HIPAA Compliance News

AAN Suggests Third Party App Security Framework Must be Included in the CMS Interoperability Plan

The American Academy of Neurology (AAN) has voiced concerns about the interoperability plans of the Centers for Medicare and Medicaid Services (CMS) and the HHS’ Office of the National Coordinator for Health IT (ONC).

In February, both ONC and CMS proposed new rules that aim to reduce information blocking and improve interoperability. The AAN supports ONC and CMS efforts to reduce information blocking and improve interoperability. Data blocking and interoperability problems force clinicians to spend more time on clerical work, which means less time is spent providing direct care to patients.

The AAN believes many of the provisions in the new rules are necessary for empowering patients and providers by providing comprehensive access to patient data; however, in a recent letter to CMS Administrator Seema Verma, the AAN has expressed concern about patient safety and security if the ONC and CMS interoperability plans are implemented.

The AAN supports efforts to advance the use of standardized Fast Healthcare Interoperability Resources (FHIR) based APIs to allow patients to easily gain access to their health data, including claims information, lab test results, medications, and clinical notes. Easy access to that information will help with care coordination and will improve patients’ understanding of their conditions and treatments. However, there are potential problems.

“Consistent policies are needed across the board to incentivize and facilitate the exchange of data across systems,” wrote AAN President Ralph L. Sacco. “Many EHRs do not support the robust use of application program interfaces (APIs) for data exchange or are hindered by APIs that are implemented in proprietary ways that inhibit data exchange.” The AAN has also voiced concerns about privacy and security.

The AAN understands that once PHI has been shared through an API it is no longer the responsibility of the provider to protect that information, but it believes a security framework is required for third-party applications to prevent unauthorized disclosures once PHI has been transmitted by providers.

There is currently no federal regulatory framework to address unauthorized disclosures of PHI outside of enforcement by the FTC. Without a regulatory framework, a burden is placed on providers to ensure that they inform patients of the potential risks, when it should be the responsibility of app developers to ensure that all necessary precautions are taken to protect PHI. The AAN is seeking clarification on the responsibilities of third-party applications to ensure patient information is protected.

Unauthorized disclosures after PHI has been transferred do not constitute HIPAA violations, but they do have potential to negatively impact a provider’s reputation. Further, explaining the risks to patients may result in patients declining to share their information, which would work counter to CMS’s goal of promoting exchange of data and could detrimentally impact providers’ relationships with their patients.

“Given the sensitive nature of PHI and the paramount importance of trust between patients and providers, the AAN implores CMS and the FTC to ensure that there are clear security guidelines for third-party APIs and that there is robust enforcement to ensure that third-party applications are responsible stewards of patient data,” wrote Sacco.

Concern has also been raised about the sharing of certain types of particularly sensitive information, such as high-risk genetic testing data. If a patient has a genetic test that indicates there is a high probability that the patient will develop an incurable degenerative disease such as Huntington’s disease, prior to that information being shared with patients and their families it is necessary to make sure appropriate counselling is provided. The AAN suggests that that type of information should not be shared through APIs.

The AAN also believes the proposed six-month implementation time scale for many of the proposed changes is much too short. Complying with the new requirements in such a short time frame will place a significant burden on providers. More time has been requested for implementing the proposed system-wide changes.

The College of Healthcare Information Management Executives (CHIME) is also urging the CMS and ONC to extend the timescale for complying with the proposed changes and has suggested an interim rule is required and the time frame for complying should be extended from six months to three years.

The post AAN Suggests Third Party App Security Framework Must be Included in the CMS Interoperability Plan appeared first on HIPAA Journal.

April 2019 Healthcare Data Breach Report

April was the worst ever month for healthcare data breaches, with more data breaches reported than in any other month since the Department of Health and Human Services’ Office for Civil Rights started publishing healthcare data breach reports in October 2009. In April, 46 healthcare data breaches were reported, which is a 48% increase from March and 67% higher than the average number of monthly breaches over the past 6 years.

While breach numbers are up, the number of compromised healthcare records is down. In April 2019, 694,710 healthcare records were breached – a 23.9% reduction from March. While the breaches were smaller, the increase in the number of breaches is of great concern, especially the rise in the number of healthcare phishing attacks.

