HIPAA Compliance News

Northwestern Medicine Sued Over Medical Information Disclosure on Twitter

Posted by HIPAA Journal

Northwestern Medicine Regional Medical Group is being sued by a patient whose sensitive medial information was disclosed on Twitter and Facebook.

Gina Graziano discovered some of her sensitive medical information had been disclosed on social media websites and contacted Northwestern Medicine to complain about the privacy investigation.

Northwestern Medicine investigated the complaint and determined that Graziano’s medical records had been accessed on two separate occasions by a hospital employee who had no treatment relationship with Graziano. The records were accessed on March 5 and 6, 2019, using an employee’s login credentials.

Graziano’s medical file contained a range of sensitive information, including her personal details, the reason for a recent visit to the emergency department, lab test results, medications, medical history, imaging results, and other information.

Sensitive information which Graziano did not want to be placed in the public domain was disseminated on social media sites causing her to be publicly humiliated. While Northwestern Medicine did not disclose the name of the employee in the letter sent in response to her complaint, Graziano learned that the individual was Jessica Wagner, the current girlfriend of her ex-boyfriend David Wirth. Both individuals have also been named in the legal action.

In her lawsuit, Wagner is alleged to have accessed Graziano’s medical records for a period of 37 minutes, then impermissibly disclosed some of her medical information to Wagner, who then posted the information on social media sites with intent to cause Graziano harm.

Northwestern Medicine has confirmed that appropriate disciplinary action has been taken against the employee over the HIPAA violation and the Department of Health and Human Services has been notified of the HIPAA breach. It is unclear whether criminal charges have been filed against Wagner. CBS Chicago reports that Wagner was fired over the HIPAA violation.

Northwestern Medicine has issued an apology and has offered Graziano 12 months of credit monitoring services as a precaution against identity theft and fraud.

The post Northwestern Medicine Sued Over Medical Information Disclosure on Twitter appeared first on HIPAA Journal.

Is DocuSign HIPAA Compliant?

Posted by HIPAA Journal

Can DocuSign be used by healthcare organizations in connection with electronic protected health information (ePHI) without violating HIPAA Rules? Is DocuSign HIPAA compliant?

DocuSign is a San Francisco-based provider of electronic signature technology and transaction management services. Via DocuSign, companies can send documents such as contracts to customers and business associates and obtain their electronic signatures to confirm that they have read the document and agree to any terms and conditions contained therein.

In healthcare, eSignature services can streamline administrative tasks and save many hours of chasing up paperwork. The DocuSign solution can be used by healthcare providers for a range of different purposes, including obtaining eSignatures on SLAs, business associate agreements, credentialing forms, and patient consent forms.

However, if the service is used in connection with any electronic protected health information, DocuSign would be classed as a business associate. HIPAA requires all business associates to enter into a HIPAA-compliant business associate agreement with covered entities prior to being provided with or given access to ePHI.

Is DocuSign HIPAA Compliant?

When considering if DocuSign is HIPAA compliant, a key test is whether the company is willing to sign a BAA with a HIPAA-covered entity. On the DocuSign website, the company states that it is prepared to sign a BAA and has already done so with many healthcare providers and life science customers.

DocuSign also confirms that while the company does not access ePHI, any ePHI that passes through its service is secured. DocuSign also confirms that it is in full compliance with the privacy and security requirements of HIPAA and its service meets HHS standards for digital signatures.

In order to obtain a BAA, customers must first sign up for an Enterprise account with DocuSign and they must ensure the signed BAA is obtained prior to using the service with any ePHI.

Provided a BAA is obtained, DocuSign can be considered a HIPAA compliant eSignature service.

The post Is DocuSign HIPAA Compliant? appeared first on HIPAA Journal.

February 2019 Healthcare Data Breach Report

Posted by HIPAA Journal

Healthcare data breaches continued to be reported at a rate of more than one a day in February. February saw 32 healthcare data breaches reported, one fewer than January.

