HIPAA Compliance News

HHS Declares Limited Waiver of HIPAA Sanctions and Penalties in Louisiana

The Secretary of the U.S. Department of Health and Human Services (HHS) has issued a limited waiver of HIPAA sanctions and penalties in Louisiana due to the devastation likely to be caused by Tropical Storm Barry as it made landfall on July 13 as a hurricane. The HHS announced the public health emergency in Louisiana on Friday July 12, 2019.

The waiver only applies to healthcare organizations in the emergency area and only for the length of time stated in the declaration. The waiver only applies to specific provisions of the HIPAA Privacy Rule and only for a maximum period of 72 hours after the hospital has implemented its emergency protocol.

Once the waiver period ends, healthcare providers must once again comply with all aspects of the HIPAA Privacy Rule, including for patients still under their care at the time the declaration ends, even if the 72-hour window has not yet expired.

Although a waiver has been issued, the Privacy Rule itself does not prohibit the sharing of protected health information during disasters to assist patients and make sure they get the care they require. That includes sharing some health information with friends, family members, and other individuals directly involved in a patient’s care.

The HIPAA Privacy Rule allows the sharing of PHI for public health activities and to prevent or reduce a serious and imminent threat to health or safety. HIPAA-covered entities are also permitted to share information with disaster relief organizations that have been authorized by law to assist with disaster relief efforts without first obtaining permission from patients.

During natural disasters the HIPAA Privacy and Security Rules remain in effect, although following the secretarial declaration, sanctions and penalties against HIPAA covered entities are waived for the following aspects of the HIPAA Privacy Rule:

  • The requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care. See 45 CFR 164.510(b).
  • The requirement to honor a request to opt out of the facility directory. See 45 CFR 164.510(a).
  • The requirement to distribute a notice of privacy practices. See 45 CFR 164.520.
  • The patient’s right to request privacy restrictions. See 45 CFR 164.522(a).
  • The patient’s right to request confidential communications. See 45 CFR 164.522(b).

“We are working closely with state health and emergency management officials to anticipate the communities’ healthcare needs and be ready to meet them,” said Secretary Azar. The HHS emergency declaration and limited HIPAA waiver can be viewed on this link (PDF).

The post HHS Declares Limited Waiver of HIPAA Sanctions and Penalties in Louisiana appeared first on HIPAA Journal.

Selarom Demonstrates Compliance with HIPAA Regulations

El Monte, CA-based Selarom is a specialist cybersecurity firm that provides services to healthcare organizations to help them secure their sensitive data and comply with HIPAA Rules.

The company now offers a ‘HIPAA Compliance Complete Solution’, a comprehensive security package covering both the managerial and technical sides of an organization. Ensuring sensitive information stays private and confidential is the company’s No. 1 priority.

HIPAA compliance is more important today than ever before. The number of cyberattacks on healthcare organizations has reached unprecedented levels, and healthcare data breaches of 500 or more records are now being reported at a rate of more than one a day. If a breach occurs, the HHS’ Office for Civil Rights will investigate and ask for evidence of HIPAA compliance.

Many small healthcare providers struggle to comply with all provisions of the HIPAA Privacy and Security Rules. In the event of a breach or audit, those providers will be at risk of regulatory fines.

Selarom helps companies secure their data and prevent data breaches. The company ensures that in the event of a breach, it will be possible to demonstrate all reasonable and appropriate controls had been implemented in full compliance with HIPAA Rules, thus avoiding regulatory fines.

To help provide a more comprehensive service to its clients, Selarom partnered with the Compliancy Group. Through the use of The Guard, Compliancy Group’s proprietary compliance software, Selarom has demonstrated full compliance with all aspects of HIPAA and HITECH Act regulations and has been awarded Compliancy Group’s HIPAA Seal of Compliance.

Selarom is now providing an all-in-one security and compliance solution incorporating a breach prevention platform, incident response and analysis, security risk assessments, employee training, and audit support.


Webinar: Ransomware, Malware, Phishing, and HIPAA Compliance

Compliancy Group is offering healthcare professionals an opportunity to take part in a webinar covering the main threats facing the healthcare industry.

Threats such as ransomware, malware, and phishing will be discussed by compliance experts in relation to HIPAA and the privacy and security of patient data.

Cybersecurity has become more important than ever in healthcare. The industry is seen as a weak target by hackers, large volumes of data are stored, and patient information carries a high value on the black market.

