HIPAA Compliance News

August 2019 Healthcare Data Breach Report

Posted September 23, 2019 by HIPAA Journal

In August, healthcare data breaches continued to be reported at a rate of more than 1.5 per day, which is around twice the average monthly breaches in 2018 (29.5 per month). This is the second successive month when breaches have been reported at such an elevated level. While the number of breaches has not changed much since last month (49 compared to 50), there has been a substantial reduction in the number of exposed records.

August saw 729,975 healthcare records breached compared to 25,375,729 records in July, 3,452,442 records in June, and 1,988,376 records in May. The exceptionally high breach total for July was mostly due to the massive data breach at American Medical Collection Agency (See below for an update on the AMCA breach total).

Causes of August 2019 Healthcare Data Breaches

Hacking and other IT incidents dominated the breach reports in August. 32 breaches were attributed to hacking/IT incidents, which is almost double the number of breaches from all other causes. Hacking/IT incidents breached 602,663 healthcare records – 82.56% of all records breached in August. The average breach size was 18,833 records and the median breach size was 5,248 records.

There were 12 unauthorized access/disclosure incidents reported in August which breached 77,316 healthcare records. Those incidents breached an average of 6,443 records and the mean breach size was 1,281 records. There were 3 loss incidents and 2 theft incidents. The theft incidents saw 17,650 records potentially compromised and 32,346 records were exposed due to the loss of paperwork or electronic devices. The mean loss breach size was 10,782 records and the mean theft breach size was 8,825 records.

Location of Breached PHI

Phishing continues to pose serious problems for healthcare organizations. Out of the 49 reported breaches, 46.94% – 23 breaches – involved PHI stored in email accounts. The majority of those email breaches were due to phishing attacks.

There were 9 breaches reported that involved PHI stored on network servers, several of which involved ransomware. There were 7 breaches involving paper records/films, highlighting the need for enhanced physical security and administrative controls.

Four breaches involved portable electronic devices such as zip drives and laptop computers. These types of breaches have reduced considerably in recent years largely through the use of encryption, which should be implemented on all portable electronic devices used to store ePHI.

Defending against phishing attacks is a major challenge, and one that can only be solved through layered defenses and staff training. Technological solutions such as spam filters, web filters, firewall rules, multi-factor authentication, and DMARC should be implemented to block phishing attempts, but the sophisticated nature of many phishing campaigns means even layered defenses may be bypassed. End user training is therefore essential. Employees must be trained how to recognize email threats and conditioned how to respond when suspicious emails land in their inboxes.

An annual training session may have been sufficient to provide protection a few years ago, but the increased number of attacks and diverse nature of email threats means a single annual training session is no longer enough. Annual classroom-based training sessions should be augmented with more regular refresher training sessions, cybersecurity bulletins, and email alerts about new threats to watch out for. Phishing simulation exercises are also very beneficial for helping identify individuals who require further training and to find out how effective training has been at reducing susceptibility to phishing attacks.

Largest Healthcare Data Breaches in August 2019

Listed below are the top ten healthcare data breaches reported in August 2019. The largest breach of the month was a phishing attack on Presbyterian Healthcare Services, which saw 183,370 healthcare records breached. The Conway Regional Health System, NorthStar Anesthesia, and Source 1 Healthcare Solutions breaches were also due to phishing attacks.

The Wisconsin Diagnostic Laboratories breach, which affected 114,985 individuals, the 33,370-record breach at Mount Sinai Hospital, and the 29,644-record breach at Integrated Regional Laboratories were all due to the hacking of business associate AMCA.

The breach at Grays Harbor Community Hospital was due to a ransomware attack and the Renown Health breach was due to the loss of a portable storage device. The cause of the breach at Timothee T. Wilkin, D.O. has not been confirmed.

