HIPAA Compliance News

HHS Publishes Proposed Rule Establishing Information Blocking Disincentives for Healthcare Providers

Posted by Steve Alder

The Centers for Medicare and Medicaid Services (CMS) at the Department of Health and Human Services (HHS) has published a long-awaited proposed rule that establishes disincentives for healthcare providers that have committed information blocking, as called for by the 21st Century Cures Act. Information blocking is classed as knowingly or unreasonably interfering with the access, exchange, or use of electronic health information, except as required by law or covered by a regulatory exception.

The Cures Act requires the Office of Inspector General (OIG) to refer healthcare providers determined by OIG to have committed information blocking to the appropriate agency to be subject to appropriate disincentives using authorities under applicable Federal law, as the Secretary sets forth through notice and comment rulemaking. On June 27, 2023, the HHS OIG published its final rule that implemented information blocking penalties of $1 million per violation for health information technology (IT) developers of certified health IT and other entities offering certified health IT, health information exchanges, and health information networks. The penalties took effect on August 2, 2023.

The latest HHS proposed rule establishes penalties for healthcare providers found to have committed information blocking. The proposed disincentives are as follows:

  • Medicare Promoting Interoperability Program: An eligible hospital or critical access hospital (CAH) would not be a meaningful electronic health record (EHR) user in an applicable EHR reporting period. The impact on eligible hospitals would be the loss of 75 percent of the annual market basket increase; for CAHs, payment would be reduced to 100 percent of reasonable costs instead of 101 percent.
  • Promoting Interoperability performance category of the Merit-based Incentive Payment System (MIPS): An eligible clinician or group would not be a meaningful user of certified EHR technology in a performance period and would therefore receive a zero score in the Promoting Interoperability performance category of MIPS, if required to report on that category. The Promoting Interoperability performance category score typically can be a quarter of a clinician or group’s total MIPS score in a year.
  • Medicare Shared Savings Program: A health care provider that is an Accountable Care Organization (ACO), ACO participant, or ACO provider or supplier would be deemed ineligible to participate in the program for a period of at least one year. This may result in a healthcare provider being removed from an ACO or prevented from joining an ACO.

The proposed rule will be published in the Federal Register on November 1, 2023. A 60-day comment period will follow, with the comments made accessible for public inspection. Comments must be submitted by no later than January 2, 2024, at 11:59 p.m. The HHS will consider all comments before publishing the final rule, which is expected to be issued later in 2024. The Office of the National Coordinator for Health Information Technology (ONC) and the CMS will host an information session about the proposed rule in the coming weeks.

“HHS is committed to developing and implementing policies that discourage information blocking to help people and the health providers they allow to have access to their electronic health information,” said HHS Secretary Xavier Becerra. “We are confident the disincentives included in the proposed rule, if finalized, will further increase the appropriate sharing of electronic health information and establish a framework for potential additional disincentives in the future.”

The post HHS Publishes Proposed Rule Establishing Information Blocking Disincentives for Healthcare Providers appeared first on HIPAA Journal.

September 2023 Healthcare Data Breach Report

Posted by Steve Alder

September was a much better month for healthcare data privacy, with the lowest number of reported healthcare data breaches since February 2023. In September, 48 data breaches of 500 or more records were reported to the HHS’ Office for Civil Rights (OCR), which is well below the 12-month average of 57 data breaches a month.

For the second successive month, there was a fall in the number of breached records, which dropped 36.6% month-over-month. Across the 48 reported data breaches, the protected health information of 7,556,174 individuals was exposed or impermissibly disclosed. September’s total was below the 12-month average of 7,906,890 records per month, but this year has seen two particularly bad months for data breaches. More healthcare records were exposed in May and June than were exposed in all of 2020!

The high number of breached records can partly be attributed to the mass exploitation of a zero-day vulnerability in Progress Software’s MOVEit solution, which is used by healthcare organizations and their business associates for transferring files. According to Emsisoft, which has been tracking the MOVEit data breaches, 2,553 organizations were affected by the attacks globally, and 19.2% of those were in the health sector. Most of these breaches are now believed to have been reported.

Largest Healthcare Data Breaches in September 2023

There were 16 data breaches reported in September that involved 10,000 or more records, four of which – including the largest data breach of the month – were due to the mass exploitation of the vulnerability that affected the MOVEit Transfer and MOVEit Cloud solutions (CVE-2023-34362). The healthcare industry continues to be targeted by ransomware and extortion gangs, including Clop, Rhysida, Money Message, NoEscape, Karakurt, Royal, and ALPHV (BlackCat). Three of the 10,000+ record data breaches were confirmed as ransomware attacks, although several more are likely to have involved ransomware or extortion. It is common for HIPAA-covered entities not to disclose details of hacking incidents.

