 365 web page where they must enter their Office 365 credentials to listen to the full message. If credentials are entered, they will be captured by the attacker. Users are then redirected to the Office.com website. No voicemail message will be played.

This is not the first time that voicemail and missed call notifications have been used as a lure in phishing attacks, but the inclusion of audio recordings in phishing emails is unusual. The partial voicemail recording comes from an embedded .wav file in the HTML attachment.

McAfee reports that three different phishing kits are being used to generate the spoofed Microsoft Office 365 websites, which suggests three different threat groups are using this ploy.

While there are red flags that should alert security-aware employees that this is a scam, unfamiliarity with this type of phishing scam and the inclusion of Microsoft logos and carbon-copy Office 365 login windows may be enough to convince users that the voicemail notifications are genuine.

Common Office 365 Mistakes to Avoid and HIPAA Best Practices

This is just the latest of several recent phishing campaigns targeting Office 365 users and attacks on Office 365 users are increasing. Listed below are some steps that can be taken to reduce risk along with some of the common Office 365 mistakes that are made which can increase the risk of account compromises, data breaches and HIPAA penalties.

Consider Using a Third-Party Anti-Phishing Solution on Top of Office 365

Office 365 incorporates anti-spam and anti-phishing protections as standard through Microsoft Exchange Online Protection (EOP). While this control is effective at blocking spam email (99%) and known malware (100%), it doesn’t perform so well at stopping phishing emails and zero-day threats. Microsoft is improving its anti-phishing controls but EOP is unlikely to provide a sufficiently high level of protection for healthcare organizations that are extensively targeted by cybercriminals.

Microsoft’s anti-phishing protections are better in Advanced Threat Protection (APT), although this solution cannot identify zero-day threats, does not include sandboxing for analyzing malicious attachments, and email impersonation protection is limited. For advanced protection against phishing and zero-day threats, consider layering a third-party anti-phishing solution on top of Office 365.

Implement Multi-Factor Authentication

A third-party solution will block more threats, but some will still be delivered to inboxes. The Verizon Data Breach Investigations Report revealed 30% of employees open phishing emails and 12% click links in those messages. Security awareness training for employees is mandatory under HIPAA and can help to reduce susceptibility to phishing attacks, but additional anti-phishing measures are required to reduce risk to a reasonable and acceptable level. One of the most effective measures is multi-factor authentication. It is not infallible, but it will help to ensure that compromised credentials cannot be used to access Office 365 email accounts.

Check DHS Advice Prior to Migrating from On-Premises Mail Services to Office 365

There are risks and vulnerabilities that must be mitigated when migrating from on-premises mail services to Office 365. The DHS’ Cybersecurity and Infrastructure Security Agency has issued best practices that should be followed. Check this advice before handling your own migrations or using a third-party service.

Ensure Logging is Configured and Review Email Logs Regularly

HIPAA requires logs to be created of system activity and ePHI access attempts, including the activities of authorized users. Those logs must also be reviewed regularly and checked for signs of unauthorized access and suspicious employee behavior.

Ensure Your Emails are Encrypted

Email encryption will prevent messages containing ePHI from being intercepted in transit. Email encryption is a requirement of HIPAA if messages containing ePHI are sent outside your organization.

Make Sure You Read Your Business Associate Agreement

Just because you have obtained a signed business associate agreement from Microsoft it does not mean your email is HIPAA-compliant. Make sure you read the terms in the BAA, check your set up is correct, and you are aware of your responsibilities for securing Office 365 and you are using Office 365 in a HIPAA compliant manner.

Backup and Use Email Archiving

In the event of disaster, it is essential that you can recover your email data. Your Office 365 environment must therefore be backed up and emails containing ePHI and HIPAA-related documents must be retained for a period of 6 years. An archiving solution – from Microsoft or a third-party – is the best way of retaining emails as archives can be searched and emails quickly recovered when they are required, such for legal discovery or a compliance audit.

The post Common Office 365 Mistakes Made by Healthcare Organizations appeared first on HIPAA Journal.