Healthcare data breaches by month

The number of reported breaches may have fell by 3%, but February’s breaches were far more severe. More than 2.11 million healthcare records were compromised in February breaches – A 330% increase from the previous month.

Records exposed in Healthcare data breaches by month

Causes of Healthcare Data Breaches in February 2019

Commonly there is a fairly even split between hacking/IT incidents and unauthorized access/disclosure incidents; however, in February, hacking and IT incidents such as malware infections and ransomware attacks dominated the healthcare data breach reports.

75% of all reported breaches in February (24 incidents) were hacking/IT incidents and those incidents resulted in the theft/exposure of 96.25% of all records that were breached. All but one of the top ten healthcare data breaches in February were due to hacks and IT incidents.

There were four unauthorized access/disclosure incidents and 4 cases of theft of physical or electronic PHI. The unauthorized access/disclosure incidents involved 3.1% of all compromised records and 0.65% of records were compromised in the theft incidents.

Causes of Healthcare data breaches in February 2019

Largest Healthcare Data Breaches in February 2019

The largest healthcare data breach reported in February involved the accidental removal of safeguards on a network server, which allowed the protected health information of more than 973,000 patients of UW Medicine to be exposed on the internet. Files were indexed by the search engines and could be found with simple Google searches. Files stored on the network server were accessible for a period of more than 3 weeks.

The second largest data breach was due to a ransomware attack on Columbia Surgical Specialist of Spokane. While patient information may have been accessed, no evidence was found to suggest any ePHI was stolen by the attackers.

The 326,629-record breach at UConn Health was due to a phishing attack that saw multiple employees’ email accounts compromised, and one email account was compromised in a phishing attack on Rutland Regional Medical Center that contained the ePHi of more than 72,000 patients.

Rank Name of Covered Entity Covered Entity Type Individuals Affected Type of Breach
1 UW Medicine Healthcare Provider 973,024 Hacking/IT Incident
2 Columbia Surgical Specialist of Spokane Healthcare Provider 400,000 Hacking/IT Incident
3 UConn Health Healthcare Provider 326,629 Hacking/IT Incident
4 Rutland Regional Medical Center Healthcare Provider 72,224 Hacking/IT Incident
5 Delaware Guidance Services for Children and Youth, Inc. Healthcare Provider 50,000 Hacking/IT Incident
6 Rush University Medical Center Healthcare Provider 44,924 Unauthorized Access/Disclosure
7 AdventHealth Medical Group Healthcare Provider 42,161 Hacking/IT Incident
8 Reproductive Medicine and Infertility Associates, P.A. Healthcare Provider 40,000 Hacking/IT Incident
9 Memorial Hospital at Gulfport Healthcare Provider 30,642 Hacking/IT Incident
10 Pasquotank-Camden Emergency Medical Service Healthcare Provider 20,420 Hacking/IT Incident

 

Location of Breached Protected Health Information

Email is usually the most common location of compromised PHI, although in February there was a major rise in data breaches due to compromised network servers. 46.88% of all breaches reported in February involved ePHI stored on network servers, 25% involved ePHI stored in email, and 12.5% involved ePHI in electronic medical records.

Location of breached PHI

Healthcare Data Breaches by Covered Entity Type

Healthcare providers were the worst affected by data breaches in February 2019 with 24 incidents reported. There were five breaches reported by health plans, and three breaches reported by business associates of HIPAA-covered entities. A further seven breaches had some business associate involvement.

February 2019 healthcare data breaches by covered entity

Healthcare Data Breaches by State

The healthcare data breaches reported in February were spread across 22 states. California and Florida were the worst affected states with three breaches apiece. Two breaches were reported in each of Illinois, Kentucky, Maryland, Minnesota, Texas, and Washington, and one breach was reported in each of Arizona, Colorado, Connecticut, Delaware, Georgia, Kansas, Massachusetts, Mississippi, Montana, North Carolina, Virginia, Wisconsin, and West Virginia.

HIPAA Enforcement Actions in February 2019

2018 was a record year for HIPAA enforcement actions, although 2019 has started slowly. The HHS’ Office for Civil Rights has not issued any fines nor agreed any HIPAA settlements so far in 2019.

