HIPAA Compliance News

Aetna Settles HIV Status Breach Case with California AG for $935,000

Posted by HIPAA Journal

Hartford, CT-based health insurer Aetna has agreed to pay the California Attorney General $935,000 to resolve alleged violations of state laws related to a 2017 privacy violation that exposed state residents’ HIV status.

On July 28, 2017, Aetna’s mailing vendor sent letters to plan members who were receiving HIV medications or pre-exposure prophylaxis to prevent them from contracting HIV. The letters contained instructions for their HIV medications; however, information about the HIV medications was clearly visible through the window of the envelopes, resulting in the impermissible disclosure of highly sensitive information to postal workers, friends, family members, and roommates.  Approximately 12,000 individuals were sent letter, 1,991 of whom lived in California.

The privacy breach was a violation of HIPAA Rules, and according to California Attorney General Xavier Becerra, also a violation of several California laws including the Unfair Competition Law, the Confidentiality of Medical Information Act, the Health and Safety Code (section 120980), and the State Constitution.

In addition to the financial penalty, the settlement agreement requires Aetna to designate an employee to implement and maintain its mailing program, oversee compliance with state and federal laws, and the management of external vendors to ensure they handle medical data in compliance with state and federal laws and Aetna’s policies and procedures. Aetna is also required to complete an annual privacy risk assessment to evaluate compliance with the terms of the settlement for the next three years.

“A person’s HIV status is incredibly sensitive information and protecting that information must be a top priority for the entire healthcare industry,” said Attorney General Bercerra. “Aetna violated the public’s trust by revealing patients’ private and personal medical information.”

The privacy violation has proven expensive for Aetna. In January 2018, Aetna settled a class action lawsuit filed on behalf of victims of the breach for $17,161,200. Also in January, Aetna agreed to pay the New York Attorney General $1,150,000 to settle its case and resolve alleged HIPAA violations and breaches of state law.

A further $640,170.59 was paid to settle a multi-state action by Attorneys General in New Jersey, Connecticut, Washington, and the District of Columbia. The latest settlement brings the total financial penalties issued to date in relation to the breach to $2,725,170.59.

The post Aetna Settles HIV Status Breach Case with California AG for $935,000 appeared first on HIPAA Journal.

Oregon Health Information Property Act Proposes Paying Patients to Share Their Healthcare Data

Posted by HIPAA Journal

The Oregon Health Information Property Act proposes patients should be allowed to give authorization to their healthcare providers to sell on their health data and to receive payment in exchange for allowing their data to be used by third parties.

Currently, the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule limits the allowable uses and disclosures of ‘Protected Health Information.’ HIPAA-covered entities are only permitted to use or disclose PHI for purposes related to the provision of treatment, payment for healthcare, or healthcare operations. While there are some exceptions, other uses and disclosures are prohibited unless consent is first obtained from patients.

The HIPAA Privacy Rule covers PHI, which is identifiable patient information. If PHI is stripped of information that allow an individual to be identified, it is no longer considered PHI and is no longer subject to Privacy Rule controls. That means that if a HIPAA-covered entity de-identifies PHI, they can then sell that information on for profit. That information can be valuable to research organizations and other entities.

Senate Bill 703, dubbed the Oregon Health Information Property Act, is sponsored by Senator Floyd Prozanski (D-Eugene) and has the support of than 40 co-sponsors. Essentially, the bill would see consumers health information treated in a similar way to property and would allow them to profit from its sale.

The Oregon Health Information Property Act

The Oregon Health Information Property Act has three main components:

  1. It would require HIPAA-covered entities and their business associates and subcontractors to obtain a signed authorization from consumers before they de-identify PHI to sell on to third parties.
  2. Consumers could choose if they want to receive payment in exchange for giving authorization to allow their health data to be sold.
  3. The bill also prevents consumers from being discriminated against for refusing to sign an authorization or choosing to receive payment.

HIPAA-covered entities are able to profit from selling de-identified data so it is argued that patients should receive a cut of the payment; however, despite having attracted considerable support, concern has been voiced about the impact of these authorizations.

The bill, in its current form, does not place any limitations on the uses of health data once authorization has been provided. Information could therefore be used for a wide range of purposes once authorization has been given – Reasons that may not necessarily be listed on the authorization form.