While hacking incidents often dominate the headlines, the healthcare industry suffers more insider breaches than other sectors, and September saw a major insider breach at a business associate. An employee of the business associate Maximus was discovered to have emailed the protected health information of 1,229,333 health plan members to a personal email account.

Name of Covered Entity State Covered Entity Type Individuals Affected Type of Breach Cause of Breach
Arietis Health, LLC FL Business Associate 1,975,066 Hacking/IT Incident MOVEit Hack (Clop)
Virginia Dept. of Medical Assistance Services VA Health Plan 1,229,333 Hacking/IT Incident Employee of a business associate (Maximus) emailed documents to a personal email account
Nuance Communications, Inc. MA Business Associate 1,225,054 Hacking/IT Incident MOVEit Hack (Clop)
International Business Machines Corporation NY Business Associate 630,755 Unauthorized Access/Disclosure MOVEit Hack (Clop)
Temple University Health System, Inc. PA Healthcare Provider 430,381 Hacking/IT Incident Hacking incident at business associate (no information released)
Prospect Medical Holdings, Inc. CA Business Associate 342,376 Hacking/IT Incident Rhysida ransomware attack
United Healthcare Services, Inc. Single Affiliated Covered Entity CT Health Plan 315,915 Unauthorized Access/Disclosure MOVEit Hack (Clop)
Oak Valley Hospital District CA Healthcare Provider 283,629 Hacking/IT Incident Hacked network server
Bienville Orthopaedic Specialists LLC MS Healthcare Provider 242,986 Hacking/IT Incident Hacked network server (data theft confirmed)
Amerita KS Healthcare Provider 219,707 Hacking/IT Incident Ransomware attack on parent company (PharMerica) by Money Message group
Community First Medical Center IL Healthcare Provider 216,047 Hacking/IT Incident Hacked network server
OrthoAlaska, LLC AK Healthcare Provider 176,203 Hacking/IT Incident Hacking incident (no information released)
Acadia Health, LLC d/b/a Just Kids Dental AL Healthcare Provider 129,463 Hacking/IT Incident Ransomware attack – Threat group confirmed data deletion
Founder Project Rx, Inc. TX Healthcare Provider 30,836 Hacking/IT Incident Unauthorized access to email account
Health First, Inc. FL Healthcare Provider 14,171 Hacking/IT Incident Unauthorized access to email account
MedMinder Systems, Inc. MA Healthcare Provider 12,146 Hacking/IT Incident Hacked network server

Data Breach Types and Data Locations

Hacking and other IT incidents continue to dominate the breach reports. In September, hacking/IT incidents accounted for 81.25% of all reported data breaches of 500 or more records (39 incidents) and 87.23% of the exposed or stolen records (6,591,496 records). The average data breach size was 169,013 records and the median data breach size was 4,194 records.

There were 9 data breaches classified as unauthorized access/disclosure incidents, across which 964,678 records were impermissibly accessed by or disclosed to unauthorized individuals. The average data breach size was 107,186 records and the median breach size was 2,834 records.

There were no reported incidents involving the loss or theft of paper records or electronic devices containing ePHI, and no reported incidents involving the improper disposal of PHI.

Given the large number of hacking incidents, it is no surprise that network servers were the most common location of breached protected health information. 7 incidents involved unauthorized access to email accounts.

Where did the Data Breaches Occur?

The raw data from the OCR data breach portal shows healthcare providers were the worst affected entity in September, with 30 healthcare providers reporting data breaches. There were 11 data breaches reported by business associates and 7 breaches reported by health plans. These figures do not tell the full story, as the reporting entity may not be the entity that suffered a data breach. Many data breaches occur at business associates of HIPAA-covered entities but are reported to OCR by the covered entity rather than the business associate.

To better reflect this and to avoid the underrepresentation of business associates in the healthcare data breach statistics, the charts below show where the data breaches occurred rather than the entity that reported the data breach.

Business associate data breaches are often severe as if a hacker gains access to the network of a business associate, they can access the data of all clients of that business associate. In September the average size of a business associate data breach was 5,864,823 records (median: 2,729 records). The average size of a healthcare provider data breach was 1,372,101 records (median: 7,267 records), and the average health plan data breach involved 319,250 records (median: 2,834 records).

Geographical Distribution of Data Breaches

Healthcare data breaches of 500 or more records were reported by HPAA-regulated entities in 24 states. California, Florida, and New York were the worst affected states with 4 breaches each.

