HIPAA Compliance News

February 2019 Healthcare Data Breach Report

Healthcare data breaches continued to be reported at a rate of more than one a day in February. February saw 32 healthcare data breaches reported, one fewer than January.

Healthcare data breaches by month

The number of reported breaches may have fallen by 3%, but February’s breaches were far more severe. More than 2.11 million healthcare records were compromised in February breaches, a 330% increase from the previous month.

Records exposed in Healthcare data breaches by month

Causes of Healthcare Data Breaches in February 2019

Commonly there is a fairly even split between hacking/IT incidents and unauthorized access/disclosure incidents; however, in February, hacking and IT incidents such as malware infections and ransomware attacks dominated the healthcare data breach reports.

75% of all reported breaches in February (24 incidents) were hacking/IT incidents, and those incidents accounted for the theft or exposure of 96.25% of all breached records. All but one of the top ten healthcare data breaches in February were due to hacks and IT incidents.

There were four unauthorized access/disclosure incidents and four cases of theft of physical or electronic PHI. The unauthorized access/disclosure incidents involved 3.1% of all compromised records, and 0.65% of records were compromised in the theft incidents.

Causes of Healthcare data breaches in February 2019

Largest Healthcare Data Breaches in February 2019

The largest healthcare data breach reported in February involved the accidental removal of safeguards on a network server, which allowed the protected health information of more than 973,000 patients of UW Medicine to be exposed on the internet. Files were indexed by the search engines and could be found with simple Google searches. Files stored on the network server were accessible for a period of more than 3 weeks.

The second largest data breach was due to a ransomware attack on Columbia Surgical Specialist of Spokane. While patient information may have been accessed, no evidence was found to suggest any ePHI was stolen by the attackers.

The 326,629-record breach at UConn Health was due to a phishing attack in which multiple employees’ email accounts were compromised. A phishing attack on Rutland Regional Medical Center compromised a single email account that contained the ePHI of more than 72,000 patients.

| Rank | Name of Covered Entity | Covered Entity Type | Individuals Affected | Type of Breach |
|---|---|---|---|---|
| 1 | UW Medicine | Healthcare Provider | 973,024 | Hacking/IT Incident |
| 2 | Columbia Surgical Specialist of Spokane | Healthcare Provider | 400,000 | Hacking/IT Incident |
| 3 | UConn Health | Healthcare Provider | 326,629 | Hacking/IT Incident |
| 4 | Rutland Regional Medical Center | Healthcare Provider | 72,224 | Hacking/IT Incident |
| 5 | Delaware Guidance Services for Children and Youth, Inc. | Healthcare Provider | 50,000 | Hacking/IT Incident |
| 6 | Rush University Medical Center | Healthcare Provider | 44,924 | Unauthorized Access/Disclosure |
| 7 | AdventHealth Medical Group | Healthcare Provider | 42,161 | Hacking/IT Incident |
| 8 | Reproductive Medicine and Infertility Associates, P.A. | Healthcare Provider | 40,000 | Hacking/IT Incident |
| 9 | Memorial Hospital at Gulfport | Healthcare Provider | 30,642 | Hacking/IT Incident |
| 10 | Pasquotank-Camden Emergency Medical Service | Healthcare Provider | 20,420 | Hacking/IT Incident |


Location of Breached Protected Health Information

Email is usually the most common location of compromised PHI, although in February there was a major rise in data breaches due to compromised network servers. 46.88% of all breaches reported in February involved ePHI stored on network servers, 25% involved ePHI stored in email, and 12.5% involved ePHI in electronic medical records.

Location of breached PHI

Healthcare Data Breaches by Covered Entity Type

Healthcare providers were the worst affected by data breaches in February 2019 with 24 incidents reported. There were five breaches reported by health plans, and three breaches reported by business associates of HIPAA-covered entities. A further seven breaches had some business associate involvement.

February 2019 healthcare data breaches by covered entity

Healthcare Data Breaches by State

The healthcare data breaches reported in February were spread across 22 states. California and Florida were the worst affected states with three breaches apiece. Two breaches were reported in each of Illinois, Kentucky, Maryland, Minnesota, Texas, and Washington, and one breach was reported in each of Arizona, Colorado, Connecticut, Delaware, Georgia, Kansas, Massachusetts, Mississippi, Montana, North Carolina, Virginia, Wisconsin, and West Virginia.

HIPAA Enforcement Actions in February 2019

2018 was a record year for HIPAA enforcement actions, although 2019 has started slowly. The HHS’ Office for Civil Rights has not issued any fines nor agreed to any HIPAA settlements so far in 2019.