The bill also makes no distinction between an individual’s protected health information, health information or de-identified data. By signing a form to receive a small payment, consumers would be relinquishing their privacy and important protections afforded by HIPAA, which could have various unintended repercussions.

The post Oregon Health Information Property Act Proposes Paying Patients to Share Their Healthcare Data appeared first on HIPAA Journal.

Analysis of 2018 Healthcare Data Breaches

Posted by HIPAA Journal

Our 2018 healthcare data breach report reveals healthcare data breach trends, details the main causes of 2018 healthcare data breaches, the largest healthcare data breaches of the year, and 2018 healthcare data breach fines. The report was compiled using data from the Department of Health and Human Services’ Office for Civil Rights (OCR).

2018 Was a Record-Breaking Year for Healthcare Data Breaches

Since October 2009, the Department of Health and Human Services’ Office for Civil Rights has been publishing summaries of U.S. healthcare data breaches. In that time frame, 2,545 healthcare data breaches have been reported. Those breaches have resulted in the theft, exposure, or impermissible disclosure of 194,853,404 healthcare records. That equates to the records of 59.8% of the population of the United States.

The number of reported healthcare data breaches has been steadily increasing each year. Except for 2015, the number of reported healthcare data breaches has increased every year.

Healthcare data breaches 2009-2018

In 2018, 365 healthcare data breaches were reported, up almost 2% from the 358 data breaches reported in 2017 and 83% more breaches that 2010.

2018 was the worst year in terms of the number of breaches experienced, but the fourth worst in terms of the number of healthcare records exposed, behind 2015, 2014, and 2016. The last two years have certainly seen an improvement in that sense, although 2018 saw a 157.67% year-over-year increase in the number of compromised healthcare records.

healthcare records exposed 2009-2018

2018 Healthcare Data Breaches by Month

Healthcare data breaches in 2018 by month

Healthcare Records Exposed Each Month in 2018

records exposed in healthcare data breaches in 2018 by month

Largest 2018 Healthcare Data Breaches

Rank Name of Covered Entity Covered Entity Type Individuals Affected Type of Breach
1  AccuDoc Solutions, Inc. Business Associate 2,652,537 Hacking/IT Incident
2 Iowa Health System d/b/a UnityPoint Health Business Associate 1,421,107 Hacking/IT Incident
3 Employees Retirement System of Texas Health Plan 1,248,263 Unauthorized Access/Disclosure
4 CA Department of Developmental Services Health Plan 582,174 Theft
5 MSK Group Healthcare Provider 566,236 Hacking/IT Incident
6 CNO Financial Group, Inc. Health Plan 566,217 Unauthorized Access/Disclosure
7 LifeBridge Health, Inc Healthcare Provider 538,127 Hacking/IT Incident
8 Health Management Concepts, Inc. Business Associate 502,416 Hacking/IT Incident
9 AU Medical Center, INC Healthcare Provider 417,000 Hacking/IT Incident
10 SSM Health St. Mary’s Hospital – Jefferson City Healthcare Provider 301,000 Improper Disposal

Click for further information on the largest healthcare data breaches of 2018.

Causes of 2018 Healthcare Data Breaches

The biggest causes of healthcare data breaches in 2018 were hacking/IT incidents (43.29%) and unauthorized access/disclosures (39.18%), which together accounted for 82.47% of all data breaches reported in 2018. There were 42 theft incidents (11.5%) reported in 2018, 13 cases (3.56%) of lost PHI/ePHI, and 9 cases (2.47%) of improper disposal of PHI/ePHI.

Causes of 2018 Healthcare Data Breaches

There was a 5.33% annual increase in hacking/IT incidents – 158 breaches compared to 150 in 2017. While the number of hacking/IT-related breaches rose only slightly, the breaches were far more damaging in 2018 and resulted in the theft/exposure of 161.89% more healthcare records. The mean breach size of hacking/IT incidents in 2017 was 23,218 records and in 2018 it rose to 57,727 records in 2018 – A year-over-year increase of 148.63%.

2018 saw an even larger increase in unauthorized access/disclosure incidents. 14.4% more incidents were reported in 2018 than 2017 and 146.49% more healthcare records were exposed in unauthorized access/disclosure incidents than the previous year. The mean breach size of unauthorized access/disclosure incidents in 2017 was 9,893 records and 21,316 records in 2018 – An increase of 115.47%.