There were no enforcement actions by state attorneys general over HIPAA violations in February. The only 2019 penalty to date is January’s $935.000 settlement between California and Aetna.

The post February 2019 Healthcare Data Breach Report appeared first on HIPAA Journal.

Are Google Home and Google Assistant HIPAA Compliant?

Posted by HIPAA Journal

Can Google Home and Google Assistant be used in medical practices? Is Google Assistant HIPAA compliant or would using it in the workplace constitute a HIPAA violation?

Connected home assistants such as Google Home devices are growing in popularity. According to a 2018 study by market research firm Cognilytica, 51% of people use voice assistants in the car, 39% use them at home, and 1% use them at work. Apple’s Siri has the greatest market share followed by Google Assistant, which powers Google Home smart speakers.

It may be tempting to bring a Google Home device into the office and use it to take notes, get quick answers to questions, launch applications, and schedule reminders and calls. In a normal office environment, a Google Home device could possibly be used, but in healthcare, there is considerable potential for a HIPAA violation.

Virtual assistants are being developed for use in healthcare and they have potential to change how physicians interact with medical records and deliver patient care, but currently most virtual assistants lack the required security safeguards to satisfy the requirements of HIPAA.

Google Home devices can be configured to record audio and video, which in a healthcare setting could easily violate the privacy of patients. If any medical information is dictated or otherwise recorded, that would be classed as a HIPAA violation unless the voice technology was covered by a business associate agreement.

Is Google Assistant HIPAA Compliant?

Google does sign business associate agreements with healthcare companies for a wide range of its products, but currently neither Google Home nor Google Assistant are covered by its BAA. Until such time that Google confirms that its voice assistant meets the requirements of HIPAA and includes devices and the voice technology that power them into its BAA, neither Google Home nor Google Assistant are HIPAA compliant and should not be used in a healthcare setting.

The post Are Google Home and Google Assistant HIPAA Compliant? appeared first on HIPAA Journal.

Is Calendly HIPAA Compliant?

Posted by HIPAA Journal

Calendly is a popular tool that is used by many businesses to schedule meetings and appointments, but can Calendly be used by healthcare organizations? Is Calendly HIPAA compliant?

Businesses can waste a considerable amount of time scheduling appointments and meetings. Lengthy email exchanges and phone tag are commonplace. Calendly aims to eliminate the time wasted attempting to connect with others and the platform can reduce no-show rates through automated email and text reminders. The solution integrates with Google Calendar, iCloud calendar, Office 365, Salesforce, and GoToMeeting and other popular software platforms and can also be integrated directly into business websites to allow customers to schedule appointments directly.

The platform is used by healthcare organizations for scheduling internal meetings, but in order to use Calendly with any electronic protected health information, healthcare organizations would first need to enter into a HIPAA-compliant business associate agreement with Calendly.

Is Calendly HIPAA Compliant?

Calendly explains on its website that the platform is secure and all data uploaded is protected. Data sent to and stored by the scheduling tool is protected by 256-bit encryption and Calendly is hosted on Amazon Web Services, which is a HIPAA-compliant hosting solution. Calendly cannot read medical charts and other private information as it only reads the busy/free status of calendar events to avoid double bookings.

While secure, Calendly explains in the help section of its website that “Calendly should not be used for collecting Protected Health Information” and that the solution should not be used for asking “any personal or medical questions in the question form invitees complete when scheduling.” Calendly also does not sign business associates with HIPAA covered entities.

As such, Calendly is not a HIPAA-compliant scheduling tool. The tool can be used by healthcare organizations, just not in connection with any ePHI. Healthcare organizations should ensure that only HIPAA-compliant scheduling tools are used for booking patient appointments.

The post Is Calendly HIPAA Compliant? appeared first on HIPAA Journal.

Is Evernote HIPAA Compliant?