April 2019 saw the highest number of healthcare data breaches in a single month and more healthcare data breaches were reported in 2018 than in any other year to date. The increased frequency of attacks on organizations of all sizes highlights just how important cybersecurity has become.

Cyberattacks not only harm businesses in the healthcare sector but also place the privacy of patients’ health information at risk. While it was once sufficient to implement standard security tools, the sophisticated nature of today’s attacks means new solutions are required to protect against them.

Protecting against cyberattacks while ensuring compliance with HIPAA can be a challenge and oversights could easily lead to a costly breach or regulatory fine.

In the latest Compliancy Group webinar, compliance experts will walk you through the ins and outs of the regulations, and you can find out more about cybersecurity with respect to the requirements of HIPAA and HITECH.

Webinar:

Ransomware, Malware, Phishing, Oh My!

Wednesday, July 10th

2:00 ET/11:00 PT

Advance Registration


HELP Committee Approves Bill Calling for HIPAA Enforcement Safe Harbor

The Senate Health, Education, Labor and Pensions (HELP) Committee has approved the Lower Health Care Costs (LHCC) Act of 2019, which has implications for HIPAA-covered entities.

One of the main aims of the bill is to improve transparency of health care costs and service quality. The bill is intended to end surprise health bills and make sure patients are kept well informed about healthcare costs.

The LHCC Act includes a provision that incentivizes healthcare organizations to adopt strong cybersecurity practices by calling for the Department of Health and Human Services’ Office for Civil Rights to consider the organization’s good faith security efforts when making decisions about enforcement actions.

The bipartisan bill passed the HELP committee by 20 votes to 3. The bill includes 54 different proposals from 65 senators. With the bill now passed, HELP committee chairman Lamar Alexander (R-Tenn) hopes to present it to the Majority and Minority Leaders for consideration by the full Senate in July.

Many healthcare organizations have been calling for OCR to consider adoption of security frameworks and other good faith efforts to improve security posture when deciding on whether a penalty for noncompliance is appropriate. A safe harbor for organizations that adopt a cybersecurity framework such as the framework developed by NIST has been proposed by several industry groups.

The LHCC Act falls short of proposing a safe harbor from all enforcement actions, but could incentivize healthcare organizations to adopt security frameworks, invest time and resources in cybersecurity, and go above and beyond the minimum standards required by HIPAA.

The provision should not be viewed as a ‘get out of jail free’ card. When financial penalties are issued by OCR, they are usually for multiple compliance failures and/or egregious violations of HIPAA Rules. Adoption of the NIST Cybersecurity Framework would likely do little to prevent financial penalties.

The impact of the new requirement may only be minimal. Currently, when OCR investigates a data breach, many factors are taken into consideration when deciding whether financial penalties are appropriate. OCR has previously made it clear that HIPAA compliance is about minimizing, not eliminating risks. OCR accepts that even organizations with strong cybersecurity protections can still be breached. The organization’s security program is already considered when OCR decides whether enforcement actions are appropriate.

In addition to the HIPAA enforcement provision, the bill proposes that CMS require health insurers to make information such as claims data and expected out-of-pocket expenses available to patients via APIs to help them choose the best health plan. This would also help communicate to patients that their privacy and security are protected and that HIPAA and state laws apply.

Concern has been raised about the risks to individually identifiable health information when it is transferred electronically to and from non-HIPAA-covered entities. The bill proposes the Government Accountability Office (GAO) conduct a study to identify any risks associated with such transfers. In addition, a study is required to identify privacy and security gaps when health information is transferred to third parties via mobile apps created by developers not bound by HIPAA.

The bill must first go before the full Senate and House; however, if it does not pass both chambers, the provisions related to HIPAA may be added to a different bill.


OCR Clarifies Allowable Uses and Disclosures by Health Plans for Care Coordination and Continuity of Care

The Department of Health and Human Services’ Office for Civil Rights has issued new HIPAA guidance for health plans on how protected health information can be shared to support care coordination and continuity of care.

The guidance, which is in the form of an FAQ, answers two questions commonly asked by health plans:

Can PHI be disclosed to another health plan for care coordination purposes?

OCR has confirmed that the HIPAA Privacy Rule allows PHI to be used and disclosed for healthcare operations, so it is possible to share PHI with another health plan or other covered entity if doing so is necessary for the disclosing entity’s own healthcare operations. PHI can also be shared with another health plan for the recipient’s healthcare operations, provided the following conditions are met: both entities have or had a relationship with the individual, the disclosure pertains to that relationship, and the healthcare operation is one permitted by HIPAA (see 45 CFR 164.502(a)(1)(ii); 45 CFR 164.506(c)(4)).