State Breaches
California, Florida & New York 4
Georgia, Illinois & Texas 3
Alabama, Connecticut, Massachusetts, Minnesota, Mississippi, Missouri, New Jersey, Pennsylvania & Virginia 2
Arizona, Arkansas, Indiana, Kansas, Kentucky, Maryland, Nevada, North Carolina & Tennessee 1

HIPAA Enforcement Activity in September 2023

All healthcare data breaches of 500 or more records are investigated by OCR to determine whether they were the result of non-compliance with the HIPAA Rules. OCR has a backlog of investigations due to budgetary constraints, and HIPAA violation cases can take some time to be resolved. In September, OCR announced that one investigation had concluded and a settlement had been reached. The case dates back to March 2014, when an online media source reported that members of the health plan were able to access the PHI of other members via its online member portal. The breach was reported to OCR as affecting fewer than 500 plan members and OCR launched a compliance review in February 2016. Three years later, another breach was reported – a mailing error, this time affecting 1,498 plan members.

OCR investigated LA Care Health Plan again and found multiple violations of the HIPAA Rules – A risk analysis failure, insufficient security measures, insufficient reviews of records of information system activity, insufficient evaluations in response to environmental/operational changes, insufficient recording and examination of activity in information systems, and an impermissible disclosure of the ePHI of 1,498 individuals. The case was settled, and LA Care Health Plan agreed to adopt a corrective action plan and pay a $1,300,000 penalty.

State attorneys general are also authorized to investigate healthcare data breaches and fine organizations for HIPAA violations. From 2019 to 2022, there were relatively few financial penalties imposed for HIPAA violations or equivalent violations of state laws, but there has been a significant increase in enforcement actions in 2023. Between 2019 and 2022 there were 12 enforcement actions by state attorneys general that resulted in financial penalties. 11 penalties have been imposed so far in 2023.

In September, three settlements were announced by state attorneys general. The first, and the largest, was in California, which fined Kaiser Foundation Health Plan Foundation Inc. and Kaiser Foundation Hospitals $49 million. Kaiser was found to have violated state laws by improperly disposing of hazardous waste and violating HIPAA and state laws by disposing of protected health information in regular trash bins.

The Indiana Attorney General announced that a settlement had been reached with Schneck Medical Center following an investigation of a data breach involving the PHI of 89,707 Indiana residents. The settlement resolved alleged violations of violations of the HIPAA Privacy, Security, and Breach Notification Rules, the Indiana Disclosure of Security Breach Act, and the Indiana Deceptive Consumer Sales Act. Schneck Medical Center paid a $250,000 penalty and agreed to improve its security practices.

The Colorado Attorney General announced that a settlement had been reached with Broomfield Skilled Nursing and Rehabilitation Center over a breach of the protected health information of 677 residents. The settlement resolved alleged violations of HIPAA data encryption requirements, state data protection laws, and deceptive trading practices. A penalty of $60,000 was paid to resolve the alleged violations, with $25,000 suspended, provided corrective measures are implemented.

The post September 2023 Healthcare Data Breach Report appeared first on HIPAA Journal.

OCR Issues Telehealth Guidance for Providers and Patients

Posted by Steve Alder

The HHS’ Office for Civil Rights has issued new guidance for healthcare providers to help them educate patients about privacy and security risks when using remote communications technologies for telehealth visits and recommendations for patients on how they can protect and secure their health information.

During the pandemic, healthcare providers massively expanded their telehealth services to ensure that patients could access the medical services they needed while reducing the risk of contracting COVID-19. OCR issued a Notice of Enforcement Discretion covering the good faith provision of telehealth services to make it easier for healthcare providers to provide telehealth services during the pandemic by using non-public-facing communications platforms that are not fully HIPAA compliant, such as platforms where vendors would not enter into business associate agreements. Now that the COVID-19 public health emergency has been declared over, OCR’s telehealth Notice of Enforcement Discretion has expired; however, OCR continues to support telehealth services, which have proven popular with both providers and patients.

Telehealth Privacy and Security Risks

Healthcare providers must ensure that the communications platforms they use for providing telehealth services support HIPAA compliance. Even when ‘HIPAA-compliant’ platforms are used for telehealth there are still privacy and security risks that must be addressed and reduced to a low and acceptable level. In the summer of 2022, ahead of the telehealth flexibilities coming to an end, OCR issued guidance for healthcare providers on HIPAA and audio-only telehealth services.

While HIPAA does not require healthcare providers to educate patients about the privacy and security risks associated with telehealth, a Government Accountability Office (GAO) review of the Medicare telehealth services provided during the COVID-19 – Medicare Telehealth: Actions Needed to Strengthen Oversight and Help Providers Educate Patients on Privacy and Security Risks – recommended OCR issue guidance to help healthcare providers explain the privacy and security risks associated with telehealth services to patients.