Largest Healthcare Data Breaches in April 2019

Two 100,000+ record data breaches were reported in April. The largest breach of the month was reported by the business associate Doctors Management Services – a ransomware attack that exposed the records of 206,695 patients.

The ransomware was deployed 7 months after the attacker had first gained access to the company’s systems. The initial access was gained via Remote Desktop Protocol (RDP) on a workstation.

The second largest data breach was reported by the healthcare provider Centrelake Medical Group. The breach resulted in the exposure of 197,661 patients’ PHI and was also a ransomware attack that prevented patient information from being accessed. While the delay between access to the servers being gained and the ransomware being deployed was not as long, it also appeared that the attacker had been exploring the network prior to deploying the malicious software. Access to the server was gained 6 weeks prior to the ransomware being deployed. Ransomware was also used in the attack on ActivYouth Orthopaedics.

| Covered Entity | Entity Type | Records Exposed | Breach Type | Location of Breached PHI |
|---|---|---|---|---|
| Doctors Management Services, Inc. | Business Associate | 206,695 | Hacking/IT Incident | Network Server |
| Centrelake Medical Group, Inc. | Healthcare Provider | 197,661 | Hacking/IT Incident | Network Server |
| Gulf Coast Pain Consultants, LLC d/b/a Clearway Pain Solutions Institute | Healthcare Provider | 35,000 | Unauthorized Access/Disclosure | Electronic Medical Record |
| EmCare, Inc. | Healthcare Provider | 31,236 | Hacking/IT Incident | Email |
| Kim P. Kornegay, DMD | Healthcare Provider | 27,000 | Theft | Desktop Computer, Electronic Medical Record, Paper/Films |
| Pediatric Orthopedic Specialties, PA, dba ActivYouth Orthopaedics | Healthcare Provider | 24,176 | Hacking/IT Incident | Network Server |
| Health Recovery Services, Inc. | Healthcare Provider | 20,485 | Unauthorized Access/Disclosure | Network Server |
| Baystate Health | Healthcare Provider | 11,658 | Hacking/IT Incident | Email |
| Riverplace Counseling Center, Inc. | Healthcare Provider | 11,639 | Hacking/IT Incident | Network Server |
| Minnesota Department of Human Services | Healthcare Provider | 10,263 | Hacking/IT Incident | Email |

Causes of April 2019 Healthcare Data Breaches

Hacking/IT incidents outnumbered unauthorized access/disclosure incidents by 2 to 1 in April. 28 of the reported breaches of 500 or more records were due to hacking/IT incidents. There were 14 unauthorized access/disclosure incidents, two cases of theft of PHI, one reported case of loss of paperwork, and one case of improper disposal of PHI.

While 2018 saw a decline in the number of ransomware attacks across all industry sectors, the number of ransomware attacks is increasing once again, and healthcare is the most attacked industry. Remote Desktop Protocol is often exploited to gain access to servers and workstations and deploy ransomware.

In May, a Forescout study revealed that the use of vulnerable protocols is common in the healthcare industry. Risk can be reduced by disabling these protocols and, if RDP must be used, by only using it over a VPN.

Phishing attacks also increased considerably in April, which highlights just how vulnerable healthcare organizations are to this type of attack. Advanced anti-phishing and anti-spam solutions can reduce the volume of malicious emails that reach inboxes and, combined with regular security awareness training, can reduce risk.

The use of multi-factor authentication is also important. In the event of credentials being compromised, MFA will prevent those credentials from being used to gain access to PHI. MFA is not infallible, but it can ensure risk is reduced to a reasonable and acceptable level. According to Verizon, most credential theft incidents would not have resulted in a data breach if MFA had been implemented.

Hacking/IT incidents resulted in the highest number of compromised records in April 2019 – 384,219 records or 55% of all compromised records in April. The mean breach size was 13,722 records and the median breach size was 4,008 records.

Unauthorized access/disclosure incidents resulted in the exposure of 264,016 records or 38% of the month’s total. While hacking incidents usually result in more records being compromised, these incidents were more severe and had a mean breach size of 18,858 records. The median breach size was 3,193 records.

31,810 records were exposed to loss or theft – 4.6% of the month’s total. The mean breach size was 10,603 records and the median breach size was 4,000 records.

