HIPAA Compliance News

HHS Extends Comment Period on Proposed Rules to Improve ePHI Interoperability

Posted by HIPAA Journal

The Department of Health and Human Services has extended the deadline for submitting comments on its proposed rules to promote the interoperability of health information technology and electronic protected health information to June 3, 2019.

Two new rules were released on February 11, 2019 by the Office of the National Coordinator for Health IT (ONC) and the Centers for Medicare and Medicaid Services (CMS). The purpose of the new rules is to support the secure access, exchange, and use of electronic health information. The rules cover technical and healthcare industry factors that are proving to be barriers to the interoperability of health information and are limiting the ability of patients to gain access to their health data.

The deadline has been extended to give the public and industry stakeholders more time to read the proposed rules and provide meaningful input that can be used to help achieve the objectives of the rules. The extension has come in response to feedback from many stakeholders who have asked for more time to review the rules, which have potential to cause a range of issues for healthcare organizations.

Two other factors influenced the decision to extend the deadline. There appeared to be some confusion over HIPAA and whether healthcare providers are accountable for how patients use their health data. Also, the ONC has recently released the second draft of its Trusted Exchange Framework and Common Agreement (TEFCA), which could factor into comments. While there is not a great deal of overlap between TEFCA and the ONC/CMS proposed rules, both do cover interoperability and operate in the same space.

In addition, the HHS’ Office for Civil Rights has released a new FAQ for patients to explain the HIPAA right of access in relation to health apps used by patients and application programming interfaces (APIs) used by healthcare providers’ electronic health record systems. The FAQ confirms that after a patient discloses health information via an app, subsequent uses and disclosures are only the responsibility of the healthcare provider if the app developer is one of the healthcare provider’s business associates.

The post HHS Extends Comment Period on Proposed Rules to Improve ePHI Interoperability appeared first on HIPAA Journal.

Healthcare Organizations Found Not to be In Conformance with NIST CSF and HIPAA Rules

Posted by HIPAA Journal

A recent study conducted by the consultancy firm CynergisTek has revealed healthcare organizations are not in conformance with NIST Cybersecurity Framework (CSF) controls and the HIPAA Privacy and Security Rules.

For the study, CynergisTek analyzed the results of assessments at almost 600 healthcare organizations against NIST CSF and the HIPAA Privacy and Security Rules.

The NIST CSF is a voluntary framework, but the standards and best practices help organizations manage cyber risks. Healthcare organizations that are not in conformance with CSF controls face a higher risk of experiencing a cyberattack or data breach. On average, healthcare organizations were only in conformance with 47% of NIST CSF controls. Conformance has only increased by 2% in the past year.

Assisted living organizations had the highest level of conformance with NIST CSF (95%), followed by payers (86%), and accountable care organizations (73%). Business associates of HIPAA covered entities only had an average conformance level of 48%. Physician groups had the lowest level of conformance (36%).

Out of the five core functions of the NIST CSF – Identify, detect, protect, respond, and recover – conformance was lowest for detect.

Even though conformance with the HIPAA Security Rule has been mandatory for the past 14 years, many healthcare organizations were found to be falling short. On average, healthcare organizations were found to be in conformance with 72% of HIPAA Security Rule requirements, which was 2% lower than last year. Critical access hospitals fared the worst with an average of 67% conformance.

Even when organizations were complying with HIPAA Rules, significant security gaps were identified, which clearly demonstrated compliance does not necessarily equate to security.

Compliance with the requirements of the HIPAA Privacy Rule was better, but there is still significant room for improvement. On average, healthcare organizations were complying with 77% of HIPAA Privacy Rule provisions. Many organizations had missing policies and procedures and improper postings. More than 60% of assessments revealed gaps in the maintenance of written policies and procedures related to the use and release of protected health information.

Conformance with the HIPAA Privacy Rule increased year over year for payers and physician groups, but declined for hospitals and health systems, falling from 94% in 2017 to 72% in 2018. CynergisTek explained this fall as most likely being due to higher numbers of assessments being performed on hospitals and health systems in 2018.

CynergisTek also found that insider breaches continue to be a major challenge for healthcare organizations. Insiders were responsible for 28% of healthcare data breaches in 2018 and, on average, those breaches took 255 days to detect. 74% of cases involved employees accessing the health records of household members, 10% involved accessing the records of VIPs that were treated at the hospital. 8% of cases involved accessing the health records of co-workers and 8% involved accessing neighbors’ health records.