Loss, theft, and improper disposal incidents all declined in 2018. Loss incidents fell from 16 to 13 year-over-year (-18.75%), improper disposal incidents fell from 11 to 9 (-18.18%), and theft incidents fell from 56 in 2017 to 42 in 2018 (-25%).

While there was a reduction in the number of cases of theft and improper disposal year-over-year, the severity of those two types of breaches increased in 2018. The mean breach size of theft incidents rose from 6,908 records in 2017 to 16,605 records in 2018 – A rise of 140.37%. Improper disposal incidents increased from a mean of 2,802 records in 2017 to 37,794 records in 2018 – A rise of 1,248.82%.

There was a slight reduction in the severity of loss incidents, which fell from an average of 2,461 records in 2017 to 2,305 – A fall of 6.33%.

records exposed by breach cause

Location of Breached Protected Health Information

The breakdown of 2018 healthcare data breaches by the location of breached PHI highlights the importance of increasing email security and providing further training to healthcare employees. 33.42% of all healthcare data breaches in 2018 involved email. Those breaches include phishing attacks, other unauthorized email access incidents and misdirected emails.
While healthcare organizations may be focused on preventing cyberattacks and improving technical defenses, care must still be taken with physical records. There were 81 breaches of physical PHI such as charts, documents, and films in 2018. Paper/films were involved in 22.19% of breaches.

The next most common location of breached PHI was network servers, which were involved in 20.27% of breaches in 2018. These incidents include hacks, ransomware attacks, and malware-related breaches.

Location of Breached Protected Health Information

2018 Healthcare Data Breaches by Covered Entity Type

Given the relative percentages of healthcare providers to health plans, it is no surprise that more healthcare provider data breaches occurred. 74.79% of the year’s breaches affected healthcare providers, 14.52% occurred at health plans, and 10.68% affected business associates of HIPAA-covered entities.

2018 Healthcare Data Breaches by Covered Entity

Business associate data breaches were the most severe, accounting for 42% of all exposed/stolen records in 2018, followed by healthcare provider breaches and breaches at health plans.  The mean breach size for business associate data breaches was 140,915 records, 53,471 records for health plan data breaches, and 17,974 records for healthcare provider data breaches.

2018 Healthcare Data Breaches by Covered Entity (records)

States Worst Affected By 2018 Healthcare Data Breaches

Being the two most populated states, it is no surprise that California and Texas were the worst affected by healthcare data breaches in 2018. Only four states avoided healthcare data breaches in 2018 – New Hampshire, South Carolina, South Dakota, Vermont.

Number of Breaches State
38 California
32 Texas
19 Illinois
18 Florida
18 Massachusetts
16 New York
14 Missouri
11 Pennsylvania
10 Iowa, Michigan, Minnesota, Wisconsin
9 Maryland, Ohio, Oregon
8 Arizona, North Carolina, Virginia
7 Georgia, New Jersey, Tennessee, Washington
6 Colorado, Kansas, Nevada
5 Arkansas, Indiana, Nebraska, New Mexico, Utah
4 Connecticut, Kentucky
3 Alaska, Louisiana, Mississippi, Montana, Rhone Island
2 Alabama, District of Columbia, Oklahoma, Wyoming
1 Hawaii, Idaho, Maine, North Dakota, West Virginia
0 New Hampshire, South Carolina, South Dakota, Vermont

HIPAA Fines and Settlements in 2018

The HHS’ Office for Civil Rights is the main enforcer of HIPAA Rules and has the authority to issue financial penalties for violations of Health Insurance Portability and Accountability Act (HIPAA) Rules. State attorneys general also play a role in the enforcement of HIPAA compliance and can also issue fines for HIPAA violations.

In 2018, OCR issued 10 financial penalties to resolve HIPAA violations that were discovered during the investigation of healthcare data breaches and complaints.

Summary of 2018 HIPAA Fines and Settlements

The financial penalties issued by OCR in 2018 totaled $25,683,400, making 2018 a record-breaking year for HIPAA penalties.

2018 HIPAA fines and penalties total

12 financial penalties were issued by state attorneys general over violations of HIPAA Rules.

You can read more about the – HIPAA fines and settlements in 2018 here.