April 2019 healthcare data breaches - breach cause

Location of Breached Protected Health Information

Email was the most common location of breached PHI in April. Email was involved in 22 data breaches – 47.8% of all breaches in April 2019. While this category includes misdirected emails, the majority of email breaches were due to phishing attacks.

Network servers were involved in 11 breaches – 23.9% of the month’s breaches – which include malware and ransomware attacks.

Physical records such as paperwork, charts, and films were involved in 6 breaches – 13% of the month’s total.

April 2019 healthcare data breaches - location of PHI

April Breaches by Covered Entity Type

April was a relatively good month for business associates of covered entities with only two breaches reported and one further breach having some business associate involvement, although a business associate breach was the largest breach of the month.

Six health plans reported breaches in April and the remaining 38 breaches were reported by healthcare providers.

April 2019 healthcare data breaches by covered entity type

April 2019 Healthcare Data Breaches by State

Data breaches were reported by entities based in 21 states in April. California and Texas were the worst affected, with each state having 5 breaches. Florida, Minnesota, and Ohio each had four breaches, and there were 3 breaches reported by entities in Illinois.

Idaho, Massachusetts, New York, Oregon, Tennessee, and Washington each had 2 breaches and one breach was reported in each of Alabama, Delaware, Louisiana, North Carolina, New Jersey, Pennsylvania, South Dakota, Utah, and West Virginia.

HIPAA Enforcement Activity in April 2019

There were no financial penalties issued by the HHS’ Office for Civil Rights or state Attorneys General in April 2019. The first OCR financial penalty of 2019 was issued in May – a $3,000,000 penalty for Touchstone Medical Imaging for the delayed response to a data breach in which the records of 307,839 patients were exposed.

In addition to the delayed response, there was a failure to issue breach notifications in a reasonable time frame, a failure to notify the media about the breach, two business associate agreement (BAA) failures, insufficient access rights, and a risk analysis failure.


Lawsuit Alleges Hospital Worker Disclosed Information about Woman’s Sexual Assault to her Attacker

A lawsuit has been filed against Atchison Hospital in Kansas by a sexual assault victim who alleges an X-ray technician at the hospital contacted her attacker and disclosed sensitive information about the treatment she received at the hospital.

According to the Kansas City Star, after being raped, the woman sought treatment at the hospital. She underwent a rape kit examination, and allegedly made it clear to the hospital that she did not want her health information to be disclosed to third parties.

Despite being against the patient’s wishes and a violation of the HIPAA Privacy Rule, information about the examination was disclosed to her attacker by a female X-ray technician at the hospital. The X-ray technician also told the man that he had been accused of sexually assaulting the patient.

Following the disclosure, the man repeatedly harassed and threatened the patient by phone and text message over the following weeks. In addition to the barrage of abuse she received from her attacker, the lawsuit claims the woman was also harassed by hospital staff.

A complaint was filed with the hospital over the privacy violation and an internal investigation was launched. The medical records system was checked to determine whether there had been any unauthorized accessing of her medical records and interviews were conducted with staff members.

No evidence was uncovered to suggest the woman’s electronic medical records had been accessed inappropriately, but the hospital concluded the X-ray technician had viewed the woman’s medical information in the hospital’s health information department. The hospital confirmed to the woman that the X-ray technician was not part of her care team and was not authorized to view her records.

The hospital apologized for the privacy breach and reviewed and updated its policies and procedures to reduce the risk of further incidents such as this occurring.

The X-ray technician was fired from the hospital over the privacy violation and was subsequently hired by Saint Luke’s Cushing Hospital. According to the patient’s attorneys, details of the former employee’s conduct were not disclosed to Cushing Hospital and a positive review was provided. The patient’s attorneys claim the hospital did not do enough to communicate the reason for termination to the woman’s potential new employer.

Hospital CEO John Jacobson issued a statement to the Atchison Globe, saying “Patient confidentiality at Atchison Hospital and our ability to protect personal information is a top priority of ours… we are deeply disturbed by the actions of this former employee. In fact, when we were made aware of this situation, we took immediate steps to investigate and within two days, we terminated this individual’s employment.”

The lawsuit accuses the hospital of having inadequate policies in place to protect against the unauthorized accessing of patient information and claims the hospital was negligent, there was an invasion of the patient’s privacy, and the hospital breached its fiduciary duty. The lawsuit seeks punitive damages.