Posted by HIPAA Journal

Evernote is a useful cloud-based service that allows users to take notes, create to do lists, plan projects, and collaborate with teams, but is Evernote HIPAA compliant? Can Evernote be used in healthcare by physicians and other healthcare professionals without violating HIPAA Rules?

Evernote serves as an easily accessible repository for a wide range of information, including documents, audio files, images, and video files. One of the key features of Evernote which makes it so useful is the ability to automatically synch files and notes across multiple devices.

Evernote is available as a free app or a paid service for businesses and does incorporate access controls and security features such as single sign-on (SSO) and two-factor authentication to prevent unauthorized use of the applications.  Evernote stores data on the Google Cloud platform, which can be HIPAA compliant. Encryption is also supported by Evernote for Mac and Evernote for Windows Desktop. In-note encryption uses an AES 128-bit key.

Evernote is designed to make data sharing as easy as possible, which should raise a red flag if you are thinking about using Evernote with protected health information or files containing protected health information – patients documents or dictated notes for instance.

Is Evernote HIPAA Compliant?

So, with the above security controls, is Evernote HIPAA compliant? While the security controls mentioned above do offer some protection against unauthorized access, they are not currently sufficient to meet the requirements of the HIPAA Security Rule. Further, Evernote does not sign business associate agreements with HIPAA covered entities.

Therefore, Evernote is not a HIPAA compliant note taking app and it should therefore not be used in connection with any protected health information.

There are alternatives that can be used in its place.  You can read more about these on the links below:

Is Google Keep HIPAA Compliant?

Is Microsoft OneNote HIPAA Compliant?

The post Is Evernote HIPAA Compliant? appeared first on HIPAA Journal.

Is Return Path HIPAA Compliant?

Posted by HIPAA Journal

Return Path is an email marketing and optimization platform that allows businesses to automate and analyze their email marketing campaigns but is Return Path HIPAA compliant? Can the email marketing platform be used by healthcare organizations without violating HIPAA Rules?

Sending Marketing Emails to Patients and Health Plan Members

Before any healthcare organization can use an email service for sending marketing emails that contain electronic protected health information (ePHI) they must first:

  • Obtain consent from patients/plan members to receive marketing communications
  • Ensure that the service provider has appropriate security controls to protect the confidentiality of ePHI stored by or used by the platform
  • Ensure that ePHI can be uploaded to the platform securely without placing the information at risk of compromise
  • Enter into a HIPAA-compliant business associate agreement (BAA) with the service provider

Marketing messages are not included in the HIPAA Privacy Rule’s TPO definition. Consent must be obtained in writing from patients/members before ePHI can be used for marketing purposes.

A BAA is required, as the uploading of ePHI to a mailing service counts as a disclosure of ePHI. The service provider is considered a business associate and is required to be informed of its responsibilities with respect to HIPAA and must agree to abide by HIPAA Rules.

Provided the above conditions are met, a HIPAA-covered entity can use a third-party platform for sending marketing emails.

Is Return Path HIPAA Compliant?

Return Path naturally has a range of security protections in place to ensure the confidentiality, integrity, and availability data uploaded to its platform. However, Return Path makes no mention of HIPAA or business associate agreements in its terms and conditions.

Return Path also states in its T&Cs that it is the responsibility of users of its platform to ensure they comply with appropriate laws and regulations.

So, is Return Path HIPAA compliant? Without a BAA, Return Path is not a HIPAA compliant email service and cannot therefore be used in connection with any ePHI.

The post Is Return Path HIPAA Compliant? appeared first on HIPAA Journal.

Is Mandrill HIPAA Compliant?

Posted by HIPAA Journal

Is Mandrill HIPAA compliant? Can MailChimp’s transactional email service be used by healthcare organizations without violating HIPAA Rules?

Use of Mandrill by Healthcare Organizations

Mandrill is a transactional email offering from MailChimp, the leading automated email marketing platform. Mandrill allows businesses to automatically send emails to customers and individuals that interact with their web apps and connects to MailChimp via an API.

