HIPAA Compliance News

State Attorneys General Urge Congress to Align Part 2 Regulations with HIPAA

Posted by HIPAA Journal

The National Association of Attorneys General (NAAG) has urged leaders of the House and Senate to make changes to Confidentiality of Substance Use Disorder Patient Records regulations known as 42 CFR Part 2.

The regulations in question, which NAAG called “cumbersome [and] out-of-date,” restrict the uses and disclosures of substance abuse treatment records.

Under HIPAA, protected health information (PHI) can be shared between providers and caregivers for purposes related to treatment, payment, and healthcare operations without first obtaining consent from the patient. 42 CFR Part 2 prohibits the sharing of addiction treatment information by federally assisted treatment programs unless consent to do so has been obtained from the patient.

The Part 2 regulations were created more than 40 years ago to ensure the privacy of patients was protected and to ensure that patients would not face any legal or civil consequences from seeking treatment for substance abuse disorder.

NAAG argues that the regulations were created at a time when there was an “intense stigma” surrounding substance abuse disorder but says that the continued separation of substance abuse disorder from other diseases perpetuates that stigma. “The principle underlying these rules is that substance use disorder treatment is shameful and records of it should be withheld from other treatment providers in ways that we do not withhold records of treatment of other chronic diseases,” wrote NAAG.

NAAG wants substance abuse disorder to be recognized as the chronic disorder that it is, which would mean aligning the rules covering substance abuse treatment records with those of HIPAA. That would allow substance abuse treatment information to be shared along with other health information, provided protections are in place to keep that information private and confidential.

As it stands, Part 2 regulations are a barrier to treating opioid use disorder. Providers are used to complying with HIPAA, but the requirements of Part 2 can be intimidating. As such, many providers do not offer medicated-assisted treatment (MAT) for substance abuse disorder.

MAT providers are not required to comply with Part 2 requirements if they do not advertise their MAT services, but that means fewer people will take up those services. To effectively tackle the opioid epidemic in the United States, MAT services need to be promoted and should be easily accessible. Currently, many providers are keeping it a secret that they provide MAT programs to patients due to the restrictions of Part 2 regulations.

42 CFR Part 2 privacy regulations were updated in 2018, although the changes made were relatively minor. NAAG is not the only organization calling for more substantial changes and closer alignment between Part 2 and HIPAA regulations. A growing coalition of more than 40 national health care organizations support the changes and there is some support in the House and the Senate.

Reps. Markwayne Mullin (R-OK) and Earl Blumenauer (D-OR) introduced the Overdose Prevention and Patient Safety Act (OPPS Act) (H.R. 2062) and Sens. Joe Manchin (D-WV) and Shelley Moore Capito (RWV) introduced the Protecting Jessica Grubb’s Legacy Act (Legacy Act) (S. 1012) which both align HIPAA with Part 2. However, getting enough people to back the changes is likely to be a major challenge.

The post State Attorneys General Urge Congress to Align Part 2 Regulations with HIPAA appeared first on HIPAA Journal.

MU Health Patients Take Legal Action Over May 2019 Phishing Attack

Posted by HIPAA Journal

A lawsuit has been filed against University of Missouri Health Care (MU Health) over an April 2019 phishing attack.

On May 1, 2019, MU Health learned that two staff email accounts had been compromised for a period of more than one week, starting on April 23, 2019. The email accounts contained a range of sensitive information including names, dates of birth, Social Security numbers, health insurance information, clinical and treatment information.

MU Health’s investigation concluded on July 27 and notification letters were sent to individuals whose protected health information (PHI) had been exposed and potentially stolen. Approximately 14,400 patients had been impacted by the breach.

The lawsuit was filed by MU Health patient Penny Houston around a week after the notifications were issued. The lawsuit states that, as a result of the breach, patients have been placed at an elevated risk of suffering identity theft and fraud. The types of data contained in the compromised accounts would allow criminals to steal identities, file fraudulent tax returns, and open financial accounts in the victims’ names.

As a result of the exposure of personal information, breach victims could face long-term issues and have to cover the cost of credit monitoring and identity theft protection services, as none were offered by MU Health.