Touchstone Medical Imaging Fined $3 Million by OCR for Extensive HIPAA Failures

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced a settlement has been reached with the Franklin, TN-based diagnostic medical imaging services company, Touchstone Medical Imaging. The settlement resolves multiple violations of HIPAA Rules discovered by OCR during the investigation of a 2014 data breach.

Touchstone Medical Imaging has agreed to a settlement of $3,000,000 to resolve the violations and will adopt a corrective action plan (CAP) to address its HIPAA compliance issues. The high settlement amount reflects widespread and prolonged noncompliance with HIPAA Rules. OCR alleged 8 separate violations across 10 HIPAA provisions. The settlement resolves the HIPAA case with no admission of liability.

On May 9, 2014, Touchstone Medical Imaging was informed by the FBI that one of its FTP servers was accessible over the Internet and allowed anonymous connections to a shared directory. The directory contained files that included the protected health information (PHI) of 307,839 individuals.

As a result of the lack of access controls, files had been indexed by search engines and could be found by the public with simple Internet searches. Even when the server was taken offline, patient information could still be accessed over the Internet. The failure to secure the server constituted a violation of 45 C.F.R. § 164.312(a)(1).

The security breach was reported to OCR, but Touchstone initially claimed that no PHI had been exposed. OCR launched an investigation into the breach and during the course of that investigation Touchstone admitted that PHI had in fact been exposed. The types of information that could be accessed over the internet included names, addresses, dates of birth, and Social Security numbers.

In addition to the impermissible disclosure of 307,839 individuals’ PHI – a violation of 45 C.F.R. § 164.502(a) – OCR discovered the security breach had not been properly investigated until September 26, 2014: several months after Touchstone was initially notified about the breach by the FBI, and after notification had been given to OCR. The delayed breach investigation was a violation of 45 C.F.R. § 164.308(a)(6)(ii).

As a result of the delayed investigation, affected individuals did not receive notifications about the exposure of their PHI until 147 days after the discovery of the breach: well in excess of the Breach Notification Rule’s 60-day maximum time limit for issuing notifications. The delayed breach notices were a violation of 45 C.F.R. § 164.404. Similarly, a media notice was not issued about the breach for 147 days, in violation of 45 C.F.R. § 164.406.

During the course of its investigation, OCR discovered that Touchstone had failed to complete a thorough, organization-wide risk analysis to identify all risks to the confidentiality, integrity, and availability of ePHI: a violation of 45 C.F.R. § 164.308(a)(1)(ii)(A).

OCR also identified two cases of Touchstone having failed to enter into a business associate agreement with vendors prior to providing access to systems containing ePHI.

OCR cites the use of an IT services company – MedIT Associates – without a BAA as a violation of 45 C.F.R. §§ 164.502(e)(2), 164.504(e), and 164.308(b), and the use of a third-party data center, XO Communications, without a BAA as a violation of 45 C.F.R. § 164.308(a)(1)(ii)(A).

In addition, in violation of 45 C.F.R. § 164.308(b), XO Communications continues to be used without a business associate agreement in place.

“Covered entities must respond to suspected and known security incidents with the seriousness they are due, especially after being notified by two law enforcement agencies of a problem,” said OCR Director Roger Severino. “Neglecting to have a comprehensive, enterprise-wide risk analysis, as illustrated by this case, is a recipe for failure.”

The settlement comes just a few days after OCR announced it has reduced the maximum financial penalties for three of the four HITECH Act tiers of HIPAA violations. This settlement confirms that while minor HIPAA violations may now attract lower financial penalties, when serious violations of HIPAA Rules are discovered and healthcare organizations fail to take prompt action to correct violations, the financial penalties can be considerable.


Arizona Court of Appeals Rules Patient Can Proceed with Negligence Claim Based on HIPAA Violation

An Arizona man who sued Costco over a privacy violation and had the lawsuit dismissed by the trial court has had the decision overturned by the Court of Appeals, which ruled that the patient can sue the pharmacy for negligence based on a violation of the Health Insurance Portability and Accountability Act (HIPAA).

The privacy violation in question occurred in 2016. The man had received a sample of an erectile dysfunction drug in January 2016 and received a telephone call from Costco letting him know that his full prescription was ready to be collected. The man cancelled the prescription but when he contacted the pharmacy a month later about a separate prescription, he discovered the cancellation had not been processed. He then cancelled the prescription for a second time but, again, the prescription was not cancelled.

