HIPAA Compliance News

$1.6 Million Settlement Agreed with Texas Department of Aging and Disability Services Over 2015 Data Breach

Posted by HIPAA Journal

The Department of Health and Human Services’ Office for Civil Rights has agreed to settle a HIPAA violation case with the Texas Department of Aging and Disability Services (DADS) to resolve HIPAA violations discovered during the investigation of a 2015 data breach that exposed the protected health information of 6,617 Medicaid recipients.

The breach was caused by an error in a web application which made ePHI accessible over the internet for around 8 years. DADS submitted a breach report to OCR on June 11, 2015.

OCR launched an investigation into the breach to determine whether there had been any violation of HIPAA Rules. On July 2015, OCR notified DADS that the investigation had revealed there had been multiple violations of HIPAA Rules.

DADS was deemed to have violated the risk analysis provision of the HIPAA Security Rule – 45 C.F.R. § 164.308(a)(1)(ii)(A) – by failing to conduct a comprehensive, organization-wide risk analysis to identify potential risks to the confidentiality, integrity, and availability of ePHI.

There had also been a failure to implement appropriate technical policies and procedures for systems containing ePHI to only allow authorized individuals to access those systems, in violation of 45 C.F.R. § 164.308(a)(4) and 45 C.F.R. § 164.312(a)(1).

Appropriate hardware, software, and procedural mechanisms to record and examine information system activity had not been implemented, which contributed to the duration of exposure of ePHI – A violation of 5 C.F.R. § 164.312(b).

As a result of these violations, there was an impermissible disclosure of ePHI, in violation of 45 C.F.R. § 164.502(a).

The severity of the violations warranted a financial penalty and corrective action plan. Both were presented to the State of Texas and DADS was given the opportunity to implement the measures outlined in the CAP to address the vulnerabilities to ePHI.

The functions and resources that were involved in the breach have since been transferred to the Health and Human Services Commission (HHSC), which will ensure the CAP is implemented.

The State of Texas presented a counter proposal for a settlement agreement to OCR which will see the deduction of $1,600,000 from sums owed to HHSC from the CMS. The settlement releases HHSC from any further actions related to the breach and HHSC has agreed not to contest the settlement or CAP.

The settlement has yet to be announced by OCR, but it has been approved by the 86th Legislature of the State of Texas. This will be the first 2019 HIPAA settlement between OCR and a HIPAA covered entity.

The post $1.6 Million Settlement Agreed with Texas Department of Aging and Disability Services Over 2015 Data Breach appeared first on HIPAA Journal.

UCLA Health Settles Class Action Data Breach Lawsuit for $7.5 Million

Posted by HIPAA Journal

UCLA Health has settled a class action lawsuit filed on behalf of victims of data breach that was discovered in October 2014. UCLA Health has agreed to pay $7.5 million to settle the lawsuit.

UCLA Health detected suspicious activity on its network in October 2014 and contacted the FBI to assist with the investigation. The forensic investigation confirmed that hackers had succeeded in gaining access to its network, although at the time it was thought that they did not access the parts of the network where patients’ medical information was stored. However, on May 5, 2015, UCLA confirmed that the hackers had gained access to parts of the network containing patients’ protected health information and may have viewed/copied names, addresses, dates of birth, Medicare IDs, health insurance information, and Social Security numbers. In total, 4.5 million patients were affected by the breach.

The Department of Health and Human Services’ Office for Civil Rights investigated the breach and was satisfied with UCLA Health’s breach response and the technical and administrative safeguards that had been implemented post-breach to improve security.

UCLA Health avoided a financial penalty, but a class action lawsuit was filed on behalf of patients affected by the breach. The plaintiffs alleged UCLA Health failed to inform them about the breach in a timely manner, there had been breach of contract, violations of California’s privacy laws, and that UCLA Health’s failure to protect the privacy of patients constituted negligence.

UCLA Health notified patients about the breach on July 15, 2015, and while this was in line with HIPAA requirements – under 60 days from the discovery that PHI had been compromised – the plaintiffs believed they should have been notified more quickly, given the fact that the breach had occurred 9 months previously.

Under the terms of the settlement, all patients affected by the breach can claim two years of free credit monitoring and identity theft protection services. Patients will also be allowed to submit a claim to recover costs that have been incurred protecting themselves against unauthorized use of their personal and health information and they can also submit a claim to recover losses from fraud and identity theft.