Name of Covered Entity	Covered Entity Type	Individuals Affected	Type of Breach
Presbyterian Healthcare Services	Healthcare Provider	183370	Hacking/IT Incident
Wisconsin Diagnostic Laboratories	Healthcare Provider	114985	Hacking/IT Incident
Grays Harbor Community Hospital	Healthcare Provider	88399	Hacking/IT Incident
Conway Regional Health System	Healthcare Provider	37000	Unauthorized Access/Disclosure
Mount Sinai Hospital	Healthcare Provider	33730	Hacking/IT Incident
Integrated Regional Laboratories, LLC	Healthcare Provider	29644	Hacking/IT Incident
Renown Health	Healthcare Provider	27004	Loss
NorthStar Anesthesia, P.A.	Healthcare Provider	19807	Unauthorized Access/Disclosure
Source 1 Healthcare Solutions LLC	Business Associate	15450	Hacking/IT Incident
Timothee T. Wilkin, D.O.	Healthcare Provider	15113	Hacking/IT Incident

August 2019 Healthcare Data Breaches by Covered Entity Type

42 of the month’s 49 data breaches were reported by healthcare providers and three incidents were reported by health plans. Business associates reported 4 breaches and a further 8 incidents had some business associate involvement.

August 2019 Healthcare Data Breaches by State

August’s healthcare data breaches affected entities based in 26 states. Texas was the worst affected with 5 reported breaches. 4 breaches were reported by entities based in Washington state, and three breaches were suffered by entities based in Arkansas, New York, and Pennsylvania.

California, Georgia, Illinois, Massachusetts, Minnesota, Missouri, New Mexico, Ohio, Oregon, and Wisconsin each experienced 2 breaches and one breach was reported by an entity based in each of Connecticut, Florida, Iowa, Kansas, Michigan, Nevada, New Jersey, Oklahoma, Rhode Island, Tennessee, and Virginia.

HIPAA Enforcement Activity in August 2019

There were no civil monetary penalties or settlements between the HHS and HIPAA-covered entities/business associates in August, and also no HIPAA-related enforcement activities by state attorneys general.

AMCA Data Breach Update

The AMCA data breach affected at least 24 healthcare organizations, 23 of which have now submitted breach reports to the Department of Health and Human Service’ Office for Civil Rights. The confirmed breach total currently stands at 26,043,743 records with a further 16,100 records expected to be added to that total. These breaches were mostly reported to OCR in July and August.

	Healthcare Organization	Confirmed Victim Count
1	Quest Diagnostics/Optum360	11,500,000
2	LabCorp	10,251,784
3	Clinical Pathology Associates	1,733,836
4	Carecentrix	467,621
5	Laboratories/Opko Health	425,749
6	American Esoteric Laboratories	409,789
7	Sunrise Medical Laboratories	401,901
8	Inform Diagnostics	173,617
9	CBLPath Inc.	141,956
10	Laboratory Medicine Consultants	140,590
11	Wisconsin Diagnostic Laboratories	114,985
12	CompuNet Clinical Laboratories	111,555
13	Austin Pathology Associates	43,676
14	Mount Sinai Hospital	33,730
15	Integrated Regional Laboratories	29,644
16	Penobscot Community Health Center	13,299
17	Pathology Solutions	13,270
18	West Hills Hospital and Medical Center / United WestLabs	10,650
19	Seacoast Pathology, Inc	8,992
20	Arizona Dermatopathology	5,903
21	Laboratory of Dermatology ADX, LLC	4,082
22	Western Pathology Consultants	4,079
23	Natera	3,035
24	South Texas Dermatopathology LLC	TBC (Est. 16,100)
	Total Records Breached	26,043,743

The post August 2019 Healthcare Data Breach Report appeared first on HIPAA Journal.

Webinar: Social Media and HIPAA Compliance: Protecting Your Practice in the Digital Age

Posted September 10, 2019 by HIPAA Journal

Social media is a potential minefield for HIPAA violations. One impulsive response to an online review could violate the privacy of a patient, breach HIPAA Rules, and leave and the practice at risk of a significant HIPAA violation penalty.

In the digital age, healthcare providers have to deal with a whole new set of privacy concerns. Social media cannot be avoided, so it is important to understand what must be done to protect the business.

“Proactively generating reviews and also responding to them effectively, in a timely manner is essential to marketing your practice. However, without proper precaution, health care providers could face serious privacy breaches and even HIPAA violations,” said Liam.

In the webinar, Liam will explain how healthcare providers can respond to reviews in a manner that minimizes legal risk, while remaining fully compliant with HIPAA regulations.

Webinar Details:

Date: Tuesday, September 17th

Time: 2:00 pm ET/11:00 am PT

Register Here

The post Webinar: Social Media and HIPAA Compliance: Protecting Your Practice in the Digital Age appeared first on HIPAA Journal.