The post Analysis of 2018 Healthcare Data Breaches appeared first on HIPAA Journal.

Hospital Associations Call for Industry-Wide Effort to Accelerate Interoperability

Posted by HIPAA Journal

Seven leading hospital associations, including the American Hospital Association (AHA), are calling for an industry-wide effort to improve data sharing. The new report seeks to enlist and expand public and private stakeholder support to accelerate interoperability and help remove the barriers to data sharing.

In order to achieve the full potential of the nation’s healthcare system, health data must flow freely. Only then will it be possible to provide the best possible care to patients, properly engage people in their health, improve public health, and ensure new models of healthcare succeed.

Effective sharing of patient data strengthens care coordination, improves safety and quality, empowers patients and their families, increases efficiency, reduces healthcare costs, and supports the accurate tracking of diseases and the creation of robust public health registries.

The report explains that great progress is being made to improve interoperability of health IT systems and ensure that patients data can be accessed regardless of location or system. 93% of hospitals now allow patients to access their health records online, 87% allow health records to be downloaded by patients, 88% of hospitals send patient records to ambulatory care providers outside their system, and 84% of hospitals allow caregivers to access information on behalf of patients.

Interoperability improvements have required tremendous effort and have come at a significant cost. Progress has been made but hospitals still face substantial barriers that are preventing efficient data sharing. Health IT tools are often expensive, many do not easily support information sharing, and the use of different health IT and EHR systems make it difficult to efficiently share information.

It is now common for healthcare to be delivered across multiple settings and locations. Records generated in doctor’s offices, hospitals, laboratories, medical devices, and in non-clinical settings should all be accessible and capable of being transferred quickly, efficiently, and accurately to create a full patient record that can be accessed by patients and their healthcare providers.

The report notes that diplomats at the United Nations speak a wide variety of languages but, through translators, are able to communicate efficiently and effectively. Mobile phones can communicate with other devices, regardless of make, model, or operating system. Healthcare needs to operate in a similar way.

A final push is required to get interoperability where it needs to be. The challenges that need to be overcome are detailed in the report along with an agenda detailing the pathway to full interoperability.

In order to achieve true interoperability, all industry stakeholders need to collaborate and work toward the common goal. The roles that different stakeholders must play are detailed in the report.

The report – Sharing data, Saving Lives: The Hospital Agenda for Interoperability – can be downloaded on this link.

The post Hospital Associations Call for Industry-Wide Effort to Accelerate Interoperability appeared first on HIPAA Journal.

December 2018 Healthcare Data Breach Report

Posted by HIPAA Journal

November was a particularly bad month for healthcare data breaches, so it is no surprise that there was an improvement in December. November was the worst month of the year in terms of the number of healthcare records exposed (3,230,063) and the second worst for breaches (34). December was the second-best month for healthcare data breaches with 23 incidents reported, only one more than January.

2018 Healthcare Data Breaches

In total, 516,370 records were exposed, impermissibly disclosed, or stolen in breaches reported in December: A considerable improvement on November. Were it not for the late reporting of the Adams County breach, December would have been the best month of the year to date in terms of the records exposed. The Adams County breach was experienced in March 2018, confirmed on June 29, yet reporting to OCR was delayed until December 11.

2018 Healthcare Data Breaches - Records Exposed

Largest Healthcare Data Breaches in December 2018

Rank Name of Covered Entity Covered Entity Type Individuals Affected Type of Breach
1 Adams County Healthcare Provider 258,120 Unauthorized Access/Disclosure
2 JAND Inc. d/b/a Warby Parker Healthcare Provider 177,890 Hacking/IT Incident
3 University of Vermont Health Network – Elizabethtown Community Hospital Healthcare Provider 32,470 Hacking/IT Incident
4 The Podiatric Offices of Bobby Yee Healthcare Provider 24,000 Hacking/IT Incident
5 Choice Rehabilitation Business Associate 4,309 Hacking/IT Incident
6 Virtual Radiologic Professionals, LLC Healthcare Provider 2,568 Hacking/IT Incident
7 Kent County Community Mental Health Authority Healthcare Provider 2,284 Hacking/IT Incident
8 Butler County Board of County Commissioners Health Plan 1,912 Unauthorized Access/Disclosure
9 Barnes-Jewish Hospital Healthcare Provider 1,643 Hacking/IT Incident
10 Tift Regional Medical Center Healthcare Provider 1,045 Hacking/IT Incident

Causes of December 2018 Healthcare Data Breaches

The healthcare industry experiences more insider breaches than other industry sectors, although in December, hacking/IT Incidents outnumbered unauthorized/access disclosure incidents by almost two to one. Eight of the top ten data breaches for the month were hacks, ransomware attacks, and other IT incidents.