Patients can claim up to $5,000 to cover the costs of protecting their identities and up to $20,000 for any losses or damage caused by identity theft and fraud. $2 million of the $7.5 million settlement has been set aside to cover patients’ claims.  The remaining $5.5 million will be paid into a cybersecurity fund which will be used to improve cybersecurity defenses at UCLA Health.

Patients have until May 20, 2019 to submit an objection or exclude themselves from the settlement. Preventative measure claim forms must be submitted by June 18, 2019 and patients must enroll in the free credit monitoring and identity theft protection services by September 16, 2019. The deadline for submitting claims for the reimbursement of losses is June 18, 2021. The final court hearing on the settlement is scheduled for June 18, 2019.

The post UCLA Health Settles Class Action Data Breach Lawsuit for $7.5 Million appeared first on HIPAA Journal.

California Dentists at Risk of Financial Penalties for Slow Release of Copies of Dental Records

Posted by HIPAA Journal

A recent report from the Dental Board of California has revealed dentists in the state are failing to provide patients with copies of their dental records in a timely manner, in violation of state laws and the Health Insurance Portability and Accountability Act’s (HIPAA) Privacy Rule.

Under state law (BPC §1684.1), dental practices are required to provide patients with a copy of their dental records within 15 days of a request being submitted. HIPAA (45 CFR § 164.524) requires covered dental offices to provide patients with a copy of their dental records within 30 days of the request being submitted. The HIPAA Privacy Rule also requires dentists and other HIPAA-covered entities to provide a copy of records in the format requested by the patient, provided that the request is reasonable, and the practice has the capability to provide records in the requested format.

The Dental Board has the authority to cite and fine practices that are found to have violated state laws and its 2018 Sunset Review Report for the California Legislature says citations have increased by 36% in each of the past 4 fiscal years. The failure to provide copies of dental records before the 15-day deadline is one of the five most commonly cited violations of state laws.

The Dental Board explained that “Citations may be used when patient harm is not found, but the quality of care provided to the consumer is substandard.” The Board can issue fines of up to $500 per day to a maximum of $5,000 for failing to provide copies of dental records to patients within the 15-day deadline.

Dental records can include x-ray images, photographs, test results, models, treatment information, and dentist’s notes, which should all be provided to patients on request. In addition to Dental Board fines, untimely responses to patient requests and the failure to provide copies of health information could result in a financial penalty for noncompliance with HIPAA.

While it would be unusual for state attorneys general to issue financial penalties for this aspect of noncompliance with HIPAA, one of the first financial penalties issued by the Department of Health and Human Services’ Office for Civil Rights (OCR) for noncompliance with HIPAA was for a failure to provide patients with copies of their health records. Cignet Health of Prince George’s County had to pay OCR a $4,300,000 civil monetary penalty in 2011 to resolve the HIPAA violation.

Further, OCR explained at HIMSS19 that one of the aspects of HIPAA noncompliance that will be subject to enforcement actions in 2019 is violations of the HIPAA Privacy Rule’s right of access requirement.

Any dental office found to be routinely denying patients access to their health data or willfully failing to adhere to the 30-day deadline could be issued with a sizable financial penalty for noncompliance.

The post California Dentists at Risk of Financial Penalties for Slow Release of Copies of Dental Records appeared first on HIPAA Journal.

Northwestern Medicine Sued Over Medical Information Disclosure on Twitter

Posted by HIPAA Journal

Northwestern Medicine Regional Medical Group is being sued by a patient whose sensitive medial information was disclosed on Twitter and Facebook.

Gina Graziano discovered some of her sensitive medical information had been disclosed on social media websites and contacted Northwestern Medicine to complain about the privacy investigation.

Northwestern Medicine investigated the complaint and determined that Graziano’s medical records had been accessed on two separate occasions by a hospital employee who had no treatment relationship with Graziano. The records were accessed on March 5 and 6, 2019, using an employee’s login credentials.

Graziano’s medical file contained a range of sensitive information, including her personal details, the reason for a recent visit to the emergency department, lab test results, medications, medical history, imaging results, and other information.