Case management and care coordination are included in permitted ‘healthcare operations,’ so they are permitted without patient authorization, but any disclosures should be limited to the minimum necessary information.

Can a health plan use and disclose PHI to inform individuals about other available health plans without first obtaining authorization, and is this possible if the PHI was received for another purpose?

Uses and disclosures of PHI for marketing purposes are generally not permitted without prior authorization. Using PHI to offer an individual a different health plan could be seen as marketing and would therefore only be permitted with prior authorization.

However, there are exceptions to the marketing rule. Marketing communications made face to face are permitted (45 CFR 164.508(a)(3)(i)), and HIPAA does not treat communications about replacements for, or enhancements of, an existing health plan as marketing, provided the covered entity receives no financial remuneration for the communications (see 45 CFR 164.506(c)(1) and 45 CFR 164.501). It is also permitted to use PHI that was received for another purpose if the above conditions are met.

You can view the new OCR FAQ on this link.


Patient Care Coordinator Gets 1 Year Jail Term for HIPAA Violation

A former patient care coordinator at University of Pittsburgh Medical Center (UPMC) has received a 1-year jail term for accessing the medical records of patients and using that information to cause malicious harm.

Sue Kalina, 62, of Butler, PA, had previously worked at UPMC Tri Rivers Musculoskeletal and Allegheny Health Network as a patient care coordinator. On March 30, 2016, while employed by UPMC, Kalina first started accessing patients’ medical records without authorization. She continued to do so until June 15, 2017.

Kalina accessed the records of friends, old classmates, and individuals she had a grievance with. She used information from the medical records in a campaign of vengeance against her former employer, Frank J. Zottola Construction.

Kalina had worked at the firm as office manager for 24 years before losing the position and being replaced by a younger woman. Kalina accessed that woman’s medical records and disclosed gynecological information about her to the Zottola controller in June 2017. Kalina also left a voicemail message in which the medical information of the new office manager and one other Zottola employee was disclosed.

Zottola informed UPMC and Kalina was terminated. She was later hired by Allegheny Health Network where she is alleged to have continued to access patient records without authorization. In total, Kalina accessed the records of 111 patients without authorization.

Kalina took responsibility for her actions but claimed she was going through a difficult time in her life and had health issues. She also claimed she was not aware she was breaking the law and thought she was not prohibited from looking at patient files. Kalina and her legal team were seeking probation due to Kalina’s ongoing family commitments.

Prosecutors argued Kalina had been provided with HIPAA training and was aware that she was breaking the law, and that her claim of ignorance was ‘a complete farce.’ The U.S. attorney’s office sought a jail term of between 6 and 12 months.

At sentencing, U.S. District Judge Arthur Schwab opted for a jail term at the top end of that scale as the crime was particularly ‘egregious.’ Kalina was sentenced to 12 months in jail followed by 3 years of probation. During that time frame Kalina is not permitted to have any contact with any of the 111 victims.


May 2019 Healthcare Data Breach Report

In April, more healthcare data breaches were reported than in any other month to date. The high level of data breaches has continued in May, with 44 data breaches reported. Those breaches resulted in the exposure of almost 2 million individuals’ protected health information.

Chart: Healthcare data breaches by month, 2014-2019

On average, 2018 saw 29.5 healthcare data breaches reported to the HHS’ Office for Civil Rights each month – a rate of more than one a day.

From January 2019 to May 2019, an average of 37.2 breaches have been reported each month. Up until May 31, 2019, 186 healthcare data breaches had been reported to OCR, which is more than half (52%) the number of breaches reported last year.

It remains to be seen whether the increase in data breaches is just a temporary blip or whether 40+ healthcare data breaches a month will become the new norm.

Chart: Healthcare records exposed by month, 2017-2019

May saw a 186% increase in the number of exposed records compared to April. Across the 44 breaches, 1,988,376 healthcare records were exposed or compromised in May. So far this year, more than 6 million healthcare records have been exposed, which is more than half of the number of records exposed in 2018.

Chart: Healthcare records exposed by year, 2014-2019

In terms of the number of records exposed, May would have been similar to April were it not for a massive data breach at the healthcare clearinghouse Inmediata Health Group. The breach was the largest of the year to date and resulted in the exposure of 1,565,338 records.