During the review, GAO identified numerous complaints that had been made about the use of non-compliant technology during the pandemic, more than 3 dozen complaints had been filed about the presence of third parties during appointments, and there were instances where providers shared PHI without obtaining patient consent. GAO concluded that there was a need for additional education and outreach to help providers explain the privacy and security risks to patients associated with telehealth to make sure that those risks are fully understood. OCR concurred with the recommendation and agreed to publish new guidance.

New OCR Telehealth Privacy and Security Resources

Two guidance resources were published by OCR on October 18, 2023. The first guidance document is for healthcare providers to help them educate patients about the privacy and security risks associated with remote communication technologies, and the second guidance document is for patients and offers tips on privacy and security when taking advantage of telehealth services.

The provider guidance – Educating Patients about Privacy and Security Risks to Protected Health Information when Using Remote Communication Technologies for Telehealth – offers suggestions for healthcare providers to help them discuss the telehealth options offered, the potential risks to protected health information associated with remote communications technologies, the privacy and security practices of vendors telehealth communication tools, and the applicability of civil rights laws.

The patient guidance – Telehealth Privacy and Security Tips for Patients – offers recommendations for patients on how they can protect and secure their protected health information, such as the importance of conducting telehealth visits in private settings, activating multi-factor authentication, using encryption, and avoiding using public Wi-Fi networks.

“Telehealth is a wonderful tool that can increase patients’ access to health care and improve health care outcomes,” said OCR Director Melanie Fontes Rainer.  “Health care providers can support telehealth by helping patients understand privacy and security risks and effective cybersecurity practices so patients are confident that their health information remains private.”

The post OCR Issues Telehealth Guidance for Providers and Patients appeared first on HIPAA Journal.

Healthcare Clearinghouse Settles Multi-state HIPAA Investigation for $1.4 Million

Posted by Steve Alder

Inmediata has agreed to a $1.4 million settlement to resolve a multi-state investigation of potential violations of the Health Insurance Portability and Accountability Act (HIPAA) and state breach notification laws.

On January 15, 2019, the Department of Health and Human Services’ Office for Civil Rights (OCR) notified the Puerto Rico-based healthcare clearinghouse that a server containing the protected health information that it maintained had not been properly secured, resulting in files being indexed by search engines that could be found, accessed, and downloaded by anyone with Internet access. The files on the server contained the protected health information of 1,565,338 individuals and some of those files dated as far back as May 2016.

The HIPAA Breach Notification Rule requires HIPAA-covered entities to issue notifications to individuals affected by a data breach without undue delay and no later than 60 days from the discovery of a data breach. Despite being notified about the breach by OCR, the primary HIPAA regulator, Inmediata waited three months to mail notification letters, and when notification letters were mailed, a mailing error occurred, resulting in letters being sent to incorrect addresses.

Many Americans are unaware of the services provided by healthcare clearinghouses as they do not have any direct contact with them. Healthcare clearinghouses such as Inmediata facilitate transactions between healthcare providers and insurers and are classed as HIPAA-covered entities, which means they must ensure they are fully compliant with the HIPAA Privacy, Security, and Breach Notification Rules. The multi-state investigation found the content of the letters to lack clarity which resulted in confusion for some consumers as to why Inmediata had their data and caused some individuals to dismiss the notification letters as illegitimate.

The multi-state investigation was led by the Indiana Attorney General, assisted by an Executive Committee consisting of the attorneys general in Connecticut, Michigan, and Tennessee. Alabama, Arizona, Arkansas, Colorado, Connecticut, Delaware, Georgia, Indiana, Iowa, Kansas, Kentucky, Louisiana, Maryland, Massachusetts, Michigan, Minnesota, Mississippi, Montana, Nebraska, New Hampshire, North Carolina, Oklahoma, Oregon, Pennsylvania, Puerto Rico, Rhode Island, South Carolina, Tennessee, Utah, Washington, West Virginia and Wisconsin also participated.

The attorneys general alleged violations of the HIPAA Security Rule for failing to implement reasonable and appropriate data security safeguards to ensure the confidentiality, integrity, and availability of electronic protected health information, a failure to conduct a secure code review at any point prior to the data breach, and violations of the HIPAA Breach Notification Rule and state data breach notification laws for failing to provide the affected individuals with timely and complete information about the data breach.