OCR Settles First HIPAA Violation Case Under 2019 Right of Access Initiative

Posted September 9, 2019 by HIPAA Journal

Earlier this year, the Department of Health and Human Services’ Office for Civil Rights (OCR) announced that one of the main areas of HIPAA enforcement in 2019 would be HIPAA right of access failures, including untimely responses to access requests and overcharging for copies of medical records.

The HIPAA right of access allows patients to obtain copies of their medical records on request. HIPAA-covered entities are required to honor those requests and provide patients with access to PHI or copies of health data contained in a ‘designated record set’ within 30 days of the request being received. A covered entity is permitted to charge a reasonable, cost-based fee for providing a copy of the individual’s PHI, which can include the cost of certain labor, supplies and postage.

HIPAA-covered entities that fail to provide copies of records in a reasonable time frame or charge excessive amounts for providing a copy of a patient’s PHI are in violation of the HIPAA Privacy Rule – See 45 CFR 164.501. Such violations can attract a sizable financial penalty.

This week, OCR has announced that the first settlement has been reached with a HIPAA-covered entity under the right of access initiative. Bayfront Health St. Petersburg, a 480-bed hospital in St. Petersburg, FL, has agreed to pay OCR $85,000 to settle the case.

OCR launched an investigation into a potential HIPAA violation at Bayfront Health following receipt of a complaint from a patient on August 14, 2018. The patient alleged that she had requested her fetal heart monitor records from Bayfront Health St. Petersburg in October 2017. At the time of the complaint, 9 months after the request was made, she had still not been provided with a full copy of her records.

OCR confirmed that the patient made the request on October 18, 2017 and was informed by Bayfront Health that the records could not be found. Two further requests were sent to Bayfront Health by the patient’s counsel on January 2, 2018 and February 12, 2018. In March 2018, Bayfront Health provided an incomplete set of records and a complete response was only received on August 23, 2018. The patient’s counsel shared the records with the patient, but it took the intervention of OCR for the fetal heart monitor records to be provided to the patient. Those records were provided directly to the patient on February 7, 2019.

OCR determined that the failure to provide access to the patient’s designated record set was a clear violation of 45 C.F.R. § 164.524 and that the HIPAA violation warranted a sizable financial penalty.

“Providing patients with their health information not only lowers costs and leads to better health outcomes, it’s the law,” said OCR Director Roger Severino. “We aim to hold the health care industry accountable for ignoring peoples’ rights to access their medical records and those of their kids.”

In addition to the financial penalty, Bayfront Health has agreed to implement a corrective action plan and will be monitored by OCR for the following 12 months.

The post OCR Settles First HIPAA Violation Case Under 2019 Right of Access Initiative appeared first on HIPAA Journal.

Most Patients Happy to Share EHR Data for Research, But Not Entire Medical Record

Posted September 6, 2019 by HIPAA Journal

A majority of patients are comfortable with sharing their biospecimens and EHR data for research purposes, according to a new study published in JAMA Network Open; however, most patients want to restrict the sharing of at least one part of their medical record. Patients also exhibited preferences as to the institutions with whom their data and biospecimens were shared.

Certain legislation covering the use of EHR data and biospecimens allow patient data to be shared for research purposes, either in identifiable or de-identified form, unless the patient explicitly opts out of data sharing. The researchers note that this all or nothing approach is problematic, as many patients are concerned about sharing certain types of information due to fears about secondary uses of their data.

The researchers investigated the attitudes of 1,246 adults in the United States about a tiered consent approach to EHR record sharing. This approach splits an individual’s medical records into smaller parts, which allows patients to consent to sharing certain parts of their medical records and restricting sharing on others. The researchers also investigated attitudes toward sharing EHR or partial EHR data with different types of researchers.

A small percentage of patients – 46 individuals (3.7%) – declined to share their EHR data with their own healthcare provider, 352 individuals (28.3%) declined sharing their data with nonprofit organizations, and 590 (47.4%) declined to share their data with for-profit organizations. 291 individuals (23.4%) said they would be happy to share data with any researcher.

Overall, 909 patients (72.9%) were willing to share their EHR data and biospecimens selectively and, in general, there was a preference for sharing data within the organization where patients received medical care, followed by nonprofit healthcare organizations. Patients were least willing to share data with for-profit organizations. The majority of patients said at least one item on their medical record should not be shared with others for research purposes.

