HIPAA Compliance News

HHS Releases Updated HIPAA Security Risk Assessment Tool

The HHS has updated its HIPAA Security Risk Assessment Tool and has added several new features that have been requested by users to improve usability.

The HIPAA Security Risk Assessment Tool was developed by the HHS Office of the National Coordinator for Health Information Technology (ONC) in collaboration with the HHS’ Office for Civil Rights.

The Security Risk Assessment Tool can help small to medium sized healthcare organizations conduct a comprehensive, organization-wide risk assessment to identify all risks to the confidentiality, integrity, and availability of protected health information (PHI).

By using the tool, healthcare organizations will be able to identify and assess risks and vulnerabilities and use that information to improve their defenses against malware, ransomware, viruses, botnets and other types of cyberattack.

The risk assessment is a foundational element of compliance with the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. By conducting a risk assessment, healthcare organizations can identify areas where PHI may be at risk. Any risks can then be assessed, prioritized, and reduced to a reasonable and appropriate level.

Since its initial release, the tool has been updated several times to improve usability and add additional functions. The latest version of the Risk Assessment Tool – Version 3.1 – has been released to coincide with National Cybersecurity Awareness Month and includes several user-requested improvements:

  • Threat and vulnerability validation
  • Incorporation of NIST Cybersecurity Framework references
  • Improved asset and vendor management
  • Question flagging and a new Flagged Report
  • Ability to export Detailed Reports to Excel
  • Fixes for several reported bugs to improve stability

The tool can be downloaded from the HHS website for Windows devices; the latest version is not available for macOS.

The HHS points out that the tool is only as useful as the work that goes into conducting and documenting a risk assessment. Use of the tool does not guarantee compliance with the risk assessment requirements of the HIPAA Security Rule; it is an aid to help HIPAA-covered entities and their business associates conduct periodic risk assessments.

The post HHS Releases Updated HIPAA Security Risk Assessment Tool appeared first on HIPAA Journal.

Slew of HIPAA Violations Leads to $2.15 Million Civil Monetary Penalty for Jackson Health System

The Department of Health and Human Services’ Office for Civil Rights has imposed a $2.15 million civil monetary penalty against the Miami, FL-based nonprofit academic medical system, Jackson Health System (JHS), for a slew of violations of the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule.

In July 2015, OCR became aware of several media reports in which the PHI of a patient was impermissibly disclosed. The individual was a well-known NFL football player. Photographs of an operating room display board and schedule had also been shared on social media by a reporter. OCR launched an investigation in October 2015 and opened a compliance review in relation to the impermissible disclosure.

JHS investigated and submitted a report confirming a photograph had been taken in which two patients’ PHI was visible, including the PHI of a well-known person in the community. The internal investigation also revealed that an employee had been accessing patient information without authorization since 2011. During that time, the employee had accessed the records of 24,188 patients without any legitimate work reason for doing so and had been selling that information.

HIPAA requires covered entities to implement policies and procedures to prevent, contain, and correct security violations (45 C.F.R. § 164.308(a)(1)). Before risks can be managed and reduced to a reasonable and appropriate level, a covered entity must conduct a comprehensive risk analysis (45 C.F.R. § 164.308(a)(1)(ii)(A)) to ensure that all risks to the confidentiality, integrity, and availability of ePHI are identified.

On several occasions, OCR requested documentation on risk analyses at JHS. JHS supplied documentation on internal assessments from 2009, 2012, and 2013, and risk analyses conducted by third parties in 2014, 2015, 2016, and 2017.

OCR found that, prior to 2017, JHS had erroneously marked several Security Rule requirements as not applicable in its risk analyses. The 2014 risk analysis failed to cover all ePHI and did not identify all risks to ePHI held in JHS systems, and JHS could not provide documentation showing that measures had been implemented to reduce risk to ePHI to a reasonable and appropriate level, even though the third party that performed the 2014 risk analysis had made recommendations.

Similar risk analysis failures occurred in 2015. Some sections of the risk analysis conducted by a third party had not been completed, the risk analysis failed to cover all ePHI, and documentation could not be supplied confirming risk management efforts had taken place. It was a similar story in 2016, and the 2017 risk analysis was not comprehensive.

OCR investigators also found that records of information system activity, such as audit logs and access reports, had not been regularly reviewed, in violation of 45 C.F.R. § 164.308(a)(1)(ii)(D).

OCR also determined that between July 22, 2013 and January 27, 2016, policies and procedures had not been implemented to prevent, detect, contain, and correct security violations. The HIPAA Privacy Rule had also been violated, as reasonable efforts were not made to limit certain employees’ access to PHI, which had led to unauthorized access and impermissible disclosures. Access to PHI was also not limited to the minimum necessary information, in violation of 45 C.F.R. §164.308(a)(4) and 45 C.F.R. § 164.514(d).

On multiple occasions employees had accessed records without authorization when there was no treatment relationship with a patient, and also after a treatment relationship had come to an end.
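The kind of information system activity review that would have surfaced this pattern, as an added example that is not part of the HIPAA Journal article or any OCR material: a small Python script that checks each EHR record access in an audit log against recorded treatment relationships and flags accesses with no relationship at all, or made after the relationship ended, then lists users with enough unjustified accesses to warrant a review. The audit-log layout, the relationship table, the user and patient identifiers and the bulk threshold are all constructed for illustration.

```python
from collections import Counter
from datetime import date, datetime

# Constructed EHR audit log, one access per line: timestamp,user,patient,action.
# The layout is an assumption; real EHR audit exports differ by vendor.
AUDIT_LOG = """\
2015-07-01T09:15:00,nurse_a,P1001,view
2015-07-01T09:40:00,nurse_a,P1002,view
2015-07-02T22:05:00,clerk_b,P1003,view
2015-07-02T22:06:00,clerk_b,P1004,view
2015-07-02T22:07:00,clerk_b,P1005,view
2015-07-02T22:08:00,clerk_b,P1006,view
2015-07-03T11:00:00,nurse_a,P1001,view
2015-07-20T08:30:00,nurse_a,P1001,view
"""

# Constructed treatment relationships: (user, patient, start, end); end None means still open.
# In practice this comes from encounter, admission or scheduling data.
TREATMENT = [
    ("nurse_a", "P1001", date(2015, 6, 28), date(2015, 7, 5)),
    ("nurse_a", "P1002", date(2015, 7, 1), None),
    ("clerk_b", "P1003", date(2015, 7, 1), None),
]


def parse_audit_log(text):
    """Turn the CSV audit lines into dicts with a real datetime."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, user, patient, action = line.split(",")
        events.append({"when": datetime.fromisoformat(ts), "user": user,
                       "patient": patient, "action": action})
    return events


def relationship_status(user, patient, when, relationships):
    """Classify an access: 'active', 'after_relationship_ended',
    'before_relationship_started' or 'no_treatment_relationship'."""
    day = when.date()
    windows = [(s, e) for u, p, s, e in relationships if (u, p) == (user, patient)]
    if not windows:
        return "no_treatment_relationship"
    for start, end in windows:
        if start <= day and (end is None or day <= end):
            return "active"
    if all(end is not None and end < day for _, end in windows):
        return "after_relationship_ended"
    return "before_relationship_started"


def find_unjustified_access(events, relationships):
    """Every access that no active treatment relationship justifies, in log order."""
    findings = []
    for ev in events:
        status = relationship_status(ev["user"], ev["patient"], ev["when"], relationships)
        if status != "active":
            findings.append({**ev, "reason": status})
    return findings


def bulk_offenders(findings, threshold=3):
    """Users with at least `threshold` unjustified accesses, worst first."""
    counts = Counter(f["user"] for f in findings)
    return [user for user, n in counts.most_common() if n >= threshold]


if __name__ == "__main__":
    hits = find_unjustified_access(parse_audit_log(AUDIT_LOG), TREATMENT)
    for f in hits:
        print(f"{f['when'].isoformat()} {f['user']} -> {f['patient']}: {f['reason']}")
    print("review queue:", bulk_offenders(hits))
```

Run against the constructed data, the script flags the three late-evening accesses by clerk_b to patients with no treatment relationship and the nurse_a access to P1001 two weeks after that relationship closed, and puts clerk_b in the review queue. The value of a check like this depends on the relationship data being complete, so break-glass and emergency access should be recorded as relationships (or whitelisted explicitly) rather than left to be flagged on every run.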

JHS had also violated the HIPAA Breach Notification Rule by failing to report a breach within 60 days of discovery in violation of 45 C.F.R. § 164.408(b). The loss of boxes of files in 2013 was not reported for 160 days. JHS also admitted that it did not have policies in place covering PHI breaches prior to October 2013.

OCR attempted to resolve the HIPAA violations via informal means, but JHS failed to comply, which led to OCR issuing a Notice of Proposed Determination. JHS waived its right to a hearing and OCR issued a Notice of Final Determination, which was not contested and JHS paid the full financial penalty of $2,154,000.

“OCR’s investigation revealed a HIPAA compliance program that had been in disarray for a number of years,” explained OCR Director Roger Severino. “This hospital system’s compliance program failed to detect and stop an employee who stole and sold thousands of patient records; lost patient files without notifying OCR as required by law; and failed to properly secure PHI that was leaked to the media.”

This is the second financial penalty for a HIPAA covered entity to be announced this month and the fifth penalty to be issued in 2019. Earlier this month, Elite Dental Associates settled its HIPAA case with OCR for $10,000 following disclosures of patients’ PHI on the Yelp review site.

Settlements were also agreed with Bayfront Health St Petersburg ($85,000), Medical Informatics Engineering ($100,000), and Touchstone Medical Imaging ($3,000,000) earlier in the year.

September 2019 Healthcare Data Breach Report

September saw 36 healthcare data breaches of more than 500 records reported to the Department of Health and Human Services’ Office for Civil Rights, which represents a 26.53% decrease in breaches from the previous month.

1,957,168 healthcare records were compromised in those breaches, an increase of 168.11% from August. The large number of breached records is largely attributable to four reported incidents, each of which involved hundreds of thousands of healthcare records. Three of those incidents have been confirmed as ransomware attacks.

Largest Healthcare Data Breaches in September 2019

The largest breach of the month was due to a ransomware attack on Jacksonville, FL-based North Florida OB-GYN, part of Women’s Care of Florida. 528,188 healthcare records were potentially compromised as a result of the attack. Sarrell Dental also experienced a ransomware attack in which the records of 391,472 patients of its Alabama clinics were encrypted. 320,000 records of patients of Premier Family Medical in Utah were also potentially compromised in a ransomware attack. The University of Puerto Rico reported a network server hacking incident involving 439,753 records of Intramural Practice Plan members. The exact nature of the breach is unclear.

Those four breaches accounted for 85.80% of the healthcare records breached in September.

Name of Covered Entity | Covered Entity Type | Individuals Affected | Type of Breach | Location of Breached Information
Women’s Care Florida, LLC | Healthcare Provider | 528,188 | Hacking/IT Incident | Network Server
Intramural Practice Plan – Medical Sciences Campus – University of Puerto Rico | Healthcare Provider | 439,753 | Hacking/IT Incident | Network Server
Sarrell Dental | Healthcare Provider | 391,472 | Hacking/IT Incident | Network Server
Premier Family Medical | Healthcare Provider | 320,000 | Hacking/IT Incident | Network Server
Magellan Healthcare | Business Associate | 55,637 | Hacking/IT Incident | Email
CHI Health Orthopedics Clinic - Lakeside | Healthcare Provider | 48,000 | Hacking/IT Incident | Desktop Computer, Electronic Medical Record, Network Server
Kilgore Vision Center | Healthcare Provider | 40,000 | Hacking/IT Incident | Network Server
Peoples Injury Network Northwest | Healthcare Provider | 27,000 | Hacking/IT Incident | Network Server
Sweetser | Healthcare Provider | 22,000 | Hacking/IT Incident | Email
Perfect Teeth Yale, P.C. | Healthcare Provider | 15,000 | Loss | Other Portable Electronic Device

Causes of September 2019 Healthcare Data Breaches

Hacking/IT incidents dominated the breach reports in September with 24 incidents reported. There were 9 unauthorized access/disclosure incidents and three cases of loss/theft of physical and electronic records.

1,917,657 healthcare records were compromised in the 24 hacking/IT incidents, which accounted for 97.98% of breached records in September. The mean breach size was 79,902 records and the median breach size was 5,255 records.

Unauthorized access/disclosure incidents in September accounted for 1% or 19,741 breached records. The mean breach size was 2,193 records and the median breach size was 998 records. There were two reported theft incidents involving 4,770 physical and electronic records and a single loss incident involving 15,000 records stored on a portable electronic device.

Location of Breached Protected Health Information

Phishing continues to be a major problem area for the healthcare industry. In September, 44.44% of all breaches – 16 incidents – involved PHI stored in email accounts. There were 13 network server incidents, a large percentage of which were ransomware attacks.

September 2019 Healthcare Data Breaches by Covered Entity Type

28 data breaches were reported by healthcare providers in September, four incidents were reported by health plans/health insurers, and four incidents were reported by business associates of HIPAA covered entities. A further four breaches had some business associate involvement but were reported by the covered entity.

States Affected by September 2019 Healthcare Data Breaches

September’s data breaches were reported by entities in 23 states and Puerto Rico. California, Maryland, and Washington were the worst affected with three breaches each. There were two breaches reported by entities based in Arkansas, Arizona, Colorado, Georgia, Indiana, and South Carolina, and one breach was reported in each of Alabama, Florida, Iowa, Illinois, Maine, Michigan, Nebraska, New Jersey, Ohio, Oklahoma, Tennessee, Texas, Utah, West Virginia, and Puerto Rico.

HIPAA Enforcement Activity in September 2019

In September 2019, the HHS’ Office for Civil Rights announced its third HIPAA violation penalty of the year. Bayfront Health St Petersburg in Florida was issued an $85,000 financial penalty for failing to provide a patient with a copy of her child’s fetal heart monitor records within a reasonable time frame. It took 9 months and multiple attempts by the patient before she was provided with the records.

This month, OCR Director Roger Severino gave an update on OCR’s main enforcement priorities and confirmed that noncompliance with the HIPAA right of access is still a major focus for OCR. Further financial penalties can be expected over the coming weeks and months for healthcare organizations that fail to provide individuals with copies of their health information within a reasonable time frame and at a reasonable cost.

There were no financial penalties issued by state attorneys general in September over HIPAA violations.

Roger Severino Gives Update on OCR HIPAA Enforcement Priorities

Roger Severino, Director of the HHS’ Office for Civil Rights, has given an update on OCR’s HIPAA enforcement priorities at the OCR/NIST 11th Annual HIPAA Conference in Washington D.C.

Severino confirmed that one of OCR’s top policy initiatives is still enforcing the rights of patients under the HIPAA Privacy Rule and ensuring they are given timely access to their health information at a reasonable cost.

Under HIPAA, patients have the right to view and check their medical records and obtain a copy of their health data, yet there are still healthcare organizations that are making this difficult. OCR has already agreed to settle one case this year with a HIPAA-covered entity that failed to provide a patient with a copy of her health information. OCR had to intervene before those records were provided to the patient. The entity in question, Bayfront Health St Petersburg, paid a financial penalty of $85,000 to resolve the HIPAA violation.

More financial penalties will be issued to covered entities that fail to comply with this important provision of HIPAA. Severino confirmed that Bayfront Health’s financial penalty was the first in a series of penalties for covered entities that are not providing patients with access to their health data within 30 days of the request being received.

OCR has issued guidance to help covered entities comply with this aspect of HIPAA, but now the time has come “for serious enforcement,” explained Severino.

Severino also explained that patients must be allowed to have their health data sent to health apps. The requests should only be denied if the app poses a security risk to the covered entity. Severino confirmed a covered entity is not liable for what happens to PHI after a disclosure to a health app at the patient’s request.

In many cases, patients are not being denied access to their medical records and requests for copies of medical records are being honored, but patients are being charged excessive amounts. In 2016, OCR issued guidance on the amounts that healthcare organizations can charge for providing copies of medical records and further clarification was also issued on the fee structures that can be adopted. Financial penalties for overcharging for copies of medical records can be expected.

The crackdown on patient access issues is part of the HHS Regulatory Sprint to Coordinated Care initiative and fits in with the Trump Administration’s drive to improve transparency of healthcare costs and the reduction of the cost of healthcare in the United States.

A prop is always useful for getting a point across. In this case Severino used a medical boot that he purchased to aid recovery from a torn Achilles tendon. Severino said he was advised by his doctor to purchase the boot and paid his doctor $430 for the treatment aid. He explained that he later looked online and found the exact same boot for sale on Amazon for $70, saying “This boot represents what’s wrong with price transparency.”

OCR is looking at how HIPAA can be updated to address this problem, such as requiring healthcare providers and health plans to provide information about the expected out-of-pocket costs for medical services or equipment before those items or services are provided to patients.

Contractors provide quotes for work in advance and banks provide customers with information on the costs of mortgages before providing the funds, but that doesn’t always happen in healthcare. That is something that needs to change.

Severino also touched on the issue of cybersecurity. Phishing and ransomware attacks cause a high percentage of healthcare data breaches and in many cases the attacks can be prevented by practicing good cybersecurity hygiene.

Ransomware is often installed by exploiting Remote Desktop Protocol (RDP): internet-exposed RDP services with weak or reused credentials, or unpatched RDP vulnerabilities. The failure to address those RDP weaknesses has led to several major healthcare ransomware attacks and data breaches.

Phishing attacks have been a major cause of healthcare data breaches for several years. It is not possible to prevent all attacks, but by complying with HIPAA, risk can be significantly reduced. HIPAA calls for covered entities to provide employees with training to help them identify and avoid phishing threats. Severino explained that training is critical, as is conducting phishing simulation exercises to find out how susceptible employees are to phishing.

Other cybersecurity failures that commonly lead to data breaches include the lack of multi-factor authentication, poor access controls, and the failure to promptly terminate access to systems when employees leave the company.

2019 may have only seen four OCR financial penalties issued to date to resolve HIPAA violations but the year is far from over. Further penalties will be announced this year, including one $2.1 million civil monetary penalty.

Severino did not confirm the reason for the penalty or provide any details, other than saying a final determination has been reached and the penalty will be announced by the department soon.

Dental Practice Fined $10,000 for PHI Disclosures on Yelp

The Department of Health and Human Services’ Office for Civil Rights has agreed to settle a HIPAA violation case with Elite Dental Associates over the impermissible disclosure of multiple patients’ protected health information (PHI) when responding to patient reviews on the Yelp review website.

Elite Dental Associates is a Dallas, TX-based privately-owned dental practice that provides general, implant and cosmetic dentistry. On June 5, 2016, OCR received a complaint from an Elite patient about a social media HIPAA violation. The patient claimed the dental practice had responded to a review she left on Yelp and publicly disclosed some of the PHI.

When replying to the patient’s June 4, 2016 post, Elite disclosed the patient’s last name along with details of her health condition, treatment plan, insurance, and cost information.

The investigation confirmed that to be the case, but also found it was not the first time that PHI had been disclosed without authorization on the social media platform when responding to patient reviews. Further impermissible PHI disclosures were found on the Elite review page.

In addition to the impermissible disclosures of PHI, which violated 45 C.F.R. § 164.502(a), OCR determined Elite had not implemented policies and procedures relating to PHI, in particular the release of PHI on social media and other public platforms, in violation of 45 C.F.R. § 164.530(i). Elite was also discovered not to have included the minimum required content in its Notice of Privacy Practices as required by the HIPAA Privacy Rule (45 C.F.R. § 164.520(b)).

OCR agreed to a HIPAA violation fine of $10,000 and a corrective action plan (CAP) to resolve the alleged HIPAA violations and settle the case with no admission of liability. The three potential HIPAA violations could have attracted a substantially higher financial penalty; however, when considering an appropriate financial penalty, OCR took the financial position of the practice, its size, and Elite’s cooperation with the OCR investigation into account.

“Social media is not the place for providers to discuss a patient’s care,” said OCR Director, Roger Severino.  “Doctors and dentists must think carefully about patient privacy before responding to online reviews.”

This is the 4th OCR HIPAA settlement of 2019. In September, OCR fined Bayfront Health St Petersburg $85,000 for a HIPAA Right of Access failure. In May, two settlements were agreed to resolve multiple HIPAA violations at Medical Informatics Engineering ($100,000) and Touchstone Medical Imaging ($3,000,000).

Sen. Rand Paul Introduces National Patient Identifier Repeal Act

Sen. Rand Paul, M.D., (R-Kentucky) has introduced a new bill that attempts to have the national patient identifier provision of HIPAA permanently removed due to privacy concerns over the implementation of such a system.

Today, HIPAA is best known for its healthcare data privacy and security regulations, but the national patient identifier system was proposed in the original HIPAA legislation of 1996 as a measure to facilitate data sharing and help reduce wastage in healthcare.

The provision called for the HHS to “adopt standards providing for a standard unique health identifier for each individual, employer, health plan, and healthcare provider for use in the health care system.” However, in 1998, former Congressman Ron Paul (R-Texas), Sen. Rand Paul’s father, introduced a proposal which called for a ban on funding the development and implementation of such a system. The ban was introduced into the Congressional budget for 1999 and has been written into all Congressional budgets ever since.

This year there was hope that the ban would finally be removed following a June amendment to the House of Representative’s appropriation bill for fiscal year 2020. The amendment received strong bipartisan support and it was hoped that the Senate would follow the House’s lead and have the ban finally lifted. However, on September 18, 2019, the Senate appropriations subcommittee’s proposed budget bill for fiscal year 2020 included the same language as previous years and, as it stands, the ban looks set to remain in place for at least another year.

Sen. Rand Paul’s National Patient Identifier Repeal Act seeks to repeal the HIPAA provision, which Sen. Paul believes would place the privacy of Americans at risk. He considers the provision dangerous, as it would allow a government-issued ID number to be linked with the private medical histories of every man, woman, and child in America.

It is for the very same reason that dozens of healthcare industry stakeholder groups want the national patient identifier introduced, as without such an identifier, it is difficult to accurately match medical records with the correct patient. Those seeking to have the ban lifted believe it will improve the accuracy of health information exchange and improve security and patient safety.

Sen. Paul disagrees, as he believes the potential privacy risks are too great. “As a physician, I know firsthand how the doctor-patient relationship relies on trust and privacy, which will be thrown into jeopardy by a national patient ID,” explained Sen. Paul. “Considering how unfortunately familiar our world has become with devastating security breaches and the dangers of the growing surveillance state, it is simply unacceptable for government to centralize some of Americans’ most personal information.”

Industry associations such as the College of Healthcare Information Management Executives (CHIME) have stepped up efforts to have the ban lifted due to the difficulties matching medical records with patients.

CHIME CEO, Russ Branzell explained that Congress has already approved a healthcare identifier for Medicare beneficiaries, but a national identifier is also required. “The patient identification conversation is one about saving lives and unlocking the potential for technology to revolutionize healthcare while cutting costs.” He has called Sen. Paul’s views on the national patient identifier “antiquated and from some bygone era.”

While many industry associations share Branzell’s view, Sen. Paul’s bill has received support from certain privacy advocacy groups, including the Citizens’ Council for Health Freedom. Advocates of removing the HIPAA provision believe that centralizing patient information would greatly increase the risk of security breaches, could allow hackers to steal individuals’ lifelong healthcare records, and would permit unprecedented tracking of Americans through their healthcare records.

IT Departments Slow to Modify and Block Access Rights When Employees Change Roles or Leave the Company

A recent survey of IT professionals, conducted by IT firm Ivanti, has revealed access rights to digital resources are not always terminated promptly when employees change roles or leave the company. The latter is especially concerning as there is a high risk of data theft and sabotage of company systems by former employees. There have been many reported cases of former employees taking sensitive data to new employers and conducting malicious acts in cases of termination.

The survey was conducted online in the summer of 2019 on 400 individuals, 70% of whom were IT professionals. Questions were asked about setting up permissions for new employees, modifying access rights when roles change, and terminating access rights to company resources when employees are terminated, contracts end, or employees find alternative employment.

The respondents came from a broad range of industries including healthcare. 27% of respondents said they were required to comply with the Health Insurance Portability and Accountability Act (HIPAA), 25% were required to comply with the EU’s General Data Protection Regulation (GDPR), and 23% had to comply with the Sarbanes-Oxley Act (SOX).

While policies and procedures have been established to cover the entire process, the survey revealed issues onboarding new employees, modifying permissions, and terminating access rights.

85% of employees said they did not have access to all the resources they needed to complete their job duties when they first joined the company. Surveyed IT professionals confirmed that to be the case, with 38% saying it takes an average of 2-4 days to fully onboard new starters and 27% said it takes more than a week.

From a security and compliance perspective, modifying access rights when roles change and removing them on departure matters far more than onboarding speed. Even though legislation such as HIPAA requires such changes to be made promptly to prevent unauthorized data access, changes to access rights are slow to be applied, if they are applied at all.

Only 55% of respondents were confident that access to unnecessary resources was removed when an employee’s role in the organization changed. 26% of IT professionals said it typically takes over a week to fully deprovision employees when they leave the company and only half of surveyed IT professionals were confident that access to critical systems and data had been blocked for the most recent employee to leave the company. When asked if they knew someone who still had access to a former employer’s systems or data, 52% said yes.

The biggest perceived risks of failing to fully deprovision a former employee were sensitive data leakage (38%), cyberattacks through an unmanaged account (26%), and malicious data theft (24%).

When asked about the reasons for the onboarding, amending, and offboarding issues, the main issue was poorly defined processes, cited as a problem by 24% of surveyed IT professionals. 23% said there were issues with automation and 10% said it was due to a lack of resources. More than half of IT professionals (54%) had to make changes manually, 37% used some automation, and just 9% said processes were fully automated and were applied as soon as HR makes a change.

Unless job roles and permissions are well defined and procedures properly documented, issues will occur and without a high degree of automation, there are bound to be delays offboarding employees, even though the delays expose companies to considerable risk and potential fines for noncompliance.
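One way to close the gap the survey describes, and the prompt-termination failure Severino singled out earlier on this page, as an added example that is not from Ivanti, HIPAA Journal or any identity product: a Python reconciliation that compares an HR roster against a snapshot of directory accounts and emits the outstanding leaver, mover and orphan-account actions, marking which are already past a service-level window. The HR feed, the directory state, the role-to-group matrix and the one-day window are constructed assumptions; in a real deployment the two inputs would be pulled from the HR system and the directory (or IdP) on a schedule, and the actions fed to an automated provisioning step.

```python
from datetime import date, timedelta

# Constructed HR feed: employee id -> (status, current role, date the status/role took effect)
HR_FEED = {
    "e100": ("active", "nurse", date(2019, 6, 1)),
    "e101": ("terminated", "billing", date(2019, 9, 2)),
    "e102": ("active", "it_admin", date(2019, 9, 9)),   # moved from billing to IT on 9 Sept
    "e103": ("active", "billing", date(2019, 3, 1)),
    "e104": ("terminated", "nurse", date(2019, 9, 10)),
}

# Constructed directory snapshot: account -> enabled flag and group memberships
DIRECTORY = {
    "e100": {"enabled": True, "groups": {"ehr_clinical"}},
    "e101": {"enabled": True, "groups": {"ehr_billing", "vpn"}},                    # leaver, still live
    "e102": {"enabled": True, "groups": {"ehr_billing", "vpn", "domain_admins"}},   # mover kept old group
    "e103": {"enabled": True, "groups": {"ehr_billing"}},
    "e104": {"enabled": False, "groups": set()},                                     # leaver, handled
    "svc_legacy": {"enabled": True, "groups": {"vpn"}},                              # no HR record at all
}

# Assumed role-to-entitlement matrix: the only groups an account in that role should hold
ROLE_GROUPS = {
    "nurse": {"ehr_clinical"},
    "billing": {"ehr_billing"},
    "it_admin": {"vpn", "domain_admins"},
}

SLA = timedelta(days=1)  # assumed: an HR change must be reflected in the directory within a day


def reconcile(hr, directory, role_groups, today, sla=SLA):
    """Compare the directory with HR and return the access changes still outstanding."""
    actions = []

    def add(account, finding, action, overdue):
        actions.append({"account": account, "finding": finding,
                        "action": action, "overdue": overdue})

    for account, state in directory.items():
        record = hr.get(account)
        if record is None:
            # Nobody in HR owns this account: an unmanaged account an attacker can live in.
            if state["enabled"]:
                add(account, "orphan_account", "disable_and_review_owner", None)
            continue
        status, role, effective = record
        overdue = (today - effective) > sla
        if status == "terminated":
            # Leaver: the account must be disabled and stripped of every group.
            if state["enabled"] or state["groups"]:
                add(account, "leaver_still_enabled", "disable_and_strip_groups", overdue)
            continue
        # Joiner or mover: entitlements must match the current role exactly.
        expected = role_groups[role]
        extra = state["groups"] - expected
        missing = expected - state["groups"]
        if extra:
            add(account, "excess_entitlements", "remove:" + ",".join(sorted(extra)), overdue)
        if missing:
            add(account, "missing_entitlements", "add:" + ",".join(sorted(missing)), overdue)
    return actions


if __name__ == "__main__":
    for a in reconcile(HR_FEED, DIRECTORY, ROLE_GROUPS, date(2019, 9, 10)):
        flag = " (PAST SLA)" if a["overdue"] else ""
        print(f"{a['account']}: {a['finding']} -> {a['action']}{flag}")
```

On the constructed data the run reports e101 as a leaver whose account is still enabled eight days after termination, e102 as a mover who kept the billing group after moving to IT (still inside the window), and svc_legacy as an enabled account with no owner in HR. Treating the HR feed as the source of truth and diffing against the directory, rather than waiting for a ticket, is what turns the "fully automated, applied as soon as HR makes a change" process the survey found in only 9% of organizations into something routine.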

Senate Fails to Remove Ban on Funding of National Patient Identifier

The Department of Health and Human Services (HHS) is prohibited from using any of its budget to fund the development and implementation of a national patient identifier, but there was hope that the ban would finally be lifted this year.

The House of Representatives added an amendment to its Departments of Labor, Health and Human Services, and Education, and Related Agencies Appropriations Act, 2020 that removed the ban, which would allow the HHS to follow through on this requirement of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

It now looks likely that the ban will remain in place for at least another year as the Senate Appropriations Subcommittee’s draft 2020 fiscal budget bill, released last Wednesday, has retained the text banning the HHS from acting on this HIPAA requirement.

The ban has been in place since 1999 and was introduced because of concerns over patient privacy. The ban has been written into the Congressional budget every year since and the proposed 2020 fiscal budget bill is no different.

The proposed fiscal budget bill includes the text, “None of the funds made available in this act may be used to promulgate or adopt any final standard under section 1173(b) of the Social Security Act providing for, or providing for the assignment of, a unique health identifier for an individual (except in an individual’s capacity as an employer or a health care provider), until legislation is enacted specifically approving the standard.”

The purpose of the national patient identifier is to make it easier for patients to be efficiently matched with their health records. Regardless of where a patient receives treatment, their health data will be tied to them through their unique national patient identifier code. The new identifier would help to ensure that patient information could flow freely between different healthcare organizations and it is seen by many healthcare industry stakeholders to be essential for full interoperability. A national patient identifier could help to improve patient privacy, patient safety, and eliminate considerable waste and misspending in healthcare.

For several years, industry associations such as the College of Healthcare Information Management Executives (CHIME), the American Health Information Management Association (AHIMA), and the Health Innovation Alliance (HIA) have been calling for the ban to be lifted.

HIA Executive Director Joel White has called the ban ‘antiquated’ and said studies have suggested that patients are matched with their records as little as 50% of the time, a problem he argues a national patient identifier would solve.

Efforts to have the ban removed have stepped up in recent years, and this year 56 healthcare stakeholder groups urged the Senate to remove the ban. Significant progress was made this year when the amendment receives strong bipartisan support in the House of Representatives.

Convincing the Senate to lift the ban is proving more difficult. As long as privacy concerns remain, the ban is unlikely to be lifted. One of the main issues is that a single identifier would be used to tie medical records to an individual from birth until death, which could allow unprecedented tracking of Americans through their health records. It could also potentially facilitate the sharing, use, and analysis of patient data without patient consent.

While the draft fiscal budget bill has not had the ban removed, it is possible that an amendment could be made at a later date. AHIMA and CHIME leaders remain hopeful that the Senate will follow the House’s lead and have the ban lifted this year.

The post Senate Fails to Remove Ban on Funding of National Patient Identifier appeared first on HIPAA Journal.

Study Reveals Types of Protected Health Information Most Commonly Exposed in Healthcare Data Breaches

Researchers from Michigan State University and Johns Hopkins University have conducted a study of healthcare data breaches over the past 10 years to examine what types of information are most commonly exposed in healthcare data breaches.

The study, published in the journal Annals of Internal Medicine on Monday September 23, 2019, confirms that the health information of approximately 169 million Americans was exposed, compromised, or impermissibly disclosed in 1,461 data breaches at 1,388 entities between October 2009 and July 2019. Those breaches each impacted 500 or more individuals and were reportable incidents under HIPAA and the HITECH Act.

The researchers explain that data on the types of information exposed in data breaches is not widely available to the public, since there is no requirement to share which types of data were compromised in a breach. It is therefore difficult for researchers to classify the amount and types of healthcare information exposed and to gain an accurate picture of the consequences of the breaches.

“When the media reports data breaches that occurred to healthcare providers, the headline is always the number of patients affected,” explained John (Xuefeng) Jiang, professor of accounting and information systems at MSU and lead author of the study. “We felt both the regulators and the public didn’t pay enough attention to the type of information compromised in the healthcare data breach.”

Types of Data Exposed in Healthcare Data Breaches

For the study, the researchers categorized healthcare data into three main groups: demographic information (names, email addresses, personal identifiers, etc.); service and financial information (payments, payment dates, billing amounts, etc.); and medical information (diagnoses, treatments, medications, etc.).

Social Security numbers, driver’s license numbers, payment card information, bank account information, insurance information, and birth dates were assigned to a subcategory of sensitive demographic information. This information could be used by criminals for identity theft, medical identity theft, tax fraud, and financial fraud. A subcategory of medical information was also created for particularly sensitive health data such as substance abuse records, HIV status, sexually transmitted diseases, mental health information, and cancer diagnoses, due to the potential implications for patients should that information be exposed or compromised.

Key Findings of the Study

  • 71% of breaches involved either sensitive demographic information or sensitive financial information, which placed 159 million individuals at risk of identity theft or financial fraud
  • 66% of breaches involved sensitive demographic information such as Social Security numbers
  • 65% of the breaches exposed general medical or clinical information
  • 35% of breaches compromised service or financial information
  • 16% of breaches only exposed medical or clinical information without exposing sensitive demographic or financial information
  • 76% of breaches included sensitive service and financial information such as credit card numbers; those breaches affected 49 million individuals
  • 2% of breaches compromised sensitive health information; those breaches affected 2.4 million individuals

Jiang believes hackers are not targeting healthcare organizations specifically to gain access to patients’ sensitive medical information; instead, healthcare organizations are attacked and hackers take whatever data they can find in the hope that it can be monetized. Jiang suggests hospitals and research institutions should store medical information separately from demographic information. Medical information could then be shared between healthcare providers and researchers without greatly increasing risks for patients. A separate system could be used for the demographic, financial, and billing information needed by hospital administration staff.

The researchers advocate greater focus on the types of information exposed or compromised in healthcare data breaches to help breach victims manage risk more effectively. They suggest the Department of Health and Human Services should formally collect and publish information about the types of data that have been exposed in data breaches to help the public assess the potential for harm. The researchers plan to work closely with lawmakers and the healthcare industry to provide practical guidance and advice based on the results of their academic studies.

Data Breach Notifications Under HIPAA

The HIPAA Breach Notification Rule requires all patients affected by a reportable healthcare data breach to be notified within 60 days of discovery of the breach. Affected individuals must be told what types of information have been exposed or compromised, as that information allows breach victims to assess the risk they face and decide what action to take to reduce the risk of harm.

OCR explains in its online guidance on breach notification requirements of HIPAA, “These individual notifications must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach and must include, to the extent possible, a brief description of the breach, a description of the types of information that were involved in the breach, the steps affected individuals should take to protect themselves from potential harm, a brief description of what the covered entity is doing to investigate the breach, mitigate the harm, and prevent further breaches, as well as contact information for the covered entity (or business associate, as applicable).”

Publicly Available HIPAA Breach Information

The HHS’ Office for Civil Rights, as required by the HITECH Act, has been publishing summaries of data breaches of 500 or more healthcare records on the HHS website since October 2009. The breach portal, which can be accessed by the public, contains basic information about the breaches.

The breach portal details the name of the breached entity, state, type of covered entity, individuals affected, breach submission date, type of breach, location of breached information, and whether there was business associate involvement. This information can also be downloaded for breaches that are under investigation by OCR and for incidents that have been archived following the closure of the OCR investigation.

When a data breach is archived, further information is added to the breach summary in a “web description” field. The web description is not available for breaches still under investigation, only for archived breaches, and it is only viewable in the downloaded breach reports.

In many, but not all, cases the web description includes details of the types of information that were exposed in the breach. Formalizing a requirement to report the types of data exposed would ensure that every breach detailed on the portal has that information included. The web description field also includes information on any actions taken by OCR in response to the breach that led to the resolution and closure of the investigation.
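To show how the study’s taxonomy (demographic, service/financial, and medical information, each with a sensitive subcategory) can be applied to the portal’s “web description” text, here is an added Python example that is not part of the study or of HHS tooling. The keyword map and the sample breach rows are constructed for illustration; the researchers’ actual coding rules are not described on the page.

```python
import re
from collections import Counter

# Keyword map for the study's taxonomy (constructed: the researchers' exact coding
# rules are not on the page). A sensitive subcategory also implies its parent group.
CATEGORIES = {
    "demographic": [r"\bname", r"\bemail", r"\baddress"],
    "sensitive_demographic": [r"social security", r"\bssn\b", r"driver'?s? licen",
                              r"dates? of birth", r"\bbirth ?dates?", r"\binsurance"],
    "service_financial": [r"\bpayment", r"\bbilling", r"\binvoice"],
    "sensitive_financial": [r"credit card", r"payment card", r"bank account"],
    "medical": [r"\bdiagnos", r"\btreatment", r"\bmedication", r"\bclinical"],
    "sensitive_medical": [r"\bhiv\b", r"substance abuse", r"mental health",
                          r"sexually transmitted", r"\bcancer"],
}
PARENT = {"sensitive_demographic": "demographic", "sensitive_financial": "service_financial", "sensitive_medical": "medical"}

def classify(description):
    """Return the set of taxonomy categories mentioned in one web-description string."""
    text = description.lower()
    cats = {c for c, pats in CATEGORIES.items() if any(re.search(p, text) for p in pats)}
    return cats | {PARENT[c] for c in cats if c in PARENT}

def summarize(breaches):
    """Study-style findings: share of breaches and individuals affected per category."""
    n = len(breaches)
    share, people = Counter(), Counter()
    coded = [(classify(b["web_description"]), b["individuals_affected"]) for b in breaches]
    for cats, affected in coded:
        for c in cats:
            share[c] += 1
            people[c] += affected
    # Identity-theft / fraud exposure: any sensitive demographic or sensitive financial element
    at_risk = [a for c, a in coded if c & {"sensitive_demographic", "sensitive_financial"}]
    return {
        "pct": {c: round(100 * share[c] / n) for c in CATEGORIES},
        "individuals": dict(people),
        "identity_theft_risk_pct": round(100 * len(at_risk) / n),
        "identity_theft_risk_individuals": sum(at_risk),
        "medical_only_pct": round(100 * sum(c == {"medical"} for c, _ in coded) / n),
    }

# Constructed sample rows mirroring the portal columns named in the article.
SAMPLE_BREACHES = [
    {"entity": "Clinic A", "individuals_affected": 1200, "web_description": "Names, dates of birth, Social Security numbers and diagnoses were exposed."},
    {"entity": "Hospital B", "individuals_affected": 50000, "web_description": "A stolen laptop held patient names, billing amounts and credit card numbers."},
    {"entity": "Practice C", "individuals_affected": 800, "web_description": "Treatment notes and medication lists were viewed by a former employee."},
    {"entity": "Lab D", "individuals_affected": 3000, "web_description": "Compromised email accounts held names, insurance details and HIV test results."},
]
```

Running `summarize(SAMPLE_BREACHES)` on the constructed rows reproduces the shape of the study’s findings: the share of breaches per category, the individuals affected, and the share that exposed only medical data without sensitive identifiers.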

The post Study Reveals Types of Protected Health Information Most Commonly Exposed in Healthcare Data Breaches appeared first on HIPAA Journal.