Sensitive information which Graziano did not want to be placed in the public domain was disseminated on social media sites causing her to be publicly humiliated. While Northwestern Medicine did not disclose the name of the employee in the letter sent in response to her complaint, Graziano learned that the individual was Jessica Wagner, the current girlfriend of her ex-boyfriend David Wirth. Both individuals have also been named in the legal action.

In her lawsuit, Wagner is alleged to have accessed Graziano’s medical records for a period of 37 minutes, then impermissibly disclosed some of her medical information to Wagner, who then posted the information on social media sites with intent to cause Graziano harm.

Northwestern Medicine has confirmed that appropriate disciplinary action has been taken against the employee over the HIPAA violation and the Department of Health and Human Services has been notified of the HIPAA breach. It is unclear whether criminal charges have been filed against Wagner. CBS Chicago reports that Wagner was fired over the HIPAA violation.

Northwestern Medicine has issued an apology and has offered Graziano 12 months of credit monitoring services as a precaution against identity theft and fraud.

The post Northwestern Medicine Sued Over Medical Information Disclosure on Twitter appeared first on HIPAA Journal.

Is DocuSign HIPAA Compliant?

Posted by HIPAA Journal

Can DocuSign be used by healthcare organizations in connection with electronic protected health information (ePHI) without violating HIPAA Rules? Is DocuSign HIPAA compliant?

DocuSign is a San Francisco-based provider of electronic signature technology and transaction management services. Via DocuSign, companies can send documents such as contracts to customers and business associates and obtain their electronic signatures to confirm that they have read the document and agree to any terms and conditions contained therein.

In healthcare, eSignature services can streamline administrative tasks and save many hours of chasing up paperwork. The DocuSign solution can be used by healthcare providers for a range of different purposes, including obtaining eSignatures on SLAs, business associate agreements, credentialing forms, and patient consent forms.

However, if the service is used in connection with any electronic protected health information, DocuSign would be classed as a business associate. HIPAA requires all business associates to enter into a HIPAA-compliant business associate agreement with covered entities prior to being provided with or given access to ePHI.

Is DocuSign HIPAA Compliant?

When considering if DocuSign is HIPAA compliant, a key test is whether the company is willing to sign a BAA with a HIPAA-covered entity. On the DocuSign website, the company states that it is prepared to sign a BAA and has already done so with many healthcare providers and life science customers.

DocuSign also confirms that while the company does not access ePHI, any ePHI that passes through its service is secured. DocuSign also confirms that it is in full compliance with the privacy and security requirements of HIPAA and its service meets HHS standards for digital signatures.

In order to obtain a BAA, customers must first sign up for an Enterprise account with DocuSign and they must ensure the signed BAA is obtained prior to using the service with any ePHI.

Provided a BAA is obtained, DocuSign can be considered a HIPAA compliant eSignature service.

The post Is DocuSign HIPAA Compliant? appeared first on HIPAA Journal.

February 2019 Healthcare Data Breach Report

Posted by HIPAA Journal

Healthcare data breaches continued to be reported at a rate of more than one a day in February. February saw 32 healthcare data breaches reported, one fewer than January.

Healthcare data breaches by month

The number of reported breaches may have fell by 3%, but February’s breaches were far more severe. More than 2.11 million healthcare records were compromised in February breaches – A 330% increase from the previous month.

Records exposed in Healthcare data breaches by month

Causes of Healthcare Data Breaches in February 2019

Commonly there is a fairly even split between hacking/IT incidents and unauthorized access/disclosure incidents; however, in February, hacking and IT incidents such as malware infections and ransomware attacks dominated the healthcare data breach reports.

75% of all reported breaches in February (24 incidents) were hacking/IT incidents and those incidents resulted in the theft/exposure of 96.25% of all records that were breached. All but one of the top ten healthcare data breaches in February were due to hacks and IT incidents.

There were four unauthorized access/disclosure incidents and 4 cases of theft of physical or electronic PHI. The unauthorized access/disclosure incidents involved 3.1% of all compromised records and 0.65% of records were compromised in the theft incidents.

Causes of Healthcare data breaches in February 2019

Largest Healthcare Data Breaches in February 2019

The largest healthcare data breach reported in February involved the accidental removal of safeguards on a network server, which allowed the protected health information of more than 973,000 patients of UW Medicine to be exposed on the internet. Files were indexed by the search engines and could be found with simple Google searches. Files stored on the network server were accessible for a period of more than 3 weeks.