“In a system in which people can choose where to receive care, it seems plausible that a patient selects to receive care in the most trusted institution, and this trust may more easily transfer to the care of data and biospecimens,” wrote the researchers.

By giving patients the choice of sharing subsets of their EHR data, patients would appear to be more open to sharing their records for research purposes. The researchers also found that there was a marked difference in the number of patients willing to share their data based on the method of obtaining consent. When opt-in forms were used, patients were willing to share fewer data items than when opt-out forms were used.

“We found that a tiered-permission system that allowed for specific removal of data items or categories of data could be implemented in practice and that it mattered to participants with whom the EHR data and biospecimens would be shared because there were differences in sharing preferences according to the researchers’ affiliations,” said the researchers.

The post Most Patients Happy to Share EHR Data for Research, But Not Entire Medical Record appeared first on HIPAA Journal.

Hurricane Dorian: Limited HIPAA Waiver Issued in Puerto Rico, Florida, Georgia, South Carolina

Posted September 4, 2019 by HIPAA Journal

Alex Azar, Secretary of the Department of Health and Human Services (HHS) has declared a public health emergency (PHE) in Puerto Rico and the states of Florida, Georgia, and South Carolina due to Hurricane Dorian.

The announcement follows the presidential PHE in the above areas as the states prepare for when the hurricane makes landfall. The declaration was accompanied by the announcement of a limited waiver of HIPAA sanctions and penalties for certain provisions of the HIPAA Privacy Rule, as mandated by the Project Bioshield Act of 2004 of the Social Security Act. The waiver only applies in the emergency areas and for the period of time covered by the PHE.

The waiver applies to hospitals that have implemented their disaster protocol, and only for up to 72 hours from when the disaster protocol was implemented, unless the PHE declaration terminates before that 72-hour period has elapsed.

Once the PHE comes to an end, hospitals are required to comply with all requirements of the HIPAA Privacy Rule for all patients, including those still under the care of the hospital when the PHE ends. The HHS notes that during a PHE, the requirements of the HIPAA Privacy and Security Rules remain in place.

Even in the absence of a HIPAA waiver, the HIPAA Privacy Rule permits the sharing of patient information with friends, family, public health officials, and emergency personnel. Entities can share patient information for the purposes of providing treatment, for public health activities, and to lessen a serious threat to public health or safety. Information can also be shared with patients’ friends, family and other individuals involved in their care to ensure that proper care and treatment can be provided.

Under the terms of the HIPAA waiver, the HHS agrees to waive HIPAA sanctions and penalties for the following provisions of the HIPAA Privacy Rule:

The requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care. See 45 CFR 164.510(b).
The requirement to honor a request to opt out of the facility directory. See 45 CFR 164.510(a).
The requirement to distribute a notice of privacy practices. See 45 CFR 164.520.
The patient’s right to request privacy restrictions. See 45 CFR 164.522(a).
The patient’s right to request confidential communications. See 45 CFR 164.522(b).

Further information on the waiver and HIPAA privacy and disclosures of PHI in emergency situations can be found on the following link: https://www.hhs.gov/sites/default/files/hurricane-dorian-hipaa-bulletin.pdf

The post Hurricane Dorian: Limited HIPAA Waiver Issued in Puerto Rico, Florida, Georgia, South Carolina appeared first on HIPAA Journal.

UCMC and Google File Motions to Dismiss HIPAA Privacy Lawsuit

Posted September 2, 2019 by HIPAA Journal

On June 26, a patient of University of Chicago Medical Center (UCMC) filed a lawsuit against the medical center and Google over an alleged privacy violation related to the sharing of protected health information (PHI) without first properly de-identifying the data.

Patient information was shared with Google to assist with the development of its predictive medical data analytics technology. HIPAA does not prohibit the sharing of information with third parties such as technology companies, provided consent is obtained from patients prior to information being shared.

Alternatively, healthcare organizations can share patient information provided it is de-identified. Under HIPAA, that means removing 18 identifiers to ensure patients cannot be identified. HIPAA calls for one of two methods to be used to de-identify PHI: Expert determination or the safe harbor method. The latter involves stripping PHI of all 18 identifiers, while the former requires an expert to determine, through recognized statistical and scientific principles, that the risk of patients being re-identified is sufficiently low.