There were no enforcement actions by state attorneys general over HIPAA violations in February. The only 2019 penalty to date is January’s $935,000 settlement between California and Aetna.

The post February 2019 Healthcare Data Breach Report appeared first on HIPAA Journal.

Are Google Home and Google Assistant HIPAA Compliant?

Can Google Home and Google Assistant be used in medical practices? Is Google Assistant HIPAA compliant or would using it in the workplace constitute a HIPAA violation?

Connected home assistants such as Google Home devices are growing in popularity. According to a 2018 study by market research firm Cognilytica, 51% of people use voice assistants in the car, 39% use them at home, and 1% use them at work. Apple’s Siri has the greatest market share followed by Google Assistant, which powers Google Home smart speakers.

It may be tempting to bring a Google Home device into the office and use it to take notes, get quick answers to questions, launch applications, and schedule reminders and calls. In a normal office environment, a Google Home device could possibly be used, but in healthcare, there is considerable potential for a HIPAA violation.

Virtual assistants are being developed for use in healthcare and they have potential to change how physicians interact with medical records and deliver patient care, but currently most virtual assistants lack the required security safeguards to satisfy the requirements of HIPAA.

Google Home devices can be configured to record audio and video, which in a healthcare setting could easily violate the privacy of patients. If any medical information is dictated or otherwise recorded, that would be classed as a HIPAA violation unless the voice technology was covered by a business associate agreement.

Is Google Assistant HIPAA Compliant?

Google does sign business associate agreements with healthcare companies for a wide range of its products, but currently neither Google Home nor Google Assistant is covered by its BAA. Until Google confirms that its voice assistant meets the requirements of HIPAA and includes the devices and the voice technology that powers them in its BAA, neither Google Home nor Google Assistant is HIPAA compliant, and they should not be used in a healthcare setting.

The post Are Google Home and Google Assistant HIPAA Compliant? appeared first on HIPAA Journal.

Is Calendly HIPAA Compliant?

Calendly is a popular tool that is used by many businesses to schedule meetings and appointments, but can Calendly be used by healthcare organizations? Is Calendly HIPAA compliant?

Businesses can waste a considerable amount of time scheduling appointments and meetings. Lengthy email exchanges and phone tag are commonplace. Calendly aims to eliminate the time wasted attempting to connect with others, and the platform can reduce no-show rates through automated email and text reminders. The solution integrates with Google Calendar, iCloud calendar, Office 365, Salesforce, GoToMeeting, and other popular software platforms, and it can also be embedded directly in business websites so that customers can schedule appointments themselves.

The platform is used by healthcare organizations for scheduling internal meetings, but in order to use Calendly with any electronic protected health information, healthcare organizations would first need to enter into a HIPAA-compliant business associate agreement with Calendly.

Is Calendly HIPAA Compliant?

Calendly explains on its website that the platform is secure and all data uploaded is protected. Data sent to and stored by the scheduling tool is protected by 256-bit encryption and Calendly is hosted on Amazon Web Services, which is a HIPAA-compliant hosting solution. Calendly cannot read medical charts and other private information as it only reads the busy/free status of calendar events to avoid double bookings.

While secure, Calendly explains in the help section of its website that “Calendly should not be used for collecting Protected Health Information” and that the solution should not be used for asking “any personal or medical questions in the question form invitees complete when scheduling.” Calendly also does not sign business associate agreements with HIPAA-covered entities.

As such, Calendly is not a HIPAA-compliant scheduling tool. The tool can be used by healthcare organizations, just not in connection with any ePHI. Healthcare organizations should ensure that only HIPAA-compliant scheduling tools are used for booking patient appointments.

The post Is Calendly HIPAA Compliant? appeared first on HIPAA Journal.

Is Evernote HIPAA Compliant?

Evernote is a useful cloud-based service that allows users to take notes, create to-do lists, plan projects, and collaborate with teams, but is Evernote HIPAA compliant? Can Evernote be used in healthcare by physicians and other healthcare professionals without violating HIPAA Rules?

Evernote serves as an easily accessible repository for a wide range of information, including documents, audio files, images, and video files. One of the key features of Evernote that makes it so useful is the ability to automatically sync files and notes across multiple devices.