Transactional emails differ from marketing emails in that they are programmed to be triggered by events such as password resets, confirmation of placement of orders, welcome messages, and sending receipts. In contrast to marketing emails, which require an opt-in from patients/plan members under HIPAA Rules, in most cases, transactional emails do not.

That does not mean that there are no HIPAA issues for healthcare organizations that are considering using Mandrill. Any email service used by a healthcare organization that requires electronic protected health information (ePHI) to be uploaded would have to have privacy and security safeguards built into the platform to prevent unauthorized ePHI access and an audit trail would need to be maintained. Any ePHI uploaded would need to be secured in transit, and stored data would need to be encrypted.

If the service is to be used with any ePHI, the service provider would be classed as a business associate and a business associate agreement would therefore be required.

Most service providers that support HIPAA compliance and are prepared to enter into a business associate agreement with HIPAA-covered entities make it clear that they support HIPAA compliance and offer a BAA.

Is Mandrill HIPAA Compliant?

Users of Mandrill are bound by the terms and conditions of MailChimp. You can find out more about Mailchimp and HIPAA compliance here, but to summarize that post, MailChimp states that “You’re responsible for determining whether the Service is suitable for you to use in light of your obligations under any regulations like HIPAA” and since, at the time of writing, MailChimp does not offer a BAA, neither MailChimp or Mandrill are HIPAA compliant.

MailChimp and Mandrill can be used by healthcare organizations, but since they are not HIPAA compliant they cannot be used in connection with any ePHI.

The post Is Mandrill HIPAA Compliant? appeared first on HIPAA Journal.

Former Patient Care Coordinator Pleads Guilty to Disclosing Patients’ PHI with Intent to Cause Harm

Posted by HIPAA Journal

A former employee of an affiliate of University of Pittsburgh Medical Center (UPMC) who was discovered to have accessed the medical records of patients without authorization has pleaded guilty to one count of wrongful disclosure of health information and now faces a fine and jail term for the HIPAA violation.

Ms. Linda Sue Kalina, 61, of Butler, PA, had previously worked as a patient care coordinator at Tri Rivers Musculoskeletal (TRM) between March 7, 2016 and June 23, 2017 before moving to Allegheny Health Network (AHN) where she worked from July 24, 2017 to August 17, 2017.

Between December 2016 and August 2017, Ms. Kalina was accused of accessing the files of 111 UPMC patients and 2 AHN patients without authorization or any legitimate work reason for doing so. According to her indictment, she also disclosed the PHI of four of those patients to individuals not authorized to receive the information.

Prior to working at TRM, Ms. Kalina had been employed at Frank J. Zottola Construction for 24 years until she was fired from the position of office manager. While at TRM and AHN, Ms. Kalina had impermissibly accessed the medical records of employees of the construction firm, including the gynecological records of the woman who replaced her.

Ms. Kalina was accused of sending an email to the company controller in June 2017 in which she disclosed the woman’s gynecological records and also left a voicemail revealing information from those records to another Zottola employee in August 2017.

Zottola contacted UPMC to complain about the privacy violation, and after an internal investigation, Ms. Kalina was fired. The HIPAA violation case was then pursued by the Department of Justice.

Ms. Kalina was indicted on six counts in the summer of 2018 in relation to wrongfully obtaining and disclosing PHI in violation of HIPAA, including disclosing PHI with intent to cause malicious harm.

In federal court, Ms. Kalina pleaded guilty to one count of wrongful disclosure of ePHI with intent to cause harm – leaving the voicemail message and admitted having accessed the medical records of more than 100 individuals without authorization.

U.S. District Judge Arthur Schwab agreed to release Ms. Kalina on bond pending sentencing on June 25, 2019. Ms. Kalina was ordered not to make contact with any of the victims and the victims were instructed not to make contact with Ms. Kalina.

Ms. Kalina faces a fine of up to $250,000 for the HIPAA violations and a sentence of up to 10 years in jail.

The post Former Patient Care Coordinator Pleads Guilty to Disclosing Patients’ PHI with Intent to Cause Harm appeared first on HIPAA Journal.