While unauthorized access/disclosure incidents usually impact fewer individuals that hacking breaches, that was not the case in December. The largest breach of the month was the unauthorized accessing of a network server by a former employee of Adams County, WI.

In total, 264,049 healthcare records were exposed in the 7 unauthorized access/disclosure incidents reported in December. The mean breach size was 37,721 records and the median breach size was 911 records.

250,404 healthcare records were exposed in the 13 hacking/IT incidents. The mean breach size was 19,261 records and the median breach size was 1,643 records.

There were two theft incidents reported in December and one case of improper disposal of paper records. No lost devices were reported.

Causes of December 2018 Healthcare Data Breaches

Location of Breached Protected Health Information

Phishing attacks continue to plague healthcare organizations and December was no exception. The largest phishing incident reported in December affected 32,470 patients of Elizabethtown Community Hospital. The PHI was contained in a single email account.

Three email accounts were compromised at Kent County Community Mental Health Authority, although they only contained the PHI of 2,200 individuals.

The most common location of breached PHI in December was email, although network server breaches were more severe. The two largest December 2018 healthcare data breaches were network server incidents which impacted 436,010 individuals – 84.43% of the total number of breached records in December.

Location of Breached Protected Health Information

Data Breaches by Covered-Entity Type

Health plans made it through November without reporting any data breaches, although they didn’t fare so well in December. 6 health plan data breaches were announced in December; however, all were relatively small, with only the breach at Butler County Board of County Commissioners impacting more than 1,000 plan members (1,912).

One data breach was reported by a business associate of a HIPAA-covered entity, although a further three breaches had some business associate involvement. The remaining 16 breaches were reported by healthcare providers.

Data Breaches by Covered-Entity Type

Healthcare Data Breaches by State

In December 2018, healthcare organizations in 13 states reported PHI breaches. Minnesota was the worst affected state with a total of four breaches followed by Arizona with three. There were two breaches reported by healthcare organizations based in each of California, Missouri, New York, Ohio, and Wisconsin, and a single breach was experienced in each of Georgia, Illinois, Kentucky, Massachusetts, Michigan, and Pennsylvania.

HIPAA Fines and Settlements in December 2018

The Department of Health and Human Services’ Office for Civil Rights (OCR) agreed two settlements with HIPAA-covered entities in December to resolve violations of HIPAA Rules. OCR finished the year on ten fines and settlements, the same number as 2017. (You can view all 2018 HIPAA fines and settlements here).

Advanced Care Hospitalists, a Florida Contractor Physicians’ Group, was investigated by OCR following the submission of a breach report in April 2014. The report stated the PHI of 400 patients had been subject to unauthorized access, although the number of individuals affected was subsequently increased to 8,855 patients.

OCR confirmed there had been a preventable impermissible disclosure of PHI, and found that a business associate had been engaged without first entering into a business associate agreement. Additionally, insufficient security measures had been implemented and there had been no effort to comply with HIPAA Rules prior to April 1, 2014. Advanced Care Hospitalists and OCR settled the HIPAA violation case for $500,000.

On June 7, 2013, OCR received a complaint about Pagosa Springs Medical Center, a critical access hospital in Colorado, which had failed to terminate access to a web-based scheduling calendar after an employee’s contract had been terminated. The OCR investigation confirmed the former employee accessed the calendar on two occasions after leaving employment.

For the failure to terminate employee access and the lack of a business associate agreement with Google covering Google Calendar resulted in a financial penalty of $111,400 for Pagosa Springs Medical Center.

There were two financial penalties issued by state Attorneys General in December to resolve violations of HIPAA Rules.

The Massachusetts Attorney General fined McLean Hospital $75,000 over a breach of 1,500 patients PHI. The information was stored on backup tapes that had been taken offsite by an employee. When the employee was terminated, McLean Hospital was unable to recover two of the backup tapes.