Evernote is available as a free app or a paid service for businesses and does incorporate access controls and security features such as single sign-on (SSO) and two-factor authentication to prevent unauthorized use of the applications. Evernote stores data on the Google Cloud platform, which can be HIPAA compliant. Encryption is also supported by Evernote for Mac and Evernote for Windows Desktop. In-note encryption uses an AES 128-bit key.

Evernote is designed to make data sharing as easy as possible, which should raise a red flag if you are thinking about using Evernote with protected health information or files containing protected health information, such as patient documents or dictated notes.

Is Evernote HIPAA Compliant?

So, with the above security controls, is Evernote HIPAA compliant? While the security controls mentioned above do offer some protection against unauthorized access, they are not currently sufficient to meet the requirements of the HIPAA Security Rule. Further, Evernote does not sign business associate agreements with HIPAA covered entities.

Therefore, Evernote is not a HIPAA-compliant note-taking app, and it should not be used in connection with any protected health information.

There are alternatives that can be used in its place. You can read more about these via the links below:

Is Google Keep HIPAA Compliant?

Is Microsoft OneNote HIPAA Compliant?

The post Is Evernote HIPAA Compliant? appeared first on HIPAA Journal.

Is Return Path HIPAA Compliant?

Return Path is an email marketing and optimization platform that allows businesses to automate and analyze their email marketing campaigns, but is Return Path HIPAA compliant? Can the email marketing platform be used by healthcare organizations without violating HIPAA Rules?

Sending Marketing Emails to Patients and Health Plan Members

Before any healthcare organization can use an email service for sending marketing emails that contain electronic protected health information (ePHI) they must first:

  • Obtain consent from patients/plan members to receive marketing communications
  • Ensure that the service provider has appropriate security controls to protect the confidentiality of ePHI stored by or used by the platform
  • Ensure that ePHI can be uploaded to the platform securely without placing the information at risk of compromise
  • Enter into a HIPAA-compliant business associate agreement (BAA) with the service provider

Marketing messages are not included in the HIPAA Privacy Rule’s definition of treatment, payment, and healthcare operations (TPO). Consent must be obtained in writing from patients/members before ePHI can be used for marketing purposes.

A BAA is required, as the uploading of ePHI to a mailing service counts as a disclosure of ePHI. The service provider is considered a business associate and is required to be informed of its responsibilities with respect to HIPAA and must agree to abide by HIPAA Rules.

Provided the above conditions are met, a HIPAA-covered entity can use a third-party platform for sending marketing emails.

Is Return Path HIPAA Compliant?

Return Path naturally has a range of security protections in place to ensure the confidentiality, integrity, and availability of data uploaded to its platform. However, Return Path makes no mention of HIPAA or business associate agreements in its terms and conditions.

Return Path also states in its T&Cs that it is the responsibility of users of its platform to ensure they comply with appropriate laws and regulations.

So, is Return Path HIPAA compliant? Without a BAA, Return Path is not a HIPAA compliant email service and cannot therefore be used in connection with any ePHI.

The post Is Return Path HIPAA Compliant? appeared first on HIPAA Journal.

Is Mandrill HIPAA Compliant?

Is Mandrill HIPAA compliant? Can MailChimp’s transactional email service be used by healthcare organizations without violating HIPAA Rules?

Use of Mandrill by Healthcare Organizations

Mandrill is a transactional email offering from MailChimp, the leading automated email marketing platform. Mandrill allows businesses to automatically send emails to customers and individuals that interact with their web apps and connects to MailChimp via an API.

Transactional emails differ from marketing emails in that they are triggered by events such as password resets, order confirmations, welcome messages, and receipts. Marketing emails require an opt-in from patients/plan members under HIPAA Rules; in most cases, transactional emails do not.

That does not mean that there are no HIPAA issues for healthcare organizations that are considering using Mandrill. Any email service used by a healthcare organization that requires electronic protected health information (ePHI) to be uploaded would have to have privacy and security safeguards built into the platform to prevent unauthorized ePHI access, and an audit trail would need to be maintained. Any ePHI uploaded would need to be secured in transit, and stored data would need to be encrypted.

If the service is to be used with any ePHI, the service provider would be classed as a business associate and a business associate agreement would therefore be required.

Most service providers that support HIPAA compliance and are prepared to enter into a business associate agreement with HIPAA-covered entities make it clear that they support HIPAA compliance and offer a BAA.

Is Mandrill HIPAA Compliant?

Users of Mandrill are bound by the terms and conditions of MailChimp. You can find out more about MailChimp and HIPAA compliance here, but to summarize that post, MailChimp states that “You’re responsible for determining whether the Service is suitable for you to use in light of your obligations under any regulations like HIPAA” and, since at the time of writing MailChimp does not offer a BAA, neither MailChimp nor Mandrill is HIPAA compliant.