The $1.4 million settlement will be divided among the participating states and Inmediata has also agreed to strengthen its data security and breach notification practices. The requirements include the implementation and maintenance of a comprehensive information security program, which must include secure code reviews and search engine crawling controls. An incident response plan must also be developed that includes specific policies and procedures regarding consumer notification letters, and Inmediata must undergo annual third-party security assessments for the next five years. Last year, Inmediata settled a class action lawsuit over the data breach for $1.125 million.

“Inmediata maintained some of our most sensitive and private health information and they had an obligation to keep it secure. Their coding error left sensitive patient information exposed on public online searches for months, with no notification to impacted patients. Their failures violated numerous state consumer protection laws, breach notification laws, and HIPAA requirements. Our multistate settlement forces Inmediata to pay a significant fine and requires strong security practices going forward to ensure these types of inexcusable security lapses never occur again,” said Connecticut Attorney General, William Tong.

The post Healthcare Clearinghouse Settles Multi-state HIPAA Investigation for $1.4 Million appeared first on HIPAA Journal.

Patient Consent Not Required for Disclosures of PHI for Fundraising, Rules Minnesota Supreme Court

Posted by Steve Alder

Healthcare organizations in Minnesota are permitted to use patient data for fundraising purposes without obtaining patient consent, according to Minnesota Supreme Court Chief Justice Natalie Hudson.

The Supreme Court was petitioned to review a lower court’s decision to dismiss a lawsuit against Children’s Health Care, which does business as Children’s Hospital and Clinics (Children’s). Legal action was taken against Children’s following a data breach at a third-party vendor that was used for fundraising purposes. The plaintiffs, Kelly and Evarist Schneider, were informed that their child’s name, age, date of birth, and treatment details were in the healthcare provider’s fundraising database and had potentially been compromised. They believed the hospital should have obtained permission before disclosing their child’s protected health information to the foundation’s fundraising database and argued that the disclosure violated the Minnesota Health Records Act (MHRA).

The case concerned the interpretation of the MHRA, which prohibits the disclosure of protected health information without “specific authorization in law.” Children’s moved to have the lawsuit dismissed and argued that the federal Health Insurance Portability and Accountability Act (HIPAA) is a specific authorization in law and that HIPAA permits the disclosure of protected health information for fundraising purposes without patient consent.

The district court denied Children’s motion to dismiss, as while HIPAA was determined to be a specific authorization in law under the MHRA, it was unclear whether Children’s had complied with the privacy notice requirements of the HIPAA Privacy Rule. Children’s moved for summary judgment, which the district court granted. The district court reiterated its conclusion that the disclosure was permitted under the MHRA and HIPAA and found there was no dispute about whether the required privacy practices had been provided. The court of appeals affirmed the district court’s ruling.

The plaintiffs argued that states are permitted to implement more stringent privacy regulations than HIPAA and that the MHRA preempted the HIPAA fundraising exception; however, the court of appeals rejected that argument as the MHRA was determined not to be more stringent than HIPAA with respect to disclosures of protected health information for fundraising purposes. The plaintiffs petitioned the Supreme Court for review on whether the MHRA’s reference to a “specific authorization in law” includes the fundraising exception in the HIPAA Privacy Rule. Chief Justice Hudson ruled that the HIPAA Privacy Rule permits a hospital to disclose a patient’s protected health information to a foundation or business associate for fundraising purposes without requiring patient consent and that HIPAA is a “specific authorization in law” under the Minnesota Health Records Act.

The post Patient Consent Not Required for Disclosures of PHI for Fundraising, Rules Minnesota Supreme Court appeared first on HIPAA Journal.

Schneck Medical Center Settles HIPAA Lawsuit with Indiana AG

Posted by Steve Alder

Seymour, IN-based Schneck Medical Center has settled a lawsuit with the Indiana attorney general, Todd Rokita, over a 2021 ransomware attack and data breach that affected 89,707 Indiana residents. Schneck Medical Center has agreed to pay a penalty of $250,000 to resolve alleged violations of the Health Insurance Portability and Accountability Act (HIPAA) and state laws and will implement additional safeguards to prevent further data breaches.

According to the lawsuit, Schneck Medical Center conducted a risk analysis in December 2020 which revealed many critical security issues, but Schneck Medical Center failed to address them. 9 months later, on or around September 29, 2021, security flaws were exploited by a malicious actor who gained access to the network, exfiltrated sensitive patient data, and then deployed ransomware to encrypt files. The information stolen in the attack included names, addresses, dates of birth, Social Security numbers, driver’s license numbers, financial account information, payment card information, diagnoses, and health insurance information.

Schneck Medical Center was quick to alert patients to the cyberattack through a statement on its website on September 29, 2021; however, the Indiana AG alleged that Schneck Medical Center failed to disclose the risk patients faced and did not encourage them to take steps to protect themselves against identity theft and fraud, even though Schneck Medical Center was aware at the time that a large quantity of sensitive data had been stolen.