The lawsuit alleges UCMC failed to remove all the necessary information from the data prior to it being shared with Google. In addition to the dates and times when patients checked in/out of hospital, the lawsuit alleges “copious free-text notes” were also shared with Google.

The time stamps place each patient at the hospital at a specific time, which places patient privacy at risk. The lawsuit alleges the inclusion of time stamps violates the provisions of the safe harbor de-identification method and that UCMC did not obtain consent from patients to share their data with Google.

The main issue is Google already stores vast quantities of user data from its “prolific data mining” activities and that the tech giant is in a position where it could identify all individuals from the medical records provided by UCMC.

The lawsuit even goes as far as to suggest the collaboration between the medical center and the hospital is an attempt to “pull off what is likely the greatest heist of consumer medical records in history.”

Last week, UCMC and Google filed motions to have the lawsuit dismissed. The defendants claim that a secure process was employed to de-identify patient data and that the process was fully compliant with HIPAA Rules. Further, Google argues that the plaintiff and other class members do not allege Google has used its data to re-identify patients, only that the company has the capability of doing so. Consequently, no injury has been sustained as a result of the sharing of information and even if an injury had been sustained, the case should be dismissed as there is no private right of action under HIPAA.

The defendants also argue that the definition of the intrusion provided by the plaintiffs does not fall under HIPAA as each patient voluntarily provided their medical information to the medical center. Instead, it falls under the Consumer Fraud and Deceptive Business Practices Act.

The post UCMC and Google File Motions to Dismiss HIPAA Privacy Lawsuit appeared first on HIPAA Journal.

OCR Offers Advice on Managing Malicious Insider Threats

Posted August 30, 2019 by HIPAA Journal

Healthcare organizations can implement robust defenses to prevent hackers from gaining access to sensitive data, but not all threats come from outside the organization. It is also important to implement policies, procedures, and technical solutions to detect and prevent attacks from within.

Healthcare employees require access to protected health information (PHI) to perform their work duties. While those individuals may be deemed trustworthy, providing access to PHI exposes the organization to risk. Workers can go rogue and access patient information without authorization and could easily abuse their access rights and steal patient data for financial gain.

There will always be the occasional bad apple, but the 2019 Verizon Data Breach Investigations Report suggests the problem is far more prevalent. According to the report, 59% of all security incidents and data breaches analyzed for the report were caused by insiders.

Many of those breaches were due to mistakes made by healthcare employees, but a significant percentage were caused by malicious insiders who stole patient information for financial gain. Common malicious insider attacks include accessing the medical records of celebrities for financial gain and stealing patient data to commit identity theft and fraud.

These attacks can have grave implications for patients, who may suffer huge losses from identity theft and other misuses of their PHI. The attacks can also cause financial and reputational harm to the healthcare organization and expose the organization to regulatory fines. Memorial Healthcare System was fined $5.5 million for HIPAA violations related to the inappropriate access and theft of health data by some of its employees in 2012.

This week, the Department of Health and Human Services’ Office for Civil Rights (OCR) has issued advice to healthcare organizations on how they can reduce the risk of insider breaches and ensure they are detected rapidly when they do occur.

In its 2019 Summer Cybersecurity Newsletter, OCR offers tips on overcoming the challenges associated with protecting patient data from attacks from within and explains how risk can be managed to comply with HIPAA Rules.

In order to protect patient data, healthcare providers must know all locations whether patient information is stored and how that information flows throughout the organization. Without such knowledge it is impossible to conduct a thorough and accurate risk analysis to determine all risks to the confidentiality, integrity, and availability of patient data and reduce those risks to a reasonable an appropriate level.

Physical, technical and administrative access controls must be implemented to protect patient data against unauthorized access from within. Role-based access controls can help to reduce risk by preventing employees from accessing resources they are not authorized to use. Those controls should limit access to the minimum necessary information required to perform that individuals work duties.

OCR also reminds covered entities that they should control what individuals are able to do with patient data. If view only access is required, users should not be able to modify, delete, or download data. Controls should be implemented to prevent access from certain devices such as smartphones and the copying of data to portable storage devices such as zip drives.