Business associates were found to be a major security risk. They were involved in 20% of healthcare data breaches in 2018. CynergisTek found that in many cases, healthcare organizations were not proactively assessing their vendors, even those that are medium to high risk. The most common business associate failures were related to risk assessments, governance, and access management.

The post Healthcare Organizations Found Not to be In Conformance with NIST CSF and HIPAA Rules appeared first on HIPAA Journal.

MD Anderson Cancer Center Appeals Against $4,348,000 HIPAA Penalty

Posted by HIPAA Journal

In 2018, University of Texas MD Anderson Cancer Center was issued with a $4,348,000 civil monetary penalty by the HHS’ Office for Civil Rights (OCR) following the discovery of multiple alleged HIPAA violations that contributed to three data breaches that were experienced in 2012 and 2013.

OCR launched an investigation into the breaches and determined there had been an impermissible disclosure of the electronic protected health information (ePHI) of 34,883 patients and that HIPAA Rules had been violated as a result of the failure to use encryption. OCR reasoned that had encryption been used, the breaches could have been prevented.

MD Anderson contested the financial penalty and the case was sent to an administrative law judge who ruled that the MD Anderson must pay the financial penalty.

MD Anderson has now filed a complaint against the Secretary of the HHS and has launched an appeal with the U.S. Court of Appeals, Fifth Circuit in Texas.

As reported by Information Security Media Group (ISMG), MD Anderson alleges the civil monetary penalty is unlawful, that OCR has exceeded its authority by issuing the penalty, and the penalty is excessive. MD Anderson is seeking a permanent injunction to prevent OCR from collecting the penalty and have OCR cover its legal costs associated with its case.

Three counts are detailed in the complaint. MD Anderson alleges the CMP is unlawful as OCR only has the authority to issue a CMP against a person, which is either an individual, a trust, estate, partnership, or a corporation. MD Anderson is an academic institution and cancer treatment and research center that is part of the University of Texas and is a state agency and, it is argued, state agencies are except from OCR civil monetary penalties.

MD Anderson also argues that the penalty exceeds the maximum penalty for a HIPAA violation under the reasonable cause tier and that the penalty is in breach of the eighth amendment. In each of the three cases, employees acted against MD Anderson’s policies and procedures and did not take advantage of encryption technologies that were available to them. Further, no evidence has been uncovered to suggest that any information stored on the devices has been accessed, obtained, or misused.

MD Anderson also states that the use of encryption is not a requirement of the HIPAA Security Rule, which MD Anderson claims in the lawsuit is an “optional” standard.

It remains to be seen whether the appeal will be successful; however, OCR has made it clear that addressable standards are ‘optional’ requirements of the HIPAA Security Rule.

“The encryption implementation specification is addressable, and must therefore be implemented if, after a risk assessment, the entity has determined that the specification is a reasonable and appropriate safeguard in its risk management of the confidentiality, integrity and availability of e-PHI,” wrote OCR on its website. “If the entity decides that the addressable implementation specification is not reasonable and appropriate, it must document that determination and implement an equivalent alternative measure, presuming that the alternative is reasonable and appropriate.”

The penalties may appear excessive given the nature of the incidents, but OCR has the authority to issue financial penalties for “reasonable cause” up to a maximum of $1,500,000 per year. In its notice of proposed determination, OCR  stated how it arrived at the penalty amount.

  1. Calendar Year 2011 – 283 days, from March 24 through December 31 (maximum penalty of $1,500,000).
  2. Calendar Year 2012 – 366 days, from January 1 through December 31 (maximum penalty of $1,500,000).
  3. Calendar Year 2013 – 25 days, from January 1 through January 25, 2013 (maximum penalty of $1,500,000).

The post MD Anderson Cancer Center Appeals Against $4,348,000 HIPAA Penalty appeared first on HIPAA Journal.

Data Security Incident Response Analysis Published by BakerHostetler

Posted by HIPAA Journal

BakerHostetler has released its fifth annual Data Security Incident Response Report, which contains an analysis of the 750+ data breaches the company helped manage in 2018.

