HIPAA Compliance News

OCR Issues Telehealth Guidance for Providers and Patients

Posted by Steve Alder

The HHS’ Office for Civil Rights has issued new guidance for healthcare providers to help them educate patients about privacy and security risks when using remote communications technologies for telehealth visits and recommendations for patients on how they can protect and secure their health information.

During the pandemic, healthcare providers massively expanded their telehealth services to ensure that patients could access the medical services they needed while reducing the risk of contracting COVID-19. OCR issued a Notice of Enforcement Discretion covering the good faith provision of telehealth services to make it easier for healthcare providers to provide telehealth services during the pandemic by using non-public-facing communications platforms that are not fully HIPAA compliant, such as platforms where vendors would not enter into business associate agreements. Now that the COVID-19 public health emergency has been declared over, OCR’s telehealth Notice of Enforcement Discretion has expired; however, OCR continues to support telehealth services, which have proven popular with both providers and patients.

Telehealth Privacy and Security Risks

Healthcare providers must ensure that the communications platforms they use for providing telehealth services support HIPAA compliance. Even when ‘HIPAA-compliant’ platforms are used for telehealth there are still privacy and security risks that must be addressed and reduced to a low and acceptable level. In the summer of 2022, ahead of the telehealth flexibilities coming to an end, OCR issued guidance for healthcare providers on HIPAA and audio-only telehealth services.

While HIPAA does not require healthcare providers to educate patients about the privacy and security risks associated with telehealth, a Government Accountability Office (GAO) review of the Medicare telehealth services provided during the COVID-19 – Medicare Telehealth: Actions Needed to Strengthen Oversight and Help Providers Educate Patients on Privacy and Security Risks – recommended OCR issue guidance to help healthcare providers explain the privacy and security risks associated with telehealth services to patients.

During the review, GAO identified numerous complaints that had been made about the use of non-compliant technology during the pandemic, more than 3 dozen complaints had been filed about the presence of third parties during appointments, and there were instances where providers shared PHI without obtaining patient consent. GAO concluded that there was a need for additional education and outreach to help providers explain the privacy and security risks to patients associated with telehealth to make sure that those risks are fully understood. OCR concurred with the recommendation and agreed to publish new guidance.

New OCR Telehealth Privacy and Security Resources

Two guidance resources were published by OCR on October 18, 2023. The first guidance document is for healthcare providers to help them educate patients about the privacy and security risks associated with remote communication technologies, and the second guidance document is for patients and offers tips on privacy and security when taking advantage of telehealth services.

The provider guidance – Educating Patients about Privacy and Security Risks to Protected Health Information when Using Remote Communication Technologies for Telehealth – offers suggestions for healthcare providers to help them discuss the telehealth options offered, the potential risks to protected health information associated with remote communications technologies, the privacy and security practices of vendors telehealth communication tools, and the applicability of civil rights laws.

The patient guidance – Telehealth Privacy and Security Tips for Patients – offers recommendations for patients on how they can protect and secure their protected health information, such as the importance of conducting telehealth visits in private settings, activating multi-factor authentication, using encryption, and avoiding using public Wi-Fi networks.

“Telehealth is a wonderful tool that can increase patients’ access to health care and improve health care outcomes,” said OCR Director Melanie Fontes Rainer.  “Health care providers can support telehealth by helping patients understand privacy and security risks and effective cybersecurity practices so patients are confident that their health information remains private.”

The post OCR Issues Telehealth Guidance for Providers and Patients appeared first on HIPAA Journal.

Healthcare Clearinghouse Settles Multi-state HIPAA Investigation for $1.4 Million

Posted by Steve Alder

Inmediata has agreed to a $1.4 million settlement to resolve a multi-state investigation of potential violations of the Health Insurance Portability and Accountability Act (HIPAA) and state breach notification laws.