The New Jersey Attorney General issued a financial penalty of $100,000 to EmblemHealth over an impermissible disclosure of PHI. In 2016, an EmblemHealth mailing had Social Security numbers printed on the outside of envelopes. This was the second fine for EmblemHealth in relation to the breach. The New York Attorney General had previously settled its case with EmblemHealth for $575,000 earlier in the year.

 

The post December 2018 Healthcare Data Breach Report appeared first on HIPAA Journal.

Department of Defense Health Agency Security Failures Placed Patient Health Information at Risk

Posted by HIPAA Journal

According to a recent Department of Defense (DoD) Office of Inspector General report (PDF), the Defense Health Agency (DHA) failed to consistently implement security protocols to protect against the unauthorized accessing of systems that stored, processed, and transmitted electronic health records and other sensitive patient information.

The failures are detailed in the DoD OIG Report – DODIG-2017-085, “Protection of Electronic Patient Health Information at Army Military Treatment Facilities.”

The DoD OIG found that Common Access Cards (CACs) were not used to access three DoD EHR systems and two Army-specific systems. System administrators claimed that the CAC software was not compatible with some of the software used by older systems and it was not possible for multiple users to login and out of the system without rebooting local terminals.

DoD password complexity requirements had been set; however, the DHA failed to comply with those requirements for its Clinical Information System/Essentris Inpatient System and two Army-specific systems. System administrators believed that existing network authentication requirements were sufficient to control access.

Three further cybersecurity failures were identified at the Brooke Army Medical Center, Evans Army Community Hospital, and Kimbrough Ambulatory Care Center. Network and system administrators failed to grant user access to three EHR systems and four Army-specific systems based on assigned duties, did not require user justifications for access, and did not align user responsibilities to specific system roles.

Five Army-specific systems and two EHR systems were not configured to lock users out after 15 minutes of inactivity. According to the report, the CIOs in those facilities failed to implement to lockout as they did not want to negatively affect system availability.

Additionally, standard operating procedures were not developed to manage access to systems as they did not consider documented procedures to be necessary.

According to the DoD OIG, “Without well-defined, effectively implemented system security protocols, the DHA and Army introduced unnecessary risks that could compromise the integrity, confidentiality, and availability of patient health information.”

The DoD OIG pointed out that the failure to implement security protocols and the ineffective application of security protocols increases the risk of a cyberattack, data breach, loss of data, data manipulation, and unauthorized disclosures of patients’ health information.

In addition to threat to the confidentiality, integrity, and availability of patient data, the failure to adhere to HIPAA Rules exposed the Defense Health Agency to HIPAA compliance fines  of up to $1.5 million, per violation category, per year.

The DoD OIG made 39 NIST Cybersecurity Framework-based recommendations to correct the security failures, which included use of CACs when accessing DoD EHR and Army-specific systems and to ensure that password complexity requirements were met for those systems.

Three of the recommendations were closed after the DHA Chief of Staff provided reports from the three sites detailing one or more specific security-related performance standards for complying with security requirements and protecting patients’ PHI. One of the standards was to hold CIOs accountable for the protection of patient health information.

According to the DoD OIG, six of the recommendations remained unresolved as the measures implemented failed to address the identified issues. On September 30, 2018, 36 of the recommendations remained open.

The post Department of Defense Health Agency Security Failures Placed Patient Health Information at Risk appeared first on HIPAA Journal.

Physician Receives Probation for Criminal HIPAA Violation

Posted by HIPAA Journal

A physician who pleaded guilty to a criminal violation of HIPAA Rules has received 6 months’ probation rather than a jail term and fine for the wrongful disclosure of patients’ PHI to a pharmaceutical firm.

The case was prosecuted by the Department of Justice in Massachusetts in conjunction with a case against Massachusetts-based pharma firm Aegerion.

In September 2017, the Novelion Therapeutics subsidiary Aegerion agreed to plead guilty to mis-branding the prescription drug Juxtapid. The case also included deferred prosecution related to criminal liability under HIPAA for causing false claims to be submitted to federal healthcare programs for the drug.

Aegerion admitted to conspiring to obtain the individually identifiable health information of patients without authorization for financial gain, in violation of 42 U.S.C. §§ 1320d-6(a) and 1320-6(b)(3) and HIPAA Rules. Aegerion agreed to pay more than $35 million in fines to resolve criminal and civil liability.