BakerHostetler suggests there has been a collision of data security, privacy, and compliance, and companies have been forced to change the way they respond to security breaches.

In addition to federal and state regulations covering data breaches and notifications, companies in the United States must also comply with global privacy laws such as the EU’s General Data Protection Regulation (GDPR).  All of these different regulations make the breach response a complex process. The definitions of personal information and breach response and reporting requirements differ for GDPR, HIPAA, and across the 50 states. The failure to comply with any of the above-mentioned regulations can lead to severe financial penalties. It is therefore of major importance to be prepared for breaches and be able to respond as soon as a breach is discovered.

This has led many companies to create committees to help manage data breaches, which include stakeholders with expertise in each of the above areas.

Most Common Causes of Data Breaches

An analysis of 2018 incidents shows phishing remains the most common cause of data breaches, accounting for 37% of all incidents managed by the law firm in 2018. The most common type of phishing attack seeks Office 365 credentials. 34% of phishing attacks in 2018 resulted in an Office 365 account being accessed by the attacker.

  1. Phishing Attacks – 37%
  2. Network Intrusions – 30%
  3. Accidental Disclosures – 12%
  4. Lost/stolen devices and records – 10%
  5. System Misconfiguration – 4%

30% of successful phishing attacks saw the attackers peruse the network to find accessible data. 12% of intrusions resulted in the deployment of ransomware, and 8% resulted in a fraudulent wire transfer. In 1% of cases, a successful phishing attack resulted in the deployment of malware other than ransomware.

55% of successful attacks occurred as a result of a mistake by employees, 27% were due to a non-vendor unrelated third party, 11% were due to a vendor, 5% of attacks involved a malicious insider, 3% were due to a non-vendor related third party, and 2% were due to an unrelated third party.

Incident Response, Investigation and Recovery

In 2018, 74% of breaches were discovered internally and 26% were identified by a third-party.

The average time to detect a breach across all industry sectors was 66 days. It took an average of 8 days to contain the breach and 28 days for a forensic investigation to be completed. The average time to issue notifications was 56 days.

Healthcare data breaches took an average of 36 days to discover, 10 days to contain, 32 days to complete a forensic investigation, and 49 days to issue notifications. Healthcare data breaches required an average of 5,751 notification letters to be sent.

There was an increase in investigations by OCR and state Attorneys General in 2018. 34% of breaches resulted in an investigation by an Attorney General and 34% were investigated by OCR. Out of 397 breach notifications issued, 4 lawsuits were filed.

There has been an increase in the use of forensic investigators following a breach. 65% of breaches involved some kind of forensic investigation compared to 41% of incidents in 2017. The average cost of a forensic investigation was $63,001 and $120,732 for network intrusion incidents.

The average ransom payment that was paid was $28,920 and the maximum was $250,000. In 91% of cases, payment of the ransom resulted in the attacker supplying valid keys to decrypt files.

70% of breaches required credit monitoring services to be offered, in most cases due to the exposure of Social Security numbers.

BakerHostetler also notes that following a data breach there is often an increase in access right requests. It is therefore important for companies to have established and scalable access right request processes in place to ensure they can cope with the increase following a security breach.

Interactive Data Breach Notification Map

Healthcare organizations are required to comply with the HIPAA Breach Notification Rule which requires breach notification letters to be issued to affected individuals within 60 days of the discovery of a breach of PHI.

States have also introduced their own breach notification laws, which differ from HIPAA and may, in some cases, require notifications to be issued more rapidly. To help companies find out about the breach notification requirements in each state, BakerHostetler has compiled an interactive data breach notification map.

Using this interactive tool, organizations can find out about the breach reporting requirements in each state. The interactive data breach notification map can be viewed on this link.

The post Data Security Incident Response Analysis Published by BakerHostetler appeared first on HIPAA Journal.

Amazon Announces 6 New HIPAA Compliant Alexa Skills

Posted by HIPAA Journal

Six new HIPAA compliant Alexa skills have been launched by Amazon that allow protected health information to be transmitted without violating HIPAA Rules.

The new HIPAA compliant Alexa skills were developed by six different companies that have participated in the Amazon Alexa healthcare program. The new skills allow patients to schedule appointments, find urgent care centers, receive updates from their care providers, receive their latest blood sugar reading, and check the status of their prescriptions.