The complex nature of healthcare IT systems makes it hard to achieve total visibility into the entire network and see every device in use. However, without full visibility, it is difficult to identify unauthorized data access quickly. OCR reminds covered entities that they must overcome the challenges and gain visibility into what users are doing on the network. Security teams must regularly check system, event, application, and audit logs in order to quickly detect suspicious activity and unusual patterns of data access. It may not be possible to prevent insider breaches, but when they occur, they must be identified and rectified promptly. There have been many cases of insiders accessing patient records without authorization for several years before the breach is detected.

Safeguards can be implemented, and policies and procedures developed to reduce risk, but those measures may not remain effective forever. Security is a dynamic process. Safeguards, policies and procedures need to be regularly assessed to ensure they continue to be effective. Access rights should be monitored and changed as appropriate when employees change role or transfer to a different department, and physical and electronic access to data must be terminated quickly when employees leave the organization.

Preventing and detecting attacks by malicious insiders is certainly a challenge, but by recognizing the risks and implementing appropriate safeguards, the risk of a breach can be managed and reduced to an acceptable level.

The post OCR Offers Advice on Managing Malicious Insider Threats appeared first on HIPAA Journal.

July 2019 Healthcare Data Breach Report

Posted August 26, 2019 by HIPAA Journal

May 2019 was the worst ever month for healthcare data breaches with 46 reported breaches of more than 500 records. More breaches were reported in May than any other month since the HHS’ Office for Civil Rights started publishing breach summaries on its website in 2009. That record of 44 breaches was broken in July.

July saw 50 healthcare data breaches of more than 500 records reported to the Department of Health and Human Services’ Office for Civil Rights, which is 13 more breaches than the monthly average for 2019 and 20.5 more breaches than the monthly average for 2018.

July 2019 was the second worst month in terms of the number of healthcare records exposed. 25,375,729 records are known to have been exposed in July.

There are still 5 months left of 2019, yet more healthcare records have been breached this year than in all of 2016, 2017, and 2018 combined. More than 35 million individuals are known to have had their healthcare records compromised, exposed, or impermissibly disclosed this year.

Causes of July 2019 Healthcare Data Breaches

The main reason for the increase in reported data breaches in July is the colossal data breach at American Medical Collection Agency (AMCA). AMCA provides medical billing and collection services and its clients included some of the largest medical testing laboratories in the United States. Those clients have now been lost as a result of the breach.

The final victim count is not yet known, nor the number of records compromised in the breach. To date, 22 healthcare organizations have confirmed they have been affected and more than 24 million records are known to have been exposed. At least 8 healthcare organizations have not yet submitted their breach reports to OCR.

Healthcare Providers Impacted by the American Medical Collection Agency Data Breach

	Healthcare Organization	Estimated Records Exposed	Confirmed Victim Count
1	Quest Diagnostics/Optum360	11,900,000	11,500,000
2	LabCorp	7,700,000	10,251,784
3	Clinical Pathology Associates	2,200,000	1,733,836
4	Carecentrix	500,000	467,621
5	American Esoteric Laboratories	541,900	409,789
6	Inform Diagnostics	173,617	173,617
7	Laboratory Medicine Consultants	147,600	140,590
8	Integrated Regional Laboratories	29,644	29,644
21	Penobscot Community Health Center	13,000	13,299
9	West Hills Hospital and Medical Center / United West Labs	10,650	10,650
10	Seacoast Pathology, Inc	10,000	8,992
11	Arizona Dermatopathology	7,000	5,903
12	Western Pathology Consultants	4,550	4,079
13	Natera	3,000	3,035
14	Sunrise Medical Laboratories	427,000	TBC
15	BioReference Laboratories/Opko Health	422,600	TBC
16	CBLPath Inc.	148,900	TBC
17	CompuNet Clinical Laboratories	111,000	TBC
18	Austin Pathology Associates	46,500	TBC
19	South Texas Dermatopathology PLLC	16,100	TBC
20	Pathology Solutions	13,300	TBC
22	Laboratory of Dermatology ADX, LLC	4,240	TBC

Hacking and IT incidents dominated the breach reports in July with 35 incidents reported. Those breaches resulted in the exposure of 23,203,853 healthcare records. The average breach size was 662,967 records and the mean breach size was 4,559 records.