The second largest data breach was due to a ransomware attack on Columbia Surgical Specialist of Spokane. While patient information may have been accessed, no evidence was found to suggest any ePHI was stolen by the attackers.

The 326,629-record breach at UConn Health was due to a phishing attack that saw multiple employees’ email accounts compromised, and one email account was compromised in a phishing attack on Rutland Regional Medical Center that contained the ePHi of more than 72,000 patients.

Rank Name of Covered Entity Covered Entity Type Individuals Affected Type of Breach
1 UW Medicine Healthcare Provider 973,024 Hacking/IT Incident
2 Columbia Surgical Specialist of Spokane Healthcare Provider 400,000 Hacking/IT Incident
3 UConn Health Healthcare Provider 326,629 Hacking/IT Incident
4 Rutland Regional Medical Center Healthcare Provider 72,224 Hacking/IT Incident
5 Delaware Guidance Services for Children and Youth, Inc. Healthcare Provider 50,000 Hacking/IT Incident
6 Rush University Medical Center Healthcare Provider 44,924 Unauthorized Access/Disclosure
7 AdventHealth Medical Group Healthcare Provider 42,161 Hacking/IT Incident
8 Reproductive Medicine and Infertility Associates, P.A. Healthcare Provider 40,000 Hacking/IT Incident
9 Memorial Hospital at Gulfport Healthcare Provider 30,642 Hacking/IT Incident
10 Pasquotank-Camden Emergency Medical Service Healthcare Provider 20,420 Hacking/IT Incident

 

Location of Breached Protected Health Information

Email is usually the most common location of compromised PHI, although in February there was a major rise in data breaches due to compromised network servers. 46.88% of all breaches reported in February involved ePHI stored on network servers, 25% involved ePHI stored in email, and 12.5% involved ePHI in electronic medical records.

Location of breached PHI

Healthcare Data Breaches by Covered Entity Type

Healthcare providers were the worst affected by data breaches in February 2019 with 24 incidents reported. There were five breaches reported by health plans, and three breaches reported by business associates of HIPAA-covered entities. A further seven breaches had some business associate involvement.

February 2019 healthcare data breaches by covered entity

Healthcare Data Breaches by State

The healthcare data breaches reported in February were spread across 22 states. California and Florida were the worst affected states with three breaches apiece. Two breaches were reported in each of Illinois, Kentucky, Maryland, Minnesota, Texas, and Washington, and one breach was reported in each of Arizona, Colorado, Connecticut, Delaware, Georgia, Kansas, Massachusetts, Mississippi, Montana, North Carolina, Virginia, Wisconsin, and West Virginia.

HIPAA Enforcement Actions in February 2019

2018 was a record year for HIPAA enforcement actions, although 2019 has started slowly. The HHS’ Office for Civil Rights has not issued any fines nor agreed any HIPAA settlements so far in 2019.

There were no enforcement actions by state attorneys general over HIPAA violations in February. The only 2019 penalty to date is January’s $935.000 settlement between California and Aetna.

The post February 2019 Healthcare Data Breach Report appeared first on HIPAA Journal.

Are Google Home and Google Assistant HIPAA Compliant?

Posted by HIPAA Journal

Can Google Home and Google Assistant be used in medical practices? Is Google Assistant HIPAA compliant or would using it in the workplace constitute a HIPAA violation?

Connected home assistants such as Google Home devices are growing in popularity. According to a 2018 study by market research firm Cognilytica, 51% of people use voice assistants in the car, 39% use them at home, and 1% use them at work. Apple’s Siri has the greatest market share followed by Google Assistant, which powers Google Home smart speakers.

It may be tempting to bring a Google Home device into the office and use it to take notes, get quick answers to questions, launch applications, and schedule reminders and calls. In a normal office environment, a Google Home device could possibly be used, but in healthcare, there is considerable potential for a HIPAA violation.

Virtual assistants are being developed for use in healthcare and they have potential to change how physicians interact with medical records and deliver patient care, but currently most virtual assistants lack the required security safeguards to satisfy the requirements of HIPAA.