The DOJ also charged a Georgia-based pediatric cardiologist with criminal violations of HIPAA Rules for allowing a sales representative of Aegerion to access the confidential health information of patients without first obtaining patient consent. The sales rep was allowed to view the information of patients who had not been diagnosed with a medical condition that could be treated with Juxtapid (lomitapide) in order to identify new potential candidates for the drug.

This is the second such criminal HIPAA violation case in Massachusetts in the past four months to result in probation rather than a jail term or fine. In September, Massachusetts gynecologist Rita Luthra was given 1 year of probation over payments received by a pharmaceutical firm (Warner Chilcott) for providing sales reps with access to the individually identifiable health information of patients for financial gain. While prosecutors were pushing for a fine and a jail term to act as a deterrent, Judge Mastroianni explained in his ruling, “Her loss of license and ability to practice is a substantial deterrent.”

While probation was received in both of these cases, a substantial fine, jail term, and loss of license are real possibilities for physicians found to have criminally violated HIPAA Rules. Both physicians could have received a fine of up to $50,000 for the violations and up to one year in jail.

The post Physician Receives Probation for Criminal HIPAA Violation appeared first on HIPAA Journal.

OCR Seeks Permanent Deputy Director for Health Information Privacy

Posted by HIPAA Journal

The U.S. Department of Health and Human Services’ Office for Civil Rights has advertised for a permanent Deputy Director for Health Information Privacy. The position was posted on USAJOBS on January 14, 2019.

The last permanent Deputy Director was Deven McGraw, who left OCR in October 2017 for the private sector. Iliana Peters, OCR’s Senior Advisor for Compliance and Enforcement, took on the role of acting Deputy Director for Health Information Privacy but also left the post for the private sector in February 2018. Timothy Noonan, the former regional manager for the HHS Office for Civil Rights in Atlanta, replaced Peters in February 2018.

The role involves leading OCR’s day-to-day HIPAA privacy and security program operations, development of privacy and security policies, administrative rulemaking, interpretation of current regulations, providing technical assistance to the department’s regional offices, and coordinating HIPAA Privacy and Security Rule compliance activities to ensure consistent application of policies across all regional offices.

The Deputy Director for Health Information Privacy is a key player in the development of departmental policies, legislative, and regulatory proposals, and special OCR initiatives to ensure health information is protected and remains private.

The role involves advising OCR Director Roger Severino and senior OCR officials on HIPAA policies and application of those policies. The successful applicant will be required to work closely with the OCR Director and assist with the planning, organization, and formulation of policies and procedures for OCR and health privacy and security policies across the HHS.

According to the posting, the Deputy Director represents the Director and OCR on health information privacy and security matters and coordinates work where problems and issues involve more than one component of the HHS. The Deputy Director is also required to maintain relationships concerning health information privacy and security issues at a number of senior management levels.

Applications are being accepted until February 5, 2019.

The post OCR Seeks Permanent Deputy Director for Health Information Privacy appeared first on HIPAA Journal.

Summary of 2018 HIPAA Fines and Settlements

Posted by HIPAA Journal

This post summarizes the 2018 HIPAA fines and settlements that have resulted from the enforcement activities of the Department of Health and Human Services’ Office for Civil Rights (OCR) and state attorneys general.

Another Year of Heavy OCR HIPAA Enforcement

In 2016, there was a significant increase in HIPAA files and settlements compared to the previous year. In 2016, one civil monetary penalty was issued by OCR and 12 settlements were agreed with HIPAA covered entities and their business associates. In 2015, OCR only issued 6 financial penalties.

The high level of HIPAA enforcement continued in 2017 with 9 settlements agreed and one civil monetary penalty issued.

While there were two settlements agreed in February 2018 to resolve HIPAA violations, there were no further settlements or penalties until June. By the end of the summer it was looking like OCR had eased up on healthcare organizations that failed to comply with HIPAA Rules.

However, in September, a trio of settlements were agreed with hospitals that had allowed a film crew to record footage of patients without first gaining consent. Further settlements were agreed in October, November, and December and OCR finished the year on one civil monetary penalty and 9 settlements to resolve HIPAA violations.