MailChimp and Mandrill can be used by healthcare organizations, but since they are not HIPAA compliant they cannot be used in connection with any ePHI.

The post Is Mandrill HIPAA Compliant? appeared first on HIPAA Journal.

Former Patient Care Coordinator Pleads Guilty to Disclosing Patients’ PHI with Intent to Cause Harm

A former employee of an affiliate of University of Pittsburgh Medical Center (UPMC) who was discovered to have accessed the medical records of patients without authorization has pleaded guilty to one count of wrongful disclosure of health information and now faces a fine and jail term for the HIPAA violation.

Ms. Linda Sue Kalina, 61, of Butler, PA, had previously worked as a patient care coordinator at Tri Rivers Musculoskeletal (TRM) between March 7, 2016 and June 23, 2017 before moving to Allegheny Health Network (AHN) where she worked from July 24, 2017 to August 17, 2017.

Between December 2016 and August 2017, Ms. Kalina was accused of accessing the files of 111 UPMC patients and 2 AHN patients without authorization or any legitimate work reason for doing so. According to her indictment, she also disclosed the PHI of four of those patients to individuals not authorized to receive the information.

Prior to working at TRM, Ms. Kalina had been employed at Frank J. Zottola Construction for 24 years until she was fired from the position of office manager. While at TRM and AHN, Ms. Kalina had impermissibly accessed the medical records of employees of the construction firm, including the gynecological records of the woman who replaced her.

Ms. Kalina was accused of sending an email to the company controller in June 2017 in which she disclosed the woman’s gynecological records and also left a voicemail revealing information from those records to another Zottola employee in August 2017.

Zottola contacted UPMC to complain about the privacy violation, and after an internal investigation, Ms. Kalina was fired. The HIPAA violation case was then pursued by the Department of Justice.

Ms. Kalina was indicted on six counts in the summer of 2018 in relation to wrongfully obtaining and disclosing PHI in violation of HIPAA, including disclosing PHI with intent to cause malicious harm.

In federal court, Ms. Kalina pleaded guilty to one count of wrongful disclosure of ePHI with intent to cause harm (leaving the voicemail message) and admitted to having accessed the medical records of more than 100 individuals without authorization.

U.S. District Judge Arthur Schwab agreed to release Ms. Kalina on bond pending sentencing on June 25, 2019. Ms. Kalina was ordered not to make contact with any of the victims and the victims were instructed not to make contact with Ms. Kalina.

Ms. Kalina faces a fine of up to $250,000 for the HIPAA violations and a sentence of up to 10 years in jail.

The post Former Patient Care Coordinator Pleads Guilty to Disclosing Patients’ PHI with Intent to Cause Harm appeared first on HIPAA Journal.

Is Marketo HIPAA Compliant?

Marketo is a marketing automation solution for lead management and email marketing that was recently acquired by Adobe. Can Marketo be used by healthcare organizations in connection with ePHI? Is Marketo HIPAA compliant?

Healthcare Marketing

Healthcare organizations looking for a marketing automation platform need to ensure the platform provider complies with HIPAA regulations if the platform is to be used in connection with electronic protected health information.

Healthcare organizations can use marketing automation platforms for a range of purposes without having to enter into a business associate agreement (BAA) with the solution provider, but if the solution is to be used with ePHI, a BAA is essential.

HIPAA places restrictions on uses and disclosures of ePHI by HIPAA covered entities. ePHI can be used and disclosed for the purposes of providing treatment, in relation to payment for healthcare, or for healthcare operations (TPO) without having to obtain authorization from patients. Other uses and disclosures, which include marketing, require authorizations from patients.

HIPAA defines marketing as “communication to an individual about a product or service that encourages the individual to purchase or use that product or service” (see 45 CFR 164.501(1)).

Prior to sending any marketing communications, HIPAA-covered entities must obtain authorization from patients/members in writing, either physically or electronically with an e-signature.

Is Marketo HIPAA Compliant?

Marketo states on its website that its platform has Privacy Shield certification and has been SOC 2 certified, and that Marketo has implemented safeguards to ensure customer data are kept private and confidential.