Google Home devices can be configured to record audio and video, which in a healthcare setting could easily violate the privacy of patients. If any medical information is dictated or otherwise recorded, that would be classed as a HIPAA violation unless the voice technology was covered by a business associate agreement.

Is Google Assistant HIPAA Compliant?

Google does sign business associate agreements with healthcare companies for a wide range of its products, but currently neither Google Home nor Google Assistant are covered by its BAA. Until such time that Google confirms that its voice assistant meets the requirements of HIPAA and includes devices and the voice technology that power them into its BAA, neither Google Home nor Google Assistant are HIPAA compliant and should not be used in a healthcare setting.

The post Are Google Home and Google Assistant HIPAA Compliant? appeared first on HIPAA Journal.

Is Calendly HIPAA Compliant?

Posted by HIPAA Journal

Calendly is a popular tool that is used by many businesses to schedule meetings and appointments, but can Calendly be used by healthcare organizations? Is Calendly HIPAA compliant?

Businesses can waste a considerable amount of time scheduling appointments and meetings. Lengthy email exchanges and phone tag are commonplace. Calendly aims to eliminate the time wasted attempting to connect with others and the platform can reduce no-show rates through automated email and text reminders. The solution integrates with Google Calendar, iCloud calendar, Office 365, Salesforce, and GoToMeeting and other popular software platforms and can also be integrated directly into business websites to allow customers to schedule appointments directly.

The platform is used by healthcare organizations for scheduling internal meetings, but in order to use Calendly with any electronic protected health information, healthcare organizations would first need to enter into a HIPAA-compliant business associate agreement with Calendly.

Is Calendly HIPAA Compliant?

Calendly explains on its website that the platform is secure and all data uploaded is protected. Data sent to and stored by the scheduling tool is protected by 256-bit encryption and Calendly is hosted on Amazon Web Services, which is a HIPAA-compliant hosting solution. Calendly cannot read medical charts and other private information as it only reads the busy/free status of calendar events to avoid double bookings.

While secure, Calendly explains in the help section of its website that “Calendly should not be used for collecting Protected Health Information” and that the solution should not be used for asking “any personal or medical questions in the question form invitees complete when scheduling.” Calendly also does not sign business associates with HIPAA covered entities.

As such, Calendly is not a HIPAA-compliant scheduling tool. The tool can be used by healthcare organizations, just not in connection with any ePHI. Healthcare organizations should ensure that only HIPAA-compliant scheduling tools are used for booking patient appointments.

The post Is Calendly HIPAA Compliant? appeared first on HIPAA Journal.

Is Evernote HIPAA Compliant?

Posted by HIPAA Journal

Evernote is a useful cloud-based service that allows users to take notes, create to do lists, plan projects, and collaborate with teams, but is Evernote HIPAA compliant? Can Evernote be used in healthcare by physicians and other healthcare professionals without violating HIPAA Rules?

Evernote serves as an easily accessible repository for a wide range of information, including documents, audio files, images, and video files. One of the key features of Evernote which makes it so useful is the ability to automatically synch files and notes across multiple devices.

Evernote is available as a free app or a paid service for businesses and does incorporate access controls and security features such as single sign-on (SSO) and two-factor authentication to prevent unauthorized use of the applications.  Evernote stores data on the Google Cloud platform, which can be HIPAA compliant. Encryption is also supported by Evernote for Mac and Evernote for Windows Desktop. In-note encryption uses an AES 128-bit key.

Evernote is designed to make data sharing as easy as possible, which should raise a red flag if you are thinking about using Evernote with protected health information or files containing protected health information – patients documents or dictated notes for instance.

Is Evernote HIPAA Compliant?

So, with the above security controls, is Evernote HIPAA compliant? While the security controls mentioned above do offer some protection against unauthorized access, they are not currently sufficient to meet the requirements of the HIPAA Security Rule. Further, Evernote does not sign business associate agreements with HIPAA covered entities.

Therefore, Evernote is not a HIPAA compliant note taking app and it should therefore not be used in connection with any protected health information.

There are alternatives that can be used in its place.  You can read more about these on the links below:

Is Google Keep HIPAA Compliant?

Is Microsoft OneNote HIPAA Compliant?

The post Is Evernote HIPAA Compliant? appeared first on HIPAA Journal.