There were 9 unauthorized access/disclosure incidents in July involving 2,160,699 healthcare records. The average breach size was 240,077 records and the mean breach size was 3,881 records.

There were three theft incidents reported that involved 3,584 records, 2 loss incidents that exposed 4,593 records, and one improper disposal incident that exposed 3,000 records.

Largest Healthcare Data Breaches in July 2019

Name of Covered Entity	Covered Entity Type	Individuals Affected	Type of Breach	Location of Breached PHI
Optum360, LLC	Business Associate	11,500,000	Hacking/IT Incident	Network Server
Laboratory Corporation of America Holdings dba LabCorp	Healthcare Provider	10,251,784	Hacking/IT Incident	Network Server
Clinical Pathology Laboratories, Inc.	Healthcare Provider	1,733,836	Unauthorized Access/Disclosure	Network Server
CareCentrix, Inc.	Healthcare Provider	467,621	Hacking/IT Incident	Network Server
Bayamon Medical Center Corp.	Healthcare Provider	422,496	Hacking/IT Incident	Network Server
Memphis Pathology Laboratory d/b/a American Esoteric Laboratories	Healthcare Provider	409,789	Unauthorized Access/Disclosure	Network Server
Laboratory Medicine Consultants, Ltd.	Healthcare Provider	140,590	Hacking/IT Incident	Network Server
Imperial Health, LLP	Healthcare Provider	116,262	Hacking/IT Incident	Desktop Computer, Network Server
Puerto Rico Women And Children’s Hospital, LLC	Healthcare Provider	99,943	Hacking/IT Incident	Network Server
Ameritas Life Insurance Corp.	Health Plan	39,675	Hacking/IT Incident	Email

Location of Breached Protected Health Information

There was a major increase in network server incidents in July. The rise was due to the AMCA breach but also an uptick in ransomware attacks on healthcare providers. Phishing also continues to pose problems for healthcare organizations. 21 of the breaches reported in July involved PHI stored in email accounts.

The number of reported phishing attacks strongly suggests multi-factor authentication has not yet been implemented by many healthcare organizations. If credentials are compromised, MFA can help prevent the email account from being remotely accessed.

July 2019 Healthcare Data Breaches by Covered Entity Type

Healthcare providers were the worst affected covered entity in July with 39 breaches reported. Three health plans reported breaches and there were 8 breaches reported by business associates of HIPAA covered entities. A further 18 healthcare data breaches had some business associate involvement.

July 2019 Healthcare Data Breaches by State

July’s 50 data breaches were spread across 26 states and Puerto Rico. Typically, California experiences the most data breaches in any given month due to the number of healthcare organizations based in California; however, California only saw one healthcare data breach reported in July.

Minnesota was the worst affected state with 6 reported breaches. Four breaches were reported by healthcare organizations based in Michigan, Pennsylvania, and Texas. Three breaches were reported in Nevada and Tennessee, two breaches were reported in each of North Carolina, Ohio, Wisconsin, and Puerto Rico.

One breach was reported in each of Alabama, Arkansas, Arizona, California, Connecticut, Georgia, Kentucky, Louisiana, Massachusetts, Maryland, Maine, Missouri, Nebraska, New Hampshire, New York, Oregon, and South Carolina.

HIPAA Enforcement Activity in July 2019

It has been a relatively quiet year for HIPAA enforcement by the HHS’ Office for Civil Rights. While there were two settlements agreed in May 2019 to resolve HIPAA violations, no further financial penalties have been announced.

State Attorneys General also have the authority to take action against healthcare organizations that have violated HIPAA Rules. July saw one settlement reached between Premera Blue Cross and 30 state attorneys general over its 10.4 million-record data breach in 2014.

Under the terms of the settlement agreement, Premera Blue Cross is required to pay a financial penalty of $10,000,000 to resolve the HIPAA violations discovered during the Washington Attorney General-led investigation.

In addition to the $10 million penalty, Premera Blue Cross settled a class action lawsuit for $74 million. $32 million will cover claims from breach victims and $42 million will be directed toward improving cybersecurity.

The post July 2019 Healthcare Data Breach Report appeared first on HIPAA Journal.

HHS Proposes Rule Easing Restrictions on Substance Use Disorder Treatment Records

Posted August 23, 2019 by HIPAA Journal

The Substance Abuse and Mental Health Services Administration (SAMHSA) has proposed a new rule that loosens restrictions on substance use disorder (SUD) treatment records, aligning Part 2 regulations more closely with HIPAA.