This is not the first time that Alexa skills have been developed, but a stumbling block has been the requirements of the HIPAA Privacy Rule, which limit the use of voice technology with protected health information. Now, thanks to HIPAA compliant data transfers, the voice assistant can now be used by a select group of healthcare organizations to communicate PHI without violating the HIPAA Privacy Rule.

Amazon has stated that it plans to work with many other developers through an invite-only program to develop new skills to use within its HIPAA-eligible environment. Amazon is offering those organizations business associate agreements to meet HIPAA requirements. The initial roll-out has been limited to six new HIPAA compliant Alexa skills as detailed below:

New HIPAA Compliant Alexa Skills

The purpose of the new skills is to allow patients, caregivers, and health plan members to use Amazon Alexa to manage their healthcare at home through voice commands. The skills make it easier for patients to perform healthcare-related tasks, access their health data, and interact with their providers.

The six new HIPAA compliant Alexa skills are:

Express Scripts

Members of the Express Scripts pharmacy services organization can check the status of a home delivery prescription and can ask Alexa to send notifications when prescriptions have been shipped and when they arrive at their door.

Cigna Health Today

Employees who have been enrolled in a Cigna health plan can use this Alexa skill to check wellness program goals, receive health tips, and access further information on rewards.

My Children’s Enhanced Recovery After Surgery (ERAS)

Parents and caregivers of children enrolled in Boston Children’s Hospital’s ERAS program can send updates to their care teams on recovery progress. Care teams can also send information on post-op appointments and pre- and post-op guidance. Initially, the skill is being used in relation to cardiac surgery patients, although the program will be expanded in the near future.

Livongo Blood Sugar Lookup

Participants in Livongo’s Diabetes Program can query their latest blood sugar reading from their device, check blood sugar monitoring trends such as their weekly average reading, and receive personalized health tips through their Alexa device.

Atrium Health

Atrium Health’s new Alexa skill allows patients to find urgent care locations near them and schedule same-day appointments, find out about opening hours, and current waiting times. Initially the Alexa skill is being offered to customers in North and South Carolina.

Swedish Health Connect

Providence St. Joseph Health has created an Alexa skill that allows patients to find Swedish Express Care Clinics in their vicinity and schedule same day appointments at 37 of its locations on the west coast.

The post Amazon Announces 6 New HIPAA Compliant Alexa Skills appeared first on HIPAA Journal.

CMS Launches Review Program to Assess Compliance with the HIPAA Administrative Simplification Rules

Posted by HIPAA Journal

The HHS’ Centers for Medicare and Medicaid Services (CMS) has launched a compliance review program to assess whether HIPAA covered entities are complying with the HIPAA Administrative Simplification Rules for electronic healthcare transactions. The compliance reviews will commence in April 2019.

The HIPAA Administrative Simplification Rules

The HIPAA Administrative Simplification Rules were introduced to improve efficiency and the effectiveness of the health system in the United States. They require healthcare organizations to adopt national standards for healthcare transactions that are conducted electronically, including the use of standard code sets and unique health identifiers, in addition to complying with the requirements of the HIPAA Privacy and Security Rules.

The HHS’ Office for Civil Rights is responsible for enforcing the HIPAA Privacy, Security, and Breach Notification Rules. The CMS is responsible for administering and enforcing the rules covering transaction and code sets standards, the employer identifier standard, and the national provider identifier standard, as detailed in 45 CFR Parts 160, 162, and 164. The CMS-administered standards are required to be adopted whenever there is an exchange of health information. If the standards are not adopted, healthcare information cannot be exchanged efficiently.

The CMS Compliance Review Program

Starting in April 2019, the CMS will conduct compliance reviews on 9 randomly selected health plans and healthcare clearinghouses, including those that deal with Medicare and Medicaid and those that do not.

The compliance reviews will assess whether HIPAA -covered entities are in compliance with the standards set for:

  • Transaction formats;
  • Code sets; and
  • Unique identifiers

If covered entities selected for a review are found not to be in compliance with the HIPAA Administrative Simplification Rules, they will be provided with a corrective action plan to address any violations and will be given the opportunity to make changes and achieve compliance.

Any covered entity that fails to make the necessary changes and achieve compliance with the HIPAA Administrative Simplification standards will be subjected to “escalating enforcement actions”, which could include civil monetary penalties.