The lawsuit also argues that patients have been paying for medical services and a proportion of that cost should have covered securing their information. Since sufficient protections had not been implemented, the plaintiffs claim they have been overpaying for medical services at MU Health.

At least 19 other patients have now added their names to the lawsuit. The plaintiffs seek reimbursement of out-of-pocket expenses to cover costs incurred as a direct result of the breach and for MU Health to pay for credit monitoring services for all victims of the breach.  Additionally, the plaintiffs want MU Health to invest more money in cybersecurity to strengthen its data security defenses, monitoring systems, and also to agree to undergo audits of its systems and procedures in the future.

The post MU Health Patients Take Legal Action Over May 2019 Phishing Attack appeared first on HIPAA Journal.

Allscripts Proposes $145 Million Settlement to Resolve DOJ HIPAA and HITECH Act Case

Posted by HIPAA Journal

A preliminary settlement has been proposed by Allscripts Healthcare Solutions to resolve alleged violations of HIPAA, the HITECH Act’s electronic health record (EHR) incentive program, and the Anti-Kickback Statute related to the electronic health record (EHR) company Practice Fusion, which was acquired by Allscripts in 2018.

Prior to the acquisition, Practice Fusion has been investigated by the Attorney’s Office for the District of Vermont in March 2017 and had provided documentation and information. Between April 2018 and January 2019, the company received further requests for documents and information through civil investigative demands and HIPAA subpoenas.

Then in March 2019, the company received a grand jury subpoena over a Department of Justice (DOJ) investigation into the business practices of Practice Fusion, potential violations of the Anti-Kickback Statute, HIPAA, and the payments received under the HHS EHR incentive program. Scant information has been released about the nature of the alleged violations by Practice Fusion.

The proposed settlement will see Allscripts pay $145 million to the DOJ to resolve the company and Practice Fusion of all civil and criminal liability related to the investigation. Allscripts President Rick Poulton hopes the settlement will be sufficient to resolve the case. Since Practice Fusion was acquired, Allscripts has had to devote an increasing amount of resources the investigation. Poulton wants to reach an agreement as soon as possible so the company can move on.

“While the amount we have agreed to pay of $145 million is not insignificant, it is in line with other settlements in the industry, and we are happy to have reached the agreement in principle,” said Poulton. “We will work with the DOJ to finalize the details of the settlement over the coming months”.

Last year, the HHS agreed a settlement with EHR vendor eClinicalWorks over alleged false claims related to the HITECH Act EHR incentive program. eClinicalWorks paid $155 million to resolve the case.

The post Allscripts Proposes $145 Million Settlement to Resolve DOJ HIPAA and HITECH Act Case appeared first on HIPAA Journal.

Judge Approves $74 Million Premera Blue Cross Data Breach Settlement

Posted by HIPAA Journal

A Federal District Judge has given preliminary approval to a proposed $74 million settlement to resolve a consolidated class action lawsuit against Premera Blue Cross for its 2014 data breach of more than 10.6 million records.

US District Judge Michael Simon determined that the proposed settlement was fair, reasonable and adequate based on the defense’s case against Premera and the likely cost of continued litigation.

The settlement will see $32 million made available to victims of the breach to cover claims for damages of which $10 million will reimburse victims for costs incurred as a result of the breach. The remaining $42 million will be used to improve Premera’s security posture over the next three years.

Data security improvements are necessary. Internal and third-party audits of Premera before and after the data breach uncovered multiple vulnerabilities. Premera had been warned about the vulnerabilities prior to the breach and failed to take action. That lack of action allowed hackers to gain access to its network. Further, it took almost a year for Premera to determine that its systems had been compromised

“Improved data security benefits all class members, even if they are no longer insured by Premera or a related Blue Cross entity, because sensitive information remains stored on Premera’s servers,” wrote Judge Simon.

Considering the data breach affected 10.6 million individuals, a fund of $10 million to reimburse costs may not seem that much. However, Judge Simon determined the figure to be fair because relatively few of the plaintiffs had suffered identity theft as a result of the data breach and the settlement includes $3.5 million to cover the cost of additional credit monitoring services.

The case against Premera was complex and involved a considerable amount of technical information about the data security protections that were put in place. The evidence also spanned several years. “Whether Premera breached its contractual promises, was negligent, or engaged in unfair practices under Washington’s Consumer Protection Act with respect to Premera’s provision of data security are relatively strong claims,” wrote Judge Simon.