The man subsequently authorized his ex-wife to collect his regular prescription. While at the pharmacy, the pharmacist joked with his ex-wife about the uncollected erectile dysfunction prescription. The man was attempting to reconcile with his ex-wife at the time. The man alleges the impermissible disclosure to his ex-wife was the reason that attempt failed.

The man complained to Costco about the privacy violation and received a letter in reply stating the pharmacist had violated Costco policies and HIPAA Rules by disclosing details of the prescription to his ex-wife. The man subsequently sued Costco alleging a variety of tort claims relating to the failure to cancel the prescription and the privacy violation, but the lawsuit was dismissed by the trial court.

The ruling was appealed and was partially overturned in the Arizona Court of Appeals. Presiding Judge Jennifer M. Perkins reversed the decision on the negligence and punitive damages claims, but affirmed the dismissal of all other claims.

Judge Perkins ruled that Costco had a duty of care to the plaintiff arising from Costco’s privacy policies and HIPAA laws and that the duty of care was breached. The overturning of the trial court ruling will see the case returned to a lower court for further proceedings.

There is no private cause of action in HIPAA, so it is rare for lawsuits to be filed over HIPAA violations. In most cases where patient privacy has been violated and legal action is taken, lawsuits are filed for violations of state laws. The ruling is the first in the state of Arizona to accept a negligence claim based on violations of HIPAA Rules.

“HIPAA does not preempt state-law negligence claims for wrongful disclosure of medical information. Accordingly, we hold HIPAA’s requirements may inform the standard of care in state-law negligence actions just as common industry practice may establish an alleged tortfeasor’s duty of care and to the extent such claims are permitted under [state law] A.R.S. § 12-2296,” wrote the Judge in her ruling.


HHS To Apply New Caps on Financial Penalties for HIPAA Violations to Reflect Level of Culpability


The Department of Health and Human Services has issued a notification of enforcement discretion regarding the civil monetary penalties that are applied when violations of HIPAA Rules are discovered and will be reducing the maximum financial penalty for three of the four penalty tiers.

The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 increased the penalties for HIPAA violations. The new penalties were based on the level of knowledge a HIPAA covered entity or business associate had about the violation and whether action was voluntarily taken to correct any violations.

The 1st penalty tier applies when a covered entity or business associate is unaware that HIPAA Rules were violated and, by exercising a reasonable level of due diligence, would not have known that HIPAA was being violated.

The 2nd tier applies when a covered entity knew about the violation or would have known had a reasonable level of due diligence been exercised, but when the violation falls short of willful neglect of HIPAA Rules.

The 3rd penalty tier applies when there was willful neglect of HIPAA Rules, but the covered entity corrected the problem within 30 days.

The 4th tier applies when there was willful neglect of HIPAA Rules and no efforts were made to correct the problem in a timely manner.

The maximum penalty across all four tiers was set at $1.5 million for violations of an identical provision in a single calendar year.

On January 25, 2013, the HHS implemented an interim final rule (IFR) and adopted the new penalty structure, but believed at the time that there were inconsistencies in the language of the HITECH Act with respect to the penalty amounts. The HHS determined at the time that the most logical reading of the law was to apply the same maximum penalty cap of $1,500,000 across all four penalty tiers.

The HHS has now reviewed the language of the HITECH Act and believes a better reading of the requirements of the HITECH Act would be for the annual penalty caps to be different in three of the four tiers to better reflect the level of culpability. The minimum and maximum amounts in each tier will remain unchanged.

New Interpretation of the HITECH Act’s Penalties for HIPAA Violations

| Penalty Tier | Level of Culpability | Minimum Penalty per Violation | Maximum Penalty per Violation | Old Maximum Annual Penalty | New Maximum Annual Penalty |
|---|---|---|---|---|---|
| 1 | No Knowledge | $100 | $50,000 | $1,500,000 | $25,000 |
| 2 | Reasonable Cause | $1,000 | $50,000 | $1,500,000 | $100,000 |
| 3 | Willful Neglect – Corrective Action Taken | $10,000 | $50,000 | $1,500,000 | $250,000 |
| 4 | Willful Neglect – No Corrective Action Taken | $50,000 | $50,000 | $1,500,000 | $1,500,000 |

The HHS will publish its notification in the Federal Register on April 30, 2019. The HHS notes that its notification of enforcement discretion creates no legal obligations and no legal rights. Consequently, it is not necessary for it to be reviewed by the Office of Management and Budget.