Another statement was released two months later on November 26, 2021, confirming that files had been stolen in the attack; however, Schneck Medical Center failed to disclose that protected health information had been exposed, despite being aware that PHI had been stolen. Schneck Medical Center also failed to issue timely individual notifications, which were not mailed until May 13, 2022 – 226 days after the discovery of the data breach. Schneck Medical Center also claimed in a May 13, 2022, substitute breach notice that data theft was discovered on March 17, 2022, when Schneck Medical Center was aware on September 29, 2023, that data had been stolen.

The Indiana attorney general alleged multiple violations of the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule and violations of the Indiana Disclosure of Security Breach Act and the Indiana Deceptive Consumer Sales Act.

Schneck Medical Center Compensates Patients for Losses

Schneck Medical Center has also recently settled a consolidated class action lawsuit for $1.3 million. Two lawsuits were filed in response to the ransomware attack and data breach by patients Jalen Nierman, Bryce Sheaffer, Jennifer Renoll, Patricia White, and Nigel Myers who sought compensation for the data breach. The plaintiffs alleged Schneck Medical Center failed to implement reasonable and appropriate safeguards to ensure the confidentiality of patient data. Schneck Medical Center agreed to a settlement with no admission of wrongdoing.

Under the terms of the settlement, class members are entitled to claim up to $500 in ordinary expenses, including up to 4 hours of lost time at $15 per hour. Individuals who incurred extraordinary expenses due to the data breach can claim up to $6,000. Claims may be paid pro rata, depending on the number of claims received. The settlement also includes 27 months of free credit monitoring and identity theft protection services and coverage through a $1 million identity theft insurance policy.

The post Schneck Medical Center Settles HIPAA Lawsuit with Indiana AG appeared first on HIPAA Journal.

L.A. Care Health Plan Settles Multiple HIPAA Violations for $1.3 Million

Posted by Steve Alder

The Local Initiative Health Authority for Los Angeles County, operating as L.A. Care Health Plan, has settled multiple violations of the HIPAA Privacy and Security Rules with the HHS’ Office for Civil Rights (OCR) and will pay a $1,300,000 penalty and adopt a robust corrective action plan.

L.A. Care Health Plan is the largest publicly operated health plan in the United States and has more than 2.7 million members. OCR said it launched two separate investigations of L.A. Care Health Plan to assess the state of HIPAA compliance, the first of which was in response to a media report about impermissible disclosures of protected health information (PHI) via its member portal and the second was in response to a breach that was reported to OCR involving the PHI of 1,498 members.

In 2016, a media outlet reported that members of the health plan were able to access the protected health information (PHI) of other members via the online member portal over a 2-day period in 2014 due to a manual processing error. OCR informed L.A. Care Health Plan it had initiated a compliance review and in February 2016, L.A. Care Health Plan reported the breach to OCR as affecting fewer than 500 individuals. In March 2019, L.A. Care Health Plan notified OCR about a 1,498-record data breach caused by a mailing error that saw members receive the ID cards of other health plan members.

OCR determined that there had been several failures to fully comply with the requirements of the HIPAA Privacy and Security Rules. The resolution agreement lists 6 potential HIPAA violations identified by its investigators.

  1. A failure to conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all ePHI – 45 C.F.R. § 164.308(a)(1)(ii)(A).
  2. A failure to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level – 45 C.F.R. § 164.308(a)(1)(ii)(B).
  3. A failure to implement sufficient procedures to regularly review records of information system activity – 45 C.F.R. § 164.308(a)(1)(ii)(D).
  4. A failure to perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of ePHI – 45 CFR F.R. § 164.308(a)(8).
  5. A failure to implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI – 45 C.F.R. 164.312(b).
  6. The impermissible disclosure of the ePHI of 1,498 individuals – 45 C.F.R. § 164.502(a).

L.A. Care Health Plan chose to settle the investigations with no admission of liability and agreed to pay a $1,300,000 financial penalty and adopt a corrective action plan to correct the alleged HIPAA violations. The corrective action plan includes the requirement to conduct a comprehensive, organization-wide risk analysis, develop a risk management plan, develop, implement, and distribute policies and procedures for a risk analysis and risk management plan, report to OCR when evaluations of environmental and operational changes are conducted, and to report HIPAA violations by employees to OCR within 30 days.