The settlement resolves the lawsuit with no admission of liability. In addition to the $74 million, Premera also settled a multi-state lawsuit with 30 states for $10 million over the failure to address known data security risks.

The Premera data breach was also investigated by the HHS’ Office for Civil Rights. It remains to be seen whether a financial penalty will be deemed appropriate.

The post Judge Approves $74 Million Premera Blue Cross Data Breach Settlement appeared first on HIPAA Journal.

New York Governor Signs SHIELD Act into Law

Posted by HIPAA Journal

The Stop Hacks and Improve Electronic Data Security (SHIELD) Act has been signed into state law by New York Governor Andrew M. Cuomo. The Act improves privacy protections for state residents and strengthens New York’s data breach notification laws to ensure they maintain pace with current technology.

The SHIELD Act – S5575B/A5635B – was signed into law on July 25, 2019 and takes effect in 240 days. The Act makes several changes to existing state privacy and data breach notification laws:

The definition of covered entities has been broadened to include any person or entity that holds the private information of a New York State resident, irrespective of whether that person or entity does business in New York State.

All businesses must “develop, implement and maintain reasonable safeguards” to ensure the confidentiality, integrity, and availability of personal information. Those measures should reflect the size of the business. The SHIELD Act includes a list of factors considered to be ‘reasonable security protections’.

A written information security program must be developed which incorporates all SHIELD Act requirements. The responsibility for implementing and administrating the program must be assigned to an individual, who must also oversee employee receive training on SHIELD Act requirements.

The definition of a data breach has been expanded to include any unauthorized accessing of private information. Previously, notifications were only required when personal information had been acquired by an unauthorized individual.

The definition of a personal information has been expanded to include email addresses and usernames along with the associated password or security question answers that would allow the account to be accessed. The new law requires notifications to be issued if a financial account number is exposed along with any method of gaining access to the account. Biometric information is also now included in the definition of personal information warranting notifications.

As is the case with HIPAA, inadvertent and good faith disclosures of personal information are exempt from notifications provided there is little risk of harm.

Organizations covered by the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act, and financial service providers covered by the New York Department of Financial Services Cybersecurity Rule are given a safe harbour if they are in compliance with their respective regulations.

There is no change to the time scale for issuing notifications. They must be sent “in the most expedient time possible and without unreasonable delay.”

The post New York Governor Signs SHIELD Act into Law appeared first on HIPAA Journal.

Computer Doc Achieves HIPAA Compliance with Compliancy Group

Posted by HIPAA Journal

Compliancy Group has announced that the Indian Trail, NC-based IT firm Computer Doc has completed the initial phase of its HIPAA compliance journey and has demonstrated compliance with the HIPAA Privacy, Security, Breach Notification, Omnibus Rules and the requirements of the HITECH Act.

Since 1997, Computer Doc has been providing IT support and consultancy services to businesses in and around Charlotte, NC. The firm focuses on providing IT support to small to medium sized businesses to help them increase productivity, improve efficiency, and boost profitability through the intelligent use of IT.

In order to reassure healthcare companies that the firm is aware of the requirements of HIPAA and is committed to providing a HIPAA-compliant IT support service, Computer Doc signed up with the Compliancy Group and was guided through the compliance process.

“With HIPAA violation fine enforcement up 400% in recent years and series of high-profile breaches and multi-million dollar settlements that drew national attention, the importance of HIPAA compliance for both IT service providers (BAs) and their healthcare IT clients (CEs) has never been more urgent,” explained Compliancy Group.

Using the Compliancy Group’s proprietary compliance tracking software, The Guard, and assisted by Compliancy Group coaches, Computer Doc completed the 6-stage implementation program and demonstrated compliance with all relevant provisions of HIPAA Rules.

“Achieving compliance with HIPAA has improved our business and opened the doors to many medical practices that we could not help before,” explained Computer Doc.

After demonstrating compliance with HIPAA, Computer Doc is entitled to display Compliancy’ Group’s HIPAA Seal of Compliance. The Seal of Compliance demonstrates to all HIPAA-covered entities that the firm is fully compliant with HIPAA regulations and patient’s ePHI is secure.