The 2019 CMS Compliance Review Program follows on from a pilot review program conducted in 2018 on three health plans and three healthcare clearinghouses that volunteered to participate. A separate program will take place in 2019 in which providers will also be able to volunteer for compliance reviews.

After the latest round of 9 compulsory compliance reviews have been completed, the CMS will conduct an ongoing campaign involving periodic reviews of randomly selected covered entities to assess compliance with the HIPAA Administrative Simplification Rules.

These will be in addition to the normal procedure for enforcing compliance, which currently operates on a complaint basis.

Organizations can use the web-based Administrative Simplification Enforcement and Testing Tool (ASETT) to test transactions to determine whether they are compliant and to submit complaints about HIPAA Administrative Simplification Rules violations.

The post CMS Launches Review Program to Assess Compliance with the HIPAA Administrative Simplification Rules appeared first on HIPAA Journal.

$1.6 Million Settlement Agreed with Texas Department of Aging and Disability Services Over 2015 Data Breach

Posted by HIPAA Journal

The Department of Health and Human Services’ Office for Civil Rights has agreed to settle a HIPAA violation case with the Texas Department of Aging and Disability Services (DADS) to resolve HIPAA violations discovered during the investigation of a 2015 data breach that exposed the protected health information of 6,617 Medicaid recipients.

The breach was caused by an error in a web application which made ePHI accessible over the internet for around 8 years. DADS submitted a breach report to OCR on June 11, 2015.

OCR launched an investigation into the breach to determine whether there had been any violation of HIPAA Rules. On July 2015, OCR notified DADS that the investigation had revealed there had been multiple violations of HIPAA Rules.

DADS was deemed to have violated the risk analysis provision of the HIPAA Security Rule – 45 C.F.R. § 164.308(a)(1)(ii)(A) – by failing to conduct a comprehensive, organization-wide risk analysis to identify potential risks to the confidentiality, integrity, and availability of ePHI.

There had also been a failure to implement appropriate technical policies and procedures for systems containing ePHI to only allow authorized individuals to access those systems, in violation of 45 C.F.R. § 164.308(a)(4) and 45 C.F.R. § 164.312(a)(1).

Appropriate hardware, software, and procedural mechanisms to record and examine information system activity had not been implemented, which contributed to the duration of exposure of ePHI – A violation of 5 C.F.R. § 164.312(b).

As a result of these violations, there was an impermissible disclosure of ePHI, in violation of 45 C.F.R. § 164.502(a).

The severity of the violations warranted a financial penalty and corrective action plan. Both were presented to the State of Texas and DADS was given the opportunity to implement the measures outlined in the CAP to address the vulnerabilities to ePHI.

The functions and resources that were involved in the breach have since been transferred to the Health and Human Services Commission (HHSC), which will ensure the CAP is implemented.

The State of Texas presented a counter proposal for a settlement agreement to OCR which will see the deduction of $1,600,000 from sums owed to HHSC from the CMS. The settlement releases HHSC from any further actions related to the breach and HHSC has agreed not to contest the settlement or CAP.

The settlement has yet to be announced by OCR, but it has been approved by the 86th Legislature of the State of Texas. This will be the first 2019 HIPAA settlement between OCR and a HIPAA covered entity.

The post $1.6 Million Settlement Agreed with Texas Department of Aging and Disability Services Over 2015 Data Breach appeared first on HIPAA Journal.

UCLA Health Settles Class Action Data Breach Lawsuit for $7.5 Million

Posted by HIPAA Journal

UCLA Health has settled a class action lawsuit filed on behalf of victims of data breach that was discovered in October 2014. UCLA Health has agreed to pay $7.5 million to settle the lawsuit.

UCLA Health detected suspicious activity on its network in October 2014 and contacted the FBI to assist with the investigation. The forensic investigation confirmed that hackers had succeeded in gaining access to its network, although at the time it was thought that they did not access the parts of the network where patients’ medical information was stored. However, on May 5, 2015, UCLA confirmed that the hackers had gained access to parts of the network containing patients’ protected health information and may have viewed/copied names, addresses, dates of birth, Medicare IDs, health insurance information, and Social Security numbers. In total, 4.5 million patients were affected by the breach.