Connections to Marketo are encrypted using high-grade 2048-bit certificates, and user sessions are protected by unique session tokens and require re-verification for each transaction. Marketo performs regular scans of its network and systems for vulnerabilities, and patches are applied promptly. Marketo also performs penetration tests and has its products assessed by independent third parties. Physical, technical, and administrative safeguards are implemented to keep software, hardware, and data secured, and all clients’ data are stored in separate databases.

Marketo’s use policy states that customers must not provide Marketo access to or upload “any of the following categories of data: social security numbers; passport or visa numbers; driver’s license numbers; taxpayer or employee ID; financial account or payment card information; passwords; medical or health records or information reflecting the payment of such treatment.”

So, is Marketo HIPAA compliant?


The Marketo website and associated forums contain no mention of a BAA. Without a BAA the solution cannot be considered HIPAA compliant and should not be used with ePHI.

That does not mean Marketo cannot be used by healthcare organizations. Many healthcare organizations, including GE Healthcare, Kindred Healthcare, Boston Children’s Hospital and EHR provider Allscripts use the platform. It is the responsibility of users of the platform to ensure that HIPAA Rules are followed.

The post Is Marketo HIPAA Compliant? appeared first on HIPAA Journal.

HIPAA Compliance at Odds with Healthcare Cybersecurity

The College of Healthcare Information Management Executives (CHIME) has told Congress that complying with HIPAA Rules is not enough to prevent data breaches and HIPAA compliance can, in some cases, result in a lessening of healthcare cybersecurity defenses.

Russell P. Branzell, President and CEO of CHIME, and Shafiq Rab, CHCIO, Chair of the CHIME Board of Trustees, recently responded to a request for information (RFI) by Congress on ways to address rising healthcare costs.

In a March 1, 2019 letter to Lamar Alexander, Chairman of the Committee on Health, Education, Labor, and Pensions (HELP), they explained that the use of technology in healthcare helps to reduce costs and can, if harnessed correctly, improve efficiency as well as outcomes.

“Significant advancements in healthcare technology have been made possible through policy, however, often overly stringent prescriptive mandates have added to healthcare costs, impeded innovation and increased burdens on clinicians.”

The use of technology and data sharing are essential for improving the level of care that can be provided to patients, yet both introduce new risks to the confidentiality, integrity, and availability of healthcare data. While policies are being introduced to encourage the use of technology and improve interoperability, it is also essential for cybersecurity measures to be implemented to protect patient data. Any policy recommendations must also include security requirements.

“As we increase interoperability, additional threats to data integrity will arise. Without proper safeguards, the safe and secure transmission of sensitive data will continue to be a challenge and will hinder efforts to care outcomes,” wrote CHIME.

Healthcare organizations that comply with HIPAA Rules will have met the minimum standards for healthcare data privacy and security set by the HHS. That does not mean that HIPAA-compliant organizations are well protected against cyberattacks. HIPAA is complex and compliance requires a significant amount of resources. That can mean fewer resources are then available to tackle cybersecurity issues and protect against actual cyber threats.

Healthcare providers are devoting resources to meeting standards set by the HHS and its Office for Civil Rights (OCR), even though the measures introduced for HIPAA compliance may not address the most serious threats. As a result, their ability to protect patient data could be diminished rather than increased.

CHIME also pointed out that enforcement of compliance with HIPAA Rules, via breach investigations and compliance audits, is unduly punitive. OCR appears to be more focused on punishment than on helping healthcare providers recover from a breach, learn from it, and share the lessons learned with other healthcare organizations.

Healthcare providers should not have the burden of protecting PHI in areas outside their control. CHIME suggests safe harbors should be introduced “for organizations that demonstrate, and certify, cybersecurity readiness.” That may require amendments to the HITECH Act, along with a change to the language used for the definition of a breach so it no longer presumes guilt.

CHIME has also called for the HHS to issue better guidance for healthcare providers to help them assess threats that are within their control. Healthcare providers should not have full responsibility for protecting PHI outside of their domain. CHIME has also suggested that the balance of responsibility for security needs to be split more evenly between covered entities and their business associates.

When considering enforcement actions, OCR should assess the level of effort that has gone into protecting systems and PHI. Policies should be pursued that reward healthcare providers for good-faith efforts to prevent cyberattacks, such as demonstrating sufficient compliance with NIST’s Cybersecurity Framework (CSF).

These measures will help encourage healthcare providers to invest more in cybersecurity, which in turn will help to prevent more breaches and allow healthcare providers to avoid the high costs of mitigating those breaches, thus helping to reduce healthcare costs.

The post HIPAA Compliance at Odds with Healthcare Cybersecurity appeared first on HIPAA Journal.