The post Computer Doc Achieves HIPAA Compliance with Compliancy Group appeared first on HIPAA Journal.

2019 Cost of A Data Breach Study Reveals Increase in U.S. Healthcare Data Breach Costs

Posted by HIPAA Journal

The Ponemon Institute/IBM Security has published its 2019 Cost of a Data Breach Report – A comprehensive analysis of data breaches reported in 2018.

The report shows data breach costs have continue to rise and the costliest breaches are experienced by healthcare organizations, as has been the case for the past 9 years.

Average Data Breach Costs $3.92 Million

Over the past five years, the average cost of a data breach has increased by 12%. The global average cost of a data breach has increased to $3.92 million. The average breach size is 25,575 records and the cost per breached record is now $150; up from $148 last year.

Globally, the healthcare industry has the highest breach costs with an average mitigation cost of $6.45 million. Healthcare data breaches typically cost 65% more than data breaches experienced in other industry sectors.

Data breach costs are the highest in the United States, where the average cost of a data breach is $8.19 million – or $242 per record. The average cost of a healthcare data breach in the United States is $15 million.

Healthcare Data Breaches Cost $429 per Record

In healthcare, the average cost of a breach has increased to $429 per record from $408 last year – an increase of 5.15%. The financial sector has the second highest breach costs. Financial industry breaches cost an average of $210 per record – less than half the per record cost of a healthcare data breach.

Fortunately, mega data breaches are relatively rare but when they do occur the costs can soar. Mega data breaches are classed as breaches of more than 1 million records. IBM projected losses due to a data breach of $1 million records would be $42 million, whereas a breach of 50 million records would cost $388 million to resolve. The recent data breach at American Medical Collection Agency, which is known to have affected 18 healthcare providers and 25 million individuals, would fit halfway along that cost scale.

“Cybercrime represents big money for cybercriminals, and unfortunately that equates to significant losses for businesses,” said Wendi Whitmore, Global Lead for IBM X-Force Incident Response and Intelligence Services. “With organizations facing the loss or theft of over 11.7 billion records in the past 3 years alone, companies need to be aware of the full financial impact that a data breach can have on their bottom line –and focus on how they can reduce these costs.”

The survey was conducted by the Ponemon Institute on 507 companies that have experienced a data breach in the past year and involved 3,211 interviews with individuals with knowledge of the breach. Breach costs were determined using an activity-based costing (ABC) method, which identifies activities and assigns a cost to each based on actual use.

The Effects of A Data Breach Are Felt For Years

In this year’s study, IBM analyzed the financial impact of a data breach including the longtail financial costs. The analysis revealed the financial repercussions of a data breach are felt for years. The majority of the breach costs are realized in the first year after the breach when 67% of the cost is accrued. 22% of the cost is accrued in the second year, and 11% of the cost comes 2 or more years after the breach. In highly regulated industries such as healthcare, the longtail costs are higher.

For the majority of businesses, the biggest cost is loss of business after a data breach. Across all industry sectors, loss of business has been the biggest breach cost for the past 5 years, which now costs businesses an average of $1.42 million or 36% of their total breach cost. The average loss of customers following a data breach is 3.9%, although the figure is higher for healthcare organizations who often struggle to retain patients after a breach.

Breach costs are affected by several factors, including the nature of the breach and the organization’s size. The average cost of a data breach at an SMB with fewer than 500 employees is $2.5 million or 5% of annual revenue. With such crippling costs, it is easy to see why so many SMBs fail within 6 months of experiencing a data breach.

Malicious attacks were most common (51%) and were also the costliest breaches to resolve. Malicious attacks cost 25% more to resolve than breaches caused by system glitches or human error. Malicious attacks are now occurring much more frequently. There was a 21% increase in malicious attacks between 2014 and 2019.

The study identified several factors which reduce the cost of a data breach. The most important step to take to reduce breach costs is to form an incident response (IR) team. Companies that had formed an IR team, developed an IR plan, and extensively tested that plan, reduced their breach costs by an average of $1.23 million.

A rapid breach response greatly reduces breach costs. The average time from breach to discovery is 279 days. Companies that identified and remediated the breach inside 200 days saved an average of $1.2 million.