The new rule, proposed on August 22, is the first element of the HHS’s Regulatory Sprint to Coordinated Care initiative, which will also see changes made to HIPAA, the Anti-Kickback Statute, and Stark Law.

SUD treatment records are covered by Confidentiality of Substance Use Disorder Patient Records regulations – 42 CFR Part 2 (Part 2). Part 2 pre-dates HIPAA by two decades and was introduced at a time when there were no broader privacy and security standards for health data. Part 2 regulations were required to protect the privacy of patients by severely restricting the allowable uses and disclosures of SUD treatment records. When Part 2 was introduced, there was a stigma associated with SUD and without privacy protections, many individuals suffering from the disorder may have avoided seeking treatment.

Since 1975, further privacy and security laws have been introduced. The HIPAA Security Rule requires all HIPAA-covered entities to implement safeguards to ensure the confidentiality, integrity, and availability of electronic protected health information (ePHI) and the HIPAA Privacy Rule restricts uses and disclosures of that information. However, Part 2 requires additional protections for SUD records than those for PHI and ePHI.

It is important to protect the privacy of patients and ensure that SUD information is safeguarded against unauthorized access as the information could be misused, but it is also essential for SUD treatment information to be made available to healthcare providers to better support care coordination.

The proposed rule does not change the privacy framework of Part 2, it just eases restrictions on SUD treatment records and removes some of the complexity of Part 2 regulations. While there is closer alignment with HIPAA, the proposed changes fall short of full harmonization with HIPAA Rules.

One on the most important changes concerns the separation of SUD treatment records from an individual’s medical record. The proposed rule would allow a healthcare provider to record SUD information in that individual’s medical record, provided the SUD information was willingly given by the patient. SUD treatment records created by federally assisted substance use disorder (SUD) treatment programs still need to be segregated.

The language of Part 2 has been changed to clarify that, with written consent, SUD records can be shared for payment and healthcare operations. Another clarification has been made on procedures during emergency situations, when additional protections for SUD records are suspended.

Under the proposed rule, providers who do not provide opioid treatments would be permitted to access a central registry of patients who have enrolled in treatment programs. Enrollment in an opioid treatment program would involve consent to have treatment information shared with the central registry. This update is intended to help prevent accidental overdoses. Opioid treatment programs will be permitted to sign up with a state prescription drug monitoring program and report on the Schedule II to V drugs that have been dispensed or prescribed.

Changes have also been proposed that make it easier for patients to share their SUD records with non-medical entities such as the Social Security Administration. Currently, a patient would need to provide the name of a person within a non-medical entity who is authorized to receive their records. Under the proposed rule, a patient could give consent to share the records with the entity as a whole.

Business associates that have been provided with SUD records for research purposes will be permitted to disclose that information to entities not covered by HIPAA for similar purposes.

Part 2 requires providers to sanitize devices containing SUD treatment records. Under the proposed rule, the information would only need to be deleted as sanitization typically involves the destruction of the device.

A restriction has been removed that prevented the courts from disclosing substance use records as part of an investigation into a serious crime that was not believed to have been committed by the patient. The time that undercover agents can stay in a Part 2 program has also been extended from 6 months to one year.

There have been calls from many healthcare associations and healthcare provider groups calling for Part 2 regulations to be aligned with HIPAA. Such a change would require approval on Capitol Hill. Recently, the National Association of Attorneys General (NAAG) called for leaders in the House and Senate to support changes to Part 2, and support is required. As HHS Secretary Alex Azar explained in a press meeting on Thursday, the HHS can only propose changes. In order to align Part 2 with HIPAA, House and Senate approval is required. Secretary Azar has expressed support for such changes.

“We do believe the proposed changes are very common sense, responsive changes to concerns by both patients and providers,” said Azar. While important changes have been made, many will feel the HHS has not done enough. Azar accepts that the proposed rule will not satisfy all calls for Part 2 reform, “We believe we’re going as far as we can.”

The post HHS Proposes Rule Easing Restrictions on Substance Use Disorder Treatment Records appeared first on HIPAA Journal.

Daily HIPAA News, HIPAA RSS Feeds, HIPAA Information