“Breaches of protected health information by a HIPAA-regulated entity often reveal systemic, noncompliance with the HIPAA Rules,” said OCR Director Melanie Fontes Rainer.  “HIPAA-regulated entities need to be proactive in ensuring their compliance with the HIPAA Rules, and not wait for OCR to reveal long-standing HIPAA deficiencies.  Entities such as LA Care must protect the health information of its insureds while providing health care for the most vulnerable residents of Los Angeles County through its coverage, which includes Medicaid, Medicare, and Affordable Care Act health plans.”

The post L.A. Care Health Plan Settles Multiple HIPAA Violations for $1.3 Million appeared first on HIPAA Journal.

Kaiser Pays $49 Million to Settle Improper Disposal Investigation

Posted by Steve Alder

California Attorney General Rob Bonta has announced a $49 million settlement has been reached with Kaiser Foundation Health Plan Foundation Inc. and Kaiser Foundation Hospitals to resolve allegations of improper disposal of hazardous waste, medical waste, and protected health information.

Oakland, CA-based Kaiser is the largest healthcare provider in California with more than 700 healthcare facilities in the state, serving more than 8.8 million patients. An investigation was launched by 6 district attorneys from Alameda, San Bernardino, San Francisco, San Joaquin, San Mateo, and Yolo counties into the unlawful dumping of dangerous items.  Undercover staff from the district attorneys’ offices inspected dumpsters at 16 different Kaiser facilities. The dumpsters were not secured and the contents were destined for disposal in landfill sites.

The inspectors found hundreds of items of hazardous and medical waste, including aerosols, cleansers, sanitizers, batteries, syringes, medical tubing containing body fluids, pharmaceuticals, and electronic wastes. The dumpsters also contained more than 10,000 paper records that contained the protected health information of 7,700 patients. The California Department of Justice later joined the investigation and expanded it statewide at other Kaiser facilities. Kaiser was alleged to have violated the Health Insurance Portability and Accountability Act (HIPAA), and California’s Hazardous Waste Control Law, Medical Waste Management Act, Confidentiality of Medical Information Act, Customer Records Law, and Unfair Competition Law.

In response to the investigation, Kaiser engaged a third-party consultant to conduct more than 1,100 trash audits at its facilities and its operating procedures have been updated to ensure proper waste disposal across its facilities in California. The settlement consists of $37,513,000 in civil penalties, $4,832,000 in attorneys’ fees and costs, and $4,905,000 for supplemental environmental projects. A further $1.75 million in civil monetary penalties must be paid if Kaiser has not invested a further $3.5 million in its Californian facilities to provide enhanced environmental compliance measures.

Kaiser is also required to retain an independent third-party auditor to conduct more than 520 trash compactor audits at its California facilities to make sure hazardous items and protected health information are not being disposed of in regular trash, and at least 40 programmatic field audits must be conducted each year for the next 5 years to evaluate compliance with its policies covering hazardous waste, medical waste, and protected health information.

“The illegal disposal of hazardous and medical waste puts the environment, workers, and the public at risk. It also violates numerous federal and state laws,” said Attorney General Bonta. “As a healthcare provider, Kaiser should know that it has specific legal obligations to properly dispose of medical waste and safeguard patients’ medical information. I am pleased that Kaiser has been cooperative with my office and the district attorneys’ offices, and that it took immediate action to address the alleged violations.”

The post Kaiser Pays $49 Million to Settle Improper Disposal Investigation appeared first on HIPAA Journal.

OCR, FTC Publish Online Tracking Technology Warning Letters

Posted by Steve Alder

The Department of Health and Human Services’ Office for Civil Rights (OCR) and the Federal Trade Commission (FTC) have published the letters that were sent to hospital systems and telehealth providers in July 2023 advising them about the privacy risks associated with website tracking technologies such as Meta Pixel and Google Analytics.

The widespread use of these tools on hospital websites and the risk of impermissible disclosures of protected health information (PHI) prompted OCR to issue guidance for HIPAA-regulated entities in December 2022. OCR stated in the guidance that these tools are not permitted under HIPAA unless consent is obtained via HIPAA authorizations or if there is a valid business associate relationship with the technology provider and a corresponding HIPAA-compliant business associate agreement (BAA). The FTC has also taken an interest in these tools and has taken action against non-HIPAA-regulated entities for alleged violations of the FTC Act and the FTC’s Health Breach Notification Rule with respect to tracking technologies.

The July 2023 letters explain that serious privacy and security risks have been identified with online tracking technologies and the recipients of the letters were warned that their websites and mobile applications may have these tracking tools in place that could be disclosing consumers’ sensitive personal health information to third parties. The types of information disclosed would depend on where the tracking technologies have been added. If they have been added to appointment scheduling apps or behind the logins of patient portals they could disclose highly sensitive information to third parties such as health conditions, diagnoses, medications, treatment information, treatment locations, frequency of visits, and more, along with identifiers that link that information to individuals. The disclosed information could be used by third parties for advertising purposes and could potentially result in identity theft, financial loss, discrimination, stigma, mental anguish, or other serious negative consequences to the reputation, health, or physical safety of the individual or to others.