The post 2019 Cost of A Data Breach Study Reveals Increase in U.S. Healthcare Data Breach Costs appeared first on HIPAA Journal.

June 2019 Healthcare Data Breach Report

Posted by HIPAA Journal

For the past two months, healthcare data breaches have been reported at a rate of 1.5 per day – Well above the typical rate of one per day. In June, data breaches returned to more normal levels with 30 breaches of more than 500 healthcare records reported in June – 31.8% fewer than May 2019.

 

While the number of reported data breaches fell,  June saw a 73.6% increase in the number of health records exposed in data breaches. 3,452,442 healthcare records were exposed in the 30 healthcare data breaches reported in June.

Largest Healthcare Data Breaches in June 2019

The increase in exposed records is due to a major breach at the dental health plan provider Dominion Dental Services (Dominion National Insurance Company). Dominion discovered an unauthorized individual had access to its systems and patient data for 9 years. During that time, the protected health information of 2,964,778 individuals may have been stolen. That makes it the largest healthcare data breach to be reported to the Office for Civil Rights so far in 2019 – At least for a month until entities affected by the breach at American Medical Collection Agency report the breach.

9 of the ten largest healthcare data breaches in June were hacking/IT incidents and the top six breaches involved network servers. Three email security breaches and one improper disposal incident round out the top ten.

Name of Covered Entity Covered Entity Type Individuals Affected Type of Breach Location of Breached Information
Dominion Dental Services, Inc., Dominion National Insurance Company, and Dominion Dental Services USA, Inc. Health Plan 2,964,778 Hacking/IT Incident Network Server
Inform Diagnostics, Inc. Healthcare Provider 173,617 Hacking/IT Incident Network Server
EyeCare Partners, LLC [on behalf of affiliated covered entities] Healthcare Provider 141,165 Hacking/IT Incident Network Server
TenX Systems, LLC d/b/a ResiDex Software Business Associate 90,000 Hacking/IT Incident Network Server
Shingle Springs Health and Wellness Center Healthcare Provider 21,513 Hacking/IT Incident Network Server
Desert Healthcare Services, LLC Healthcare Provider 8,000 Hacking/IT Incident Network Server
Summa Health Healthcare Provider 7,989 Hacking/IT Incident Email
Community Physicians Group Healthcare Provider 5,400 Hacking/IT Incident Email
Community Healthlink Healthcare Provider 4,598 Hacking/IT Incident Email
Adventist Health Physician Services Healthcare Provider 3,797 Improper Disposal Paper/Films

The Year So Far

As you can see in the graph below, 2019 is shaping up to be a bad year for healthcare data breaches. In the first 6 months of 2019, the records of 9,652,575 Americans were exposed, impermissibly disclosed, or stolen. That is already almost double the records exposed in 2017 and last year’s total will soon be exceeded. The data breach at American Medical Collection Agency has yet to appear in the figures below. That breach alone will raise the 2019 total to almost 35 million healthcare records. That’s more healthcare records than were breached in 2016, 2017, and 2018 combined.

Causes of June 2019 Healthcare Data Breaches

There was a fairly even split between hacking/IT incidents and unauthorized access/disclosure incidents in June, which accounted for 83% of all breaches reported. There were 12 unauthorized access/disclosure incidents reported in June, but they typically involved small numbers of records. Unauthorized access/disclosure incidents impacted 18,165 patients. The mean breach size was 1,813 records and the median breach size was 1,502 records.

There were 13 hacking/IT incidents reported in June. While these breaches only accounted for 43% of all incidents reported in June, 3,424,422 healthcare records were compromised in those breaches – 99.19% of all records breached in June. The mean breach size was 263,417 records and the median breach size was 7,995 records.

There were three theft incidents reported involving 3,424 records. The mean breach size was 1,141 records and the median breach size was 1,282 records. One loss incident was reported that impacted 2,634 patients and one improper disposal incident exposed the PHI of 3,797 patients.

Location of Breached Protected Health Information

Phishing attacks are continuing to cause problems for healthcare providers, but so too is ransomware. There was a sharp increase in ransomware attacks in Q1 and the trend continued in Q2. Ransomware may have fallen out of favor with cybercriminals in 2018, but it appears to be back in vogue in 2019. Email is usually the most common location of breached PHI, but there was a fairly even split between networks server and email incidents in June. The rise in ransowmare and malware attacks in June account for the increase in network server incidents.