A web page that was supposed to be accessible only internally had been misconfigured, and the page could be accessed by anyone over the internet.


| Rank | Name of Covered Entity | Covered Entity Type | Individuals Affected | Type of Breach |
|---|---|---|---|---|
| 1 | Inmediata Health Group, Corp. | Healthcare Clearing House | 1,565,338 | Unauthorized Access/Disclosure |
| 2 | Talley Medical Surgical Eyecare Associates, PC | Healthcare Provider | 106,000 | Unauthorized Access/Disclosure |
| 3 | The Union Labor Life Insurance Company | Health Plan | 87,400 | Hacking/IT Incident |
| 4 | Encompass Family and Internal Medicine Group | Healthcare Provider | 26,000 | Unauthorized Access/Disclosure |
| 5 | The Southeastern Council on Alcoholism and Drug Dependence | Healthcare Provider | 25,148 | Hacking/IT Incident |
| 6 | Cancer Treatment Centers of America® (CTCA) at Southeastern Regional Medical Center | Healthcare Provider | 16,819 | Hacking/IT Incident |
| 7 | Takai, Hoover, and Hsu, P.A. | Healthcare Provider | 16,542 | Unauthorized Access/Disclosure |
| 8 | Hematology Oncology Associates, PC | Healthcare Provider | 16,073 | Hacking/IT Incident |
| 9 | Acadia Montana Treatment Center | Healthcare Provider | 14,794 | Hacking/IT Incident |
| 10 | American Baptist Homes of the Midwest | Healthcare Provider | 10,993 | Hacking/IT Incident |

Causes of May 2019 Healthcare Data Breaches

Hacking/IT incidents were the most numerous in May with 22 reported incidents. In total, 225,671 records were compromised in those breaches. The average breach size was 10,258 records with a median of 4,375 records.

There were 18 unauthorized access/disclosure incidents in May, which resulted in the exposure of 1,752,188 healthcare records. The average breach size was 97,344 records and the median size was 2,418 records.

8,624 records were stolen in three theft incidents. The average breach size was 2,875 records and the median size was 3,578 records. There was one loss incident involving 1,893 records.

Chart: Causes of May 2019 healthcare data breaches

Location of Breached PHI

Email continues to be the most common location of breached PHI. 50% of the month’s breaches involved at least some PHI stored in email accounts. The main cause of these types of breaches is phishing attacks.

Network servers were the second most common location of PHI. They were involved in 11 breaches, which included hacks, malware infections, and ransomware attacks. Electronic medical records were involved in 7 breaches, most of which were unauthorized access/disclosure breaches.

Chart: Location of breached PHI (May 2019)

May 2019 Healthcare Data Breaches by Covered Entity Type

Healthcare providers were the worst affected covered entity type in May with 34 breaches. 5 breaches were reported by health plans and 4 breaches were reported by business associates of HIPAA-covered entities. A further two breaches had some business associate involvement. One breach involved a healthcare clearinghouse.

Chart: May 2019 healthcare data breaches by covered entity type

May 2019 Healthcare Data Breaches by State

May saw healthcare data breaches reported by entities in 17 states. Texas was the worst affected state in May with 7 reported breaches. There were 4 breaches reported by covered entities and business associates in California, and 3 breaches were reported in each of Indiana and New York.

2 breaches were reported by entities based in Connecticut, Florida, Georgia, Maryland, Minnesota, North Carolina, Ohio, Oregon, Washington, and Puerto Rico. One breach was reported in each of Colorado, Illinois, Kentucky, Michigan, Missouri, Montana, and Pennsylvania.

HIPAA Enforcement Actions in May 2019

OCR agreed to two settlements with HIPAA covered entities in May and closed the month with fines totaling $3,100,000.

Touchstone Medical Imaging agreed to settle its HIPAA violation case for $3,000,000. The Franklin, TN-based diagnostic medical imaging services company was investigated after it was discovered that an FTP server was accessible over the internet in 2014.

The settlement resolves 8 alleged HIPAA violations including the lack of a BAA, insufficient access rights, a risk analysis failure, the failure to respond to a security incident, a breach notification failure, a media notification failure, and the impermissible disclosure of the PHI of 307,839 individuals.

Medical Informatics Engineering (MIE) settled its case with OCR and agreed to pay a financial penalty of $100,000 to resolve alleged HIPAA violations uncovered during the investigation of its 2015 breach of 3.5 million patient records. Hackers had access to MIE servers for 19 days in May 2015.