On January 15, 2019, the Department of Health and Human Services’ Office for Civil Rights (OCR) notified the Puerto Rico-based healthcare clearinghouse that a server containing the protected health information that it maintained had not been properly secured, resulting in files being indexed by search engines that could be found, accessed, and downloaded by anyone with Internet access. The files on the server contained the protected health information of 1,565,338 individuals and some of those files dated as far back as May 2016.

The HIPAA Breach Notification Rule requires HIPAA-covered entities to issue notifications to individuals affected by a data breach without undue delay and no later than 60 days from the discovery of a data breach. Despite being notified about the breach by OCR, the primary HIPAA regulator, Inmediata waited three months to mail notification letters, and when notification letters were mailed, a mailing error occurred, resulting in letters being sent to incorrect addresses.

Many Americans are unaware of the services provided by healthcare clearinghouses as they do not have any direct contact with them. Healthcare clearinghouses such as Inmediata facilitate transactions between healthcare providers and insurers and are classed as HIPAA-covered entities, which means they must ensure they are fully compliant with the HIPAA Privacy, Security, and Breach Notification Rules. The multi-state investigation found the content of the letters to lack clarity which resulted in confusion for some consumers as to why Inmediata had their data and caused some individuals to dismiss the notification letters as illegitimate.

The multi-state investigation was led by the Indiana Attorney General, assisted by an Executive Committee consisting of the attorneys general in Connecticut, Michigan, and Tennessee. Alabama, Arizona, Arkansas, Colorado, Connecticut, Delaware, Georgia, Indiana, Iowa, Kansas, Kentucky, Louisiana, Maryland, Massachusetts, Michigan, Minnesota, Mississippi, Montana, Nebraska, New Hampshire, North Carolina, Oklahoma, Oregon, Pennsylvania, Puerto Rico, Rhode Island, South Carolina, Tennessee, Utah, Washington, West Virginia and Wisconsin also participated.

The attorneys general alleged violations of the HIPAA Security Rule for failing to implement reasonable and appropriate data security safeguards to ensure the confidentiality, integrity, and availability of electronic protected health information, a failure to conduct a secure code review at any point prior to the data breach, and violations of the HIPAA Breach Notification Rule and state data breach notification laws for failing to provide the affected individuals with timely and complete information about the data breach.

The $1.4 million settlement will be divided among the participating states and Inmediata has also agreed to strengthen its data security and breach notification practices. The requirements include the implementation and maintenance of a comprehensive information security program, which must include secure code reviews and search engine crawling controls. An incident response plan must also be developed that includes specific policies and procedures regarding consumer notification letters, and Inmediata must undergo annual third-party security assessments for the next five years. Last year, Inmediata settled a class action lawsuit over the data breach for $1.125 million.

“Inmediata maintained some of our most sensitive and private health information and they had an obligation to keep it secure. Their coding error left sensitive patient information exposed on public online searches for months, with no notification to impacted patients. Their failures violated numerous state consumer protection laws, breach notification laws, and HIPAA requirements. Our multistate settlement forces Inmediata to pay a significant fine and requires strong security practices going forward to ensure these types of inexcusable security lapses never occur again,” said Connecticut Attorney General, William Tong.

The post Healthcare Clearinghouse Settles Multi-state HIPAA Investigation for $1.4 Million appeared first on HIPAA Journal.

Patient Consent Not Required for Disclosures of PHI for Fundraising, Rules Minnesota Supreme Court

Posted by Steve Alder

Healthcare organizations in Minnesota are permitted to use patient data for fundraising purposes without obtaining patient consent, according to Minnesota Supreme Court Chief Justice Natalie Hudson.

The Supreme Court was petitioned to review a lower court’s decision to dismiss a lawsuit against Children’s Health Care, which does business as Children’s Hospital and Clinics (Children’s). Legal action was taken against Children’s following a data breach at a third-party vendor that was used for fundraising purposes. The plaintiffs, Kelly and Evarist Schneider, were informed that their child’s name, age, date of birth, and treatment details were in the healthcare provider’s fundraising database and had potentially been compromised. They believed the hospital should have obtained permission before disclosing their child’s protected health information to the foundation’s fundraising database and argued that the disclosure violated the Minnesota Health Records Act (MHRA).