The recipients of the letters, which include a diverse range of HIPAA-regulated entities and non-HIPAA-covered entities that collect health information, have been advised to review OCR and FTC guidance, assess the extent to which tracking technologies are in use, and ensure they are fully protecting the privacy and security of individuals’ health information.

The recipients of the letters have now been made public in the 387-page PDF document jointly published by OCR and FTC on their websites. While OCR and the FTC had reason to issue the letters to these organizations, receipt of a letter does not mean that tracking technologies are currently being used or HIPAA, the FTC Act, or the Health Breach Notification Rule have been violated. The recipients of the letters are listed below.

ADHD Online, MI DearBrightly, CA Kick Health, WA Peace Health, WA Strut Health, TX
Advocate Aurora Health, WI Done, CA KwikMed, AZ Penn Medicine Chester County Hospital, PA Talkiatry, NY
Alfie, NY Dorsal, NY LCMC Health System, LA Penn Medicine, PA Talkspace, NY
Alpha, CA Duke University Health System, NC Lemonaid, CA Picnic, NY Tampa General Hospital, FL
Apostrophe, CA El Camino Hospital, CA Loyola Medicine, IL Piedmont Healthcare, GA Texas Health Resources, TX
Array Behavioral Care, NJ Eleanor Health, MA Mantra Health, NY Plume, CO The Wellness Company, RI
Ascension, MO Elektra Health, NY Marshall Medical Center, CA PRJKT RUBY, AZ Thomas Jefferson Hospital, PA
Barnes-Jewish Hospital, MO Everlywell, TX MedStar Health, MD Push Health, CA Tufts Medical Center, MA
Barton Healthcare System, CA Facet, NY Memorial Healthcare System, FL QCare Plus, FL UC Davis Health, CA
Beaumont Health System, MI Favor, CA MemorialCare Long Beach Medical Center, CA Quick MD, CA UCLA Reagan Medical Center, CA
Bellin Health, WI Folx, MA Mercy Medical Center, MD Relief Labs, Inc. d/b/a Clearing, NY UCSF Office of Legal Affairs, CA
Bicycle Health, MA Found, CA Middlesex Health, CT Remedy Psychiatry, CA UnityPoint Health, IA
Bon Secours Mercy Health, OH Froedtert Hospital and the Medical College of Wisconsin, WI Mindbloom, FL Renown Health, NV University Hospitals Cleveland Medical Center, OH
Boulder Care, OR Gennev, WA Minded, NY Riverside Health System, VA University of Chicago Medicine, IL
Brigham and Women’s Faulkner Hospital, MA Grady Health System, GA Mistr, FL Rochester Regional Health, NY University of Iowa Hospitals and Clinics, IA
Brightline, CA Henry Ford Hospital, MI MultiCare Health System, WA Roman, NY University of Kansas Health System, KS
Brightside, CA Hers, CA Musely, CA Rush University Medical Center, IL University of Pittsburgh Medical Center, PA
Calibrate, NY Hims, CA My Ketamine Home, FL Salem Health, OR University of Texas Southwestern Medical Center, TX
CallonDoc, TX Hone Health, NY Nemours Children’s Health, FL Sanford USD Medical Center, SD University of Vermont Health Network, VT
Cedars-Sinai Medical Center, CA Honor Health, AZ New York Presbyterian Hospital, NY Sarasota Memorial Health Care System, FL Wexner Medical Center, OH
Chesapeake Regional Healthcare, VA Houston Methodist, TX Northwestern Medicine Central DuPage Hospital, IL Scripps Memorial Hospital La Jolla – Scripps Health, CA Willis-Knighton Health System, LA
Children’s Wisconsin, WI Inova Health System, VA Northwestern Memorial Healthcare, IL Sharp Healthcare, CA Wisp, CA
Cone Health, NC Invigor Medical, WA Nue Life, FL Sparrow Health Systems, MI Wondermed, CA
Cove, NY Johns Hopkins Hospital, MD Nurx, CA St. Joseph Mercy Health System, MI Workit, FL
Covenant Health, TN K Health, NY Oar, NY St. Luke’s Health System, ID Yale New Haven Health, CT
Curology, CA Keeps, NY Ophelia, NY St. Tammany Health System, LA

The post OCR, FTC Publish Online Tracking Technology Warning Letters appeared first on HIPAA Journal.