The new penalty caps will be adopted by the HHS until further notice and will continue to be adjusted annually to account for inflation. The HHS expects to engage in further rulemaking to review the penalty amounts to better reflect the text of the HITECH Act.


HHS Extends Comment Period on Proposed Rules to Improve ePHI Interoperability

The Department of Health and Human Services has extended the deadline for submitting comments on its proposed rules to promote the interoperability of health information technology and electronic protected health information to June 3, 2019.

Two new rules were released on February 11, 2019 by the Office of the National Coordinator for Health IT (ONC) and the Centers for Medicare and Medicaid Services (CMS). The purpose of the new rules is to support the secure access, exchange, and use of electronic health information. The rules cover technical and healthcare industry factors that are proving to be barriers to the interoperability of health information and are limiting the ability of patients to gain access to their health data.

The deadline has been extended to give the public and industry stakeholders more time to read the proposed rules and provide meaningful input that can be used to help achieve the objectives of the rules. The extension has come in response to feedback from many stakeholders who have asked for more time to review the rules, which have potential to cause a range of issues for healthcare organizations.

Two other factors influenced the decision to extend the deadline. There appeared to be some confusion over HIPAA and whether healthcare providers are accountable for how patients use their health data. Also, the ONC has recently released the second draft of its Trusted Exchange Framework and Common Agreement (TEFCA), which could factor into comments. While there is not a great deal of overlap between TEFCA and the ONC/CMS proposed rules, both do cover interoperability and operate in the same space.

In addition, the HHS’ Office for Civil Rights has released a new FAQ for patients to explain the HIPAA right of access in relation to health apps used by patients and application programming interfaces (APIs) used by healthcare providers’ electronic health record systems. The FAQ confirms that after a patient discloses health information via an app, subsequent uses and disclosures are only the responsibility of the healthcare provider if the app developer is one of the healthcare provider’s business associates.


Healthcare Organizations Found Not to be In Conformance with NIST CSF and HIPAA Rules

A recent study conducted by the consultancy firm CynergisTek has revealed healthcare organizations are not in conformance with NIST Cybersecurity Framework (CSF) controls and the HIPAA Privacy and Security Rules.

For the study, CynergisTek analyzed the results of assessments at almost 600 healthcare organizations against NIST CSF and the HIPAA Privacy and Security Rules.

The NIST CSF is a voluntary framework, but the standards and best practices help organizations manage cyber risks. Healthcare organizations that are not in conformance with CSF controls face a higher risk of experiencing a cyberattack or data breach. On average, healthcare organizations were only in conformance with 47% of NIST CSF controls. Conformance has only increased by 2% in the past year.

Assisted living organizations had the highest level of conformance with NIST CSF (95%), followed by payers (86%), and accountable care organizations (73%). Business associates of HIPAA covered entities only had an average conformance level of 48%. Physician groups had the lowest level of conformance (36%).

Out of the five core functions of the NIST CSF – Identify, Detect, Protect, Respond, and Recover – conformance was lowest for Detect.

Even though conformance with the HIPAA Security Rule has been mandatory for the past 14 years, many healthcare organizations were found to be falling short. On average, healthcare organizations were found to be in conformance with 72% of HIPAA Security Rule requirements, which was 2% lower than last year. Critical access hospitals fared the worst with an average of 67% conformance.

Even when organizations were complying with HIPAA Rules, significant security gaps were identified, clearly demonstrating that compliance does not necessarily equate to security.

Compliance with the requirements of the HIPAA Privacy Rule was better, but there is still significant room for improvement. On average, healthcare organizations were complying with 77% of HIPAA Privacy Rule provisions. Many organizations had missing policies and procedures and improper postings. More than 60% of assessments revealed gaps in the maintenance of written policies and procedures related to the use and release of protected health information.

Conformance with the HIPAA Privacy Rule increased year over year for payers and physician groups, but declined for hospitals and health systems, falling from 94% in 2017 to 72% in 2018. CynergisTek explained this fall as most likely being due to higher numbers of assessments being performed on hospitals and health systems in 2018.