The Department of Health and Human Services’ Office for Civil Rights investigated the breach and was satisfied with UCLA Health’s breach response and the technical and administrative safeguards that had been implemented post-breach to improve security.

UCLA Health avoided a financial penalty, but a class action lawsuit was filed on behalf of patients affected by the breach. The plaintiffs alleged UCLA Health failed to inform them about the breach in a timely manner, there had been breach of contract, violations of California’s privacy laws, and that UCLA Health’s failure to protect the privacy of patients constituted negligence.

UCLA Health notified patients about the breach on July 15, 2015, and while this was in line with HIPAA requirements – under 60 days from the discovery that PHI had been compromised – the plaintiffs believed they should have been notified more quickly, given the fact that the breach had occurred 9 months previously.

Under the terms of the settlement, all patients affected by the breach can claim two years of free credit monitoring and identity theft protection services. Patients will also be allowed to submit a claim to recover costs that have been incurred protecting themselves against unauthorized use of their personal and health information and they can also submit a claim to recover losses from fraud and identity theft.

Patients can claim up to $5,000 to cover the costs of protecting their identities and up to $20,000 for any losses or damage caused by identity theft and fraud. $2 million of the $7.5 million settlement has been set aside to cover patients’ claims.  The remaining $5.5 million will be paid into a cybersecurity fund which will be used to improve cybersecurity defenses at UCLA Health.

Patients have until May 20, 2019 to submit an objection or exclude themselves from the settlement. Preventative measure claim forms must be submitted by June 18, 2019 and patients must enroll in the free credit monitoring and identity theft protection services by September 16, 2019. The deadline for submitting claims for the reimbursement of losses is June 18, 2021. The final court hearing on the settlement is scheduled for June 18, 2019.

The post UCLA Health Settles Class Action Data Breach Lawsuit for $7.5 Million appeared first on HIPAA Journal.

California Dentists at Risk of Financial Penalties for Slow Release of Copies of Dental Records

Posted by HIPAA Journal

A recent report from the Dental Board of California has revealed dentists in the state are failing to provide patients with copies of their dental records in a timely manner, in violation of state laws and the Health Insurance Portability and Accountability Act’s (HIPAA) Privacy Rule.

Under state law (BPC §1684.1), dental practices are required to provide patients with a copy of their dental records within 15 days of a request being submitted. HIPAA (45 CFR § 164.524) requires covered dental offices to provide patients with a copy of their dental records within 30 days of the request being submitted. The HIPAA Privacy Rule also requires dentists and other HIPAA-covered entities to provide a copy of records in the format requested by the patient, provided that the request is reasonable, and the practice has the capability to provide records in the requested format.

The Dental Board has the authority to cite and fine practices that are found to have violated state laws and its 2018 Sunset Review Report for the California Legislature says citations have increased by 36% in each of the past 4 fiscal years. The failure to provide copies of dental records before the 15-day deadline is one of the five most commonly cited violations of state laws.

The Dental Board explained that “Citations may be used when patient harm is not found, but the quality of care provided to the consumer is substandard.” The Board can issue fines of up to $500 per day to a maximum of $5,000 for failing to provide copies of dental records to patients within the 15-day deadline.

Dental records can include x-ray images, photographs, test results, models, treatment information, and dentist’s notes, which should all be provided to patients on request. In addition to Dental Board fines, untimely responses to patient requests and the failure to provide copies of health information could result in a financial penalty for noncompliance with HIPAA.

While it would be unusual for state attorneys general to issue financial penalties for this aspect of noncompliance with HIPAA, one of the first financial penalties issued by the Department of Health and Human Services’ Office for Civil Rights (OCR) for noncompliance with HIPAA was for a failure to provide patients with copies of their health records. Cignet Health of Prince George’s County had to pay OCR a $4,300,000 civil monetary penalty in 2011 to resolve the HIPAA violation.

Further, OCR explained at HIMSS19 that one of the aspects of HIPAA noncompliance that will be subject to enforcement actions in 2019 is violations of the HIPAA Privacy Rule’s right of access requirement.

Any dental office found to be routinely denying patients access to their health data or willfully failing to adhere to the 30-day deadline could be issued with a sizable financial penalty for noncompliance.

The post California Dentists at Risk of Financial Penalties for Slow Release of Copies of Dental Records appeared first on HIPAA Journal.