Summary of 2018 HIPAA Fines and Settlements

While 2018 was not a record-breaking year in terms of the number of financial penalties for HIPAA violations, it was a record-breaker in terms of the total penalty amounts paid. OCR received $25,683,400 in financial penalties in 2018. The mean financial penalty was $2,568,340.

2018 HIPAA fines and penalties total

The median HIPAA fine in 2018 was $442,000: Much lower than 2017 median of $2,250,000. It was also the lowest median fine amount of the last 5 years, although 2018 did see the largest ever HIPAA violation penalty.

In October 2018, Anthem Inc., settled its HIPAA violation case with OCR for $16,000,000. The massive fine was due to the extent of the HIPAA violations discovered by OCR and the scale of its 2015 data breach, which saw the protected health information of around 78,800,000 plan members stolen by hackers.

2018 HIPAA Fines and Settlements

Year Covered Entity Amount Settlement/CMP Reason
February 2018 Fresenius Medical Care North America $3,500,000 Settlement Risk analysis failures, impermissible disclosure of ePHI; Lack of policies covering electronic devices; Lack of encryption; Insufficient security policies; Insufficient physical safeguards
February 2018 Filefax, Inc. $100,000 Settlement Impermissible disclosure of PHI
June 2018 University of Texas MD Anderson Cancer Center $4,348,000 Civil Monetary Penalty Impermissible disclosure of ePHI; No Encryption
September 18 Massachusetts General Hospital $515,000 Settlement Filming patients without consent
September 18 Brigham and Women’s Hospital $384,000 Settlement Filming patients without consent
September 18 Boston Medical Center $100,000 Settlement Filming patients without consent
October 2018 Anthem Inc $16,000,000 Settlement Risk Analysis failures; Insufficient reviews of system activity; Failure related to response to a detected breach; Insufficient technical controls to prevent unauthorized ePHI access
November 2018 Allergy Associates of Hartford $125,000 Settlement PHI disclosure to reporter; No sanctions against employee
December 2018 Advanced Care Hospitalists $500,000 Settlement Impermissible PHI Disclosure; No BAA; Insufficient security measures; No HIPAA compliance efforts prior to April 1, 2014
December 2018 Pagosa Springs Medical Center $111,400 Settlement Failure to terminate employee access; No BAA

State Attorneys General HIPAA Enforcement Activities

It is difficult to obtain meaningful statistics on HIPAA fines and settlements by state attorneys general. While state attorneys general can issue fines for violations of HIPAA Rules, in many cases, financial penalties instead issued for violations of state laws. That said, 2018 did see a major increase in HIPAA enforcement activity by state attorneys general.

There were 12 HIPAA-related financial penalties issued in 2018 by state attorneys general. The New Jersey attorney general was the most active HIPAA enforcer behind OCR with 4 HIPAA fines, followed by New York with 3, Massachusetts with 2, and 1 financial penalty issued by each of Connecticut, District of Columbia, and Washington.

The largest attorney general HIPAA fine of 2018 – Aetna’s $1,150,000 penalty – was issued by New York. Aetna was also fined a total of $640,171 in a multi-state action by Connecticut, New Jersey, Washington, and the District of Columbia. Washington has yet to agree to a settlement amount with Aetna.

EmblemHealth was fined a total of $675,000 for a 2016 data breach: $575,000 by New York and $100,000 by New Jersey.

State Covered Entity Amount State Residents Affected
Massachusetts McLean Hospital $75,000 1,500
New Jersey EmblemHealth $100,000 6,443
New Jersey Best Transcription Medical $200,000 1,650
Washington Aetna TBA* 13,160 (multi-state total)
Connecticut Aetna $99,959 13,160 (multi-state total)
New Jersey Aetna $365,211.59 13,160 (multi-state total)
District of Columbia Aetna $175,000 13,160 (multi-state total)
Massachusetts UMass Memorial Medical Group / UMass Memorial Medical Center $230,000 15,000
New York Arc of Erie County $200,000 3,751
New Jersey Virtua Medical Group $417,816 1,654
New York EmblemHealth $575,000 81,122
New York Aetna $1,150,000 13,160 (multi-state total)

*Washington yet to determine settlement amount

The post Summary of 2018 HIPAA Fines and Settlements appeared first on HIPAA Journal.