CynergisTek also found that insider breaches continue to be a major challenge for healthcare organizations. Insiders were responsible for 28% of healthcare data breaches in 2018 and, on average, those breaches took 255 days to detect. 74% of cases involved employees accessing the health records of household members, 10% involved accessing the records of VIPs who were treated at the hospital, 8% involved accessing the health records of co-workers, and 8% involved accessing neighbors’ health records.

Business associates were found to be a major security risk. They were involved in 20% of healthcare data breaches in 2018. CynergisTek found that in many cases, healthcare organizations were not proactively assessing their vendors, even those that are medium to high risk. The most common business associate failures were related to risk assessments, governance, and access management.

The post Healthcare Organizations Found Not to be In Conformance with NIST CSF and HIPAA Rules appeared first on HIPAA Journal.

MD Anderson Cancer Center Appeals Against $4,348,000 HIPAA Penalty

In 2018, the University of Texas MD Anderson Cancer Center was issued a $4,348,000 civil monetary penalty by the HHS’ Office for Civil Rights (OCR) following the discovery of multiple alleged HIPAA violations that contributed to three data breaches experienced in 2012 and 2013.

OCR launched an investigation into the breaches and determined there had been an impermissible disclosure of the electronic protected health information (ePHI) of 34,883 patients and that HIPAA Rules had been violated as a result of the failure to use encryption. OCR reasoned that had encryption been used, the breaches could have been prevented.

MD Anderson contested the financial penalty and the case was sent to an administrative law judge, who ruled that MD Anderson must pay the financial penalty.

MD Anderson has now filed a complaint against the Secretary of the HHS and has launched an appeal with the U.S. Court of Appeals, Fifth Circuit in Texas.

As reported by Information Security Media Group (ISMG), MD Anderson alleges the civil monetary penalty is unlawful, that OCR has exceeded its authority by issuing the penalty, and the penalty is excessive. MD Anderson is seeking a permanent injunction to prevent OCR from collecting the penalty and have OCR cover its legal costs associated with its case.

Three counts are detailed in the complaint. MD Anderson alleges the CMP is unlawful because OCR only has the authority to issue a CMP against a person, which is either an individual, a trust, estate, partnership, or a corporation. MD Anderson is an academic institution and cancer treatment and research center that is part of the University of Texas and is a state agency and, it is argued, state agencies are exempt from OCR civil monetary penalties.

MD Anderson also argues that the penalty exceeds the maximum penalty for a HIPAA violation under the reasonable cause tier and that the penalty is in breach of the Eighth Amendment. In each of the three cases, employees acted against MD Anderson’s policies and procedures and did not take advantage of encryption technologies that were available to them. Further, no evidence has been uncovered to suggest that any information stored on the devices has been accessed, obtained, or misused.

MD Anderson also states that the use of encryption is not a requirement of the HIPAA Security Rule, which MD Anderson claims in the lawsuit is an “optional” standard.

It remains to be seen whether the appeal will be successful; however, OCR has made it clear that addressable standards are not ‘optional’ requirements of the HIPAA Security Rule.

“The encryption implementation specification is addressable, and must therefore be implemented if, after a risk assessment, the entity has determined that the specification is a reasonable and appropriate safeguard in its risk management of the confidentiality, integrity and availability of e-PHI,” wrote OCR on its website. “If the entity decides that the addressable implementation specification is not reasonable and appropriate, it must document that determination and implement an equivalent alternative measure, presuming that the alternative is reasonable and appropriate.”

The penalties may appear excessive given the nature of the incidents, but OCR has the authority to issue financial penalties for “reasonable cause” violations up to a maximum of $1,500,000 per calendar year. In its notice of proposed determination, OCR stated how it arrived at the penalty amount:

  1. Calendar Year 2011 – 283 days, from March 24 through December 31 (maximum penalty of $1,500,000).
  2. Calendar Year 2012 – 366 days, from January 1 through December 31 (maximum penalty of $1,500,000).
  3. Calendar Year 2013 – 25 days, from January 1 through January 25, 2013 (maximum penalty of $1,500,000).

The post MD Anderson Cancer Center Appeals Against $4,348,000 HIPAA Penalty appeared first on HIPAA Journal.