 

June 2019 Healthcare Data Breaches by Covered Entity Type

Healthcare providers reported 24 data breaches in June, one breach was reported by a health plan and one by a healthcare clearinghouse. While only one data breach was reported by a business associate, a further 7 data breaches had some business associate involvement.

 

June 2019 Healthcare Data Breaches by State

June’s 30 healthcare data breaches affected covered entities in 20 states. Arizona and California were the worst affected with three reported breaches. Florida, Massachusetts, Maryland, Minnesota, Missouri, and Ohio each experienced two breaches, and one breach was reported in each of Arkansas, Iowa, Illinois, Indiana, Kentucky, Michigan, Nevada, Pennsylvania, Texas, Virginia, Vermont, and Wyoming.

HIPAA Enforcement Actions in June 2019

One HIPAA enforcement action came to a conclusion in June. Premera Blue Cross agreed to settle a multi-state lawsuit over its 10.4-million-record data breach in 2017.

Premera Blue Cross is one of the nations largest health insurers. In early 2018, Premera discovered hackers had gained access to its network by exploiting an unpatched software vulnerability. The investigation into the breach revealed there had been basic security failures. The case, led by Washington State Attorney General Bob Ferguson, was settled for $10,000,000.

Alabama, Alaska, Arizona, Arkansas, California, Connecticut, Florida, Hawaii, Idaho, Indiana, Iowa, Kansas, Kentucky, Louisiana, Massachusetts, Minnesota, Mississippi, Montana, Nebraska, Nevada, New Jersey, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Rhode Island, Utah, Vermont and Washington all participated in the lawsuit.

The Department of Health and Human Services’ Office for Civil Rights did not issue any financial penalties for HIPAA violations in June.

The post June 2019 Healthcare Data Breach Report appeared first on HIPAA Journal.

Idaho Hospitals Must Now Comply with New Idaho Patient Rights Rules

Posted by HIPAA Journal

New rules for hospitals have been implemented in Idaho that give patients new rights. The rules were implemented by the Idaho Department of Health and Welfare (IDHW) and are effective from July 1, 2019.

The new rules were suggested by patient advocacy groups and “incorporate standards that parallel—but do not exactly mirror—existing law and/or Medicare conditions of participation for hospitals,” according to IDHW. The policies align with the MyHealthEData initiative, which was launched in 2018 with the aim of removing the barriers to secure access to electronic medical records.

Under previous state law, critical access hospitals (CAHs) were not required to comply with many of the regulatory conditions that applied to other healthcare providers. The new rules change that, which will mean new policies and procedures will need to be implemented by CAHs. That will come with a considerable administrative burden.

The new rules apply to all hospitals in Idaho as well as any provider that renders services in hospitals. All hospitals and providers have been advised to check their policies and procedures to make sure they are compliant with the new rules.

The main purpose of the new rules is to improve patient rights and make it easier – and quicker – for patients to obtain copies of their health information and access to their EHRs.

As required by HIPAA, patients must be provided with a copy of their medical records on request within 30 days of the request being received. Under the new rules in Idaho, access to EMRs must be provided within 3 days of the request being received. The copy must also be provided in a readily readable format on a popular portable media storage device.

HIPAA limits the amount that can be charged for providing patients with copies of their health information. The new Idaho rules further protect patients by only permitting hospitals to charge a reasonable fee for labor and restricting the charges for copies to the cost of copying at the local library.

A patient’s right to privacy has been further protected. Patients have the right to privacy when personal care is being provided, which extends to continuous observation and video and audio monitoring of patients. As of July 1, 2019, hospitals are not permitted to record video or audio, except in common areas, without first obtaining written consent from the patient. Those recordings must then be included in a patient’s medical record.

The new rules also cover notices of discontinuation of care, advance directives, obtaining and documenting informed consent, patient safety, patient grievances, restraint and seclusion, and law enforcement restraints.

The post Idaho Hospitals Must Now Comply with New Idaho Patient Rights Rules appeared first on HIPAA Journal.