OCR determined there had been a failure to conduct a comprehensive risk analysis and, as a result of that failure, there was an impermissible disclosure of 3.5 million individuals’ PHI.

It did not end there for MIE. MIE also settled a multi-state lawsuit filed by 16 state attorneys general. A multi-state investigation uncovered several HIPAA violations. MIE agreed to pay a penalty of $900,000 to resolve the case.


House Overturns Ban on HHS Funding HIPAA National Patient Identifier Development

One of the requirements of the HIPAA Administrative Simplification Rules was the development of a national identifier for all patients. Such an identifier would be used by all healthcare organizations to match patients with health records from multiple sources and would improve the reliability of health information and ensure it could be shared quickly and efficiently.

That national patient identifier has failed to materialize. For the past two decades, the Department of Health and Human Services has been prohibited from using funds to develop or promote a unique patient identifier system out of concerns over privacy and security of patient data.

Just as was the case in 1996, the benefits of using national patient identifiers remain and the need for such a system is greater than ever. Many hospitals, healthcare and health IT groups have been urging Congress to lift the HHS ban due to the benefits that would come from using a national identifier.

They argue it would make it much easier to match medical information from multiple sources with the correct patient and the potential for errors would be greatly reduced. Together with the cost savings, adoption of a national patient identifier would improve the quality of care provided to patients and patient safety.

Now, 20 years after the ban was put in place, it is closer to being lifted. The U.S. House of Representatives recently voted on several amendments to a $99.4 billion HHS appropriations bill. The amendment calling for the lifting of the ban was proposed by Rep. Bill Foster (D-Ill.) and was passed on Wednesday, June 12 in a 246 to 178 vote. Until now, neither chamber of Congress had ever voted to lift the ban.

“For the last 21 years, this misguided policy has been in place, and thousands of Americans have died due to getting the wrong drug to the wrong patient or due to incorrect or incomplete electronic medical records, all arising from the inability to simply and correctly merge health records from different systems,” said Rep. Foster.

The passing of the amendment is the first step toward a national identifier being developed, but there are plenty of hurdles to overcome before the ban is finally lifted. The appropriations bill must first be passed, the Senate would need to give its approval, and then the President would need to sign the bill into law.

Even though the benefits of a national patient identifier are clear, many privacy advocates believe the privacy and security risks are too great and that adoption of a national identifier would result in loss of control of patient data and more frequent, larger, and more damaging healthcare data breaches.


Alabama Jury Awards Woman $300,000 Damages over HIPAA Breach

A woman in Alabama has been awarded $300,000 in damages after a doctor illegally accessed and disclosed her protected health information to a third party.

Plaintiff Amy Pertuit filed a lawsuit against Medical Center Enterprise (MCE) in Alabama, a former MCE physician, and an attorney over the violation of her privacy in January 2015.

According to lawyers for the plaintiff, Amy Pertuit’s husband was experiencing visitation issues and was involved in a custody battle with his former wife, Deanna Mortenson.

Mortenson contacted Dr. Lyn Diefendfer, a physician at MCE, and convinced her to obtain health information about Amy Pertuit for use against her husband in the custody battle. The information was disclosed to Mortenson’s attorney, Gary Bradshaw.

Dr. Diefendfer accessed Pertuit’s records through the Alabama Prescription Drug Monitoring Program website. Since Dr. Diefendfer had no treatment relationship with Pertuit, she was not authorized to access her medical information. The access and disclosure were violations of hospital policies and HIPAA Rules.

After discovering that her health information had been disclosed, Pertuit lodged a complaint with the Department of Health and Human Services’ Office for Civil Rights which put the hospital on notice. However, the hospital failed to implement appropriate sanctions against Diefendfer. Dr. Diefendfer is alleged to have accessed further health information in 2016 and again disclosed that information to Bradshaw.

The plaintiff’s lawyers also said that the hospital’s privacy officer had investigated Dr. Diefendfer and discovered 22 separate violations of hospital policies and HIPAA Rules.

The lawsuits filed against Dr. Diefendfer, Deanna Mortenson, and Gary Bradshaw were all settled out of court. The case against MCE went to a jury trial.

The jury unanimously found that MCE had failed to take appropriate action against Dr. Diefendfer after the discovery of the privacy violation, and awarded the plaintiff $295,000 in punitive damages and a further $5,000 as compensation for pain, suffering, and humiliation.