The case concerned the interpretation of the MHRA, which prohibits the disclosure of protected health information without “specific authorization in law.” Children’s moved to have the lawsuit dismissed and argued that the federal Health Insurance Portability and Accountability Act (HIPAA) is a specific authorization in law and that HIPAA permits the disclosure of protected health information for fundraising purposes without patient consent.

The district court denied Children’s motion to dismiss, as while HIPAA was determined to be a specific authorization in law under the MHRA, it was unclear whether Children’s had complied with the privacy notice requirements of the HIPAA Privacy Rule. Children’s moved for summary judgment, which the district court granted. The district court reiterated its conclusion that the disclosure was permitted under the MHRA and HIPAA and found there was no dispute about whether the required privacy practices had been provided. The court of appeals affirmed the district court’s ruling.

The plaintiffs argued that states are permitted to implement more stringent privacy regulations than HIPAA and that the MHRA preempted the HIPAA fundraising exception; however, the court of appeals rejected that argument as the MHRA was determined not to be more stringent than HIPAA with respect to disclosures of protected health information for fundraising purposes. The plaintiffs petitioned the Supreme Court for review on whether the MHRA’s reference to a “specific authorization in law” includes the fundraising exception in the HIPAA Privacy Rule. Chief Justice Hudson ruled that the HIPAA Privacy Rule permits a hospital to disclose a patient’s protected health information to a foundation or business associate for fundraising purposes without requiring patient consent and that HIPAA is a “specific authorization in law” under the Minnesota Health Records Act.

The post Patient Consent Not Required for Disclosures of PHI for Fundraising, Rules Minnesota Supreme Court appeared first on HIPAA Journal.

Schneck Medical Center Settles HIPAA Lawsuit with Indiana AG

Posted by Steve Alder

Seymour, IN-based Schneck Medical Center has settled a lawsuit with the Indiana attorney general, Todd Rokita, over a 2021 ransomware attack and data breach that affected 89,707 Indiana residents. Schneck Medical Center has agreed to pay a penalty of $250,000 to resolve alleged violations of the Health Insurance Portability and Accountability Act (HIPAA) and state laws and will implement additional safeguards to prevent further data breaches.

According to the lawsuit, Schneck Medical Center conducted a risk analysis in December 2020 which revealed many critical security issues, but Schneck Medical Center failed to address them. 9 months later, on or around September 29, 2021, security flaws were exploited by a malicious actor who gained access to the network, exfiltrated sensitive patient data, and then deployed ransomware to encrypt files. The information stolen in the attack included names, addresses, dates of birth, Social Security numbers, driver’s license numbers, financial account information, payment card information, diagnoses, and health insurance information.

Schneck Medical Center was quick to alert patients to the cyberattack through a statement on its website on September 29, 2021; however, the Indiana AG alleged that Schneck Medical Center failed to disclose the risk patients faced and did not encourage them to take steps to protect themselves against identity theft and fraud, even though Schneck Medical Center was aware at the time that a large quantity of sensitive data had been stolen.

Another statement was released two months later on November 26, 2021, confirming that files had been stolen in the attack; however, Schneck Medical Center failed to disclose that protected health information had been exposed, despite being aware that PHI had been stolen. Schneck Medical Center also failed to issue timely individual notifications, which were not mailed until May 13, 2022 – 226 days after the discovery of the data breach. Schneck Medical Center also claimed in a May 13, 2022, substitute breach notice that data theft was discovered on March 17, 2022, when Schneck Medical Center was aware on September 29, 2023, that data had been stolen.

The Indiana attorney general alleged multiple violations of the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule and violations of the Indiana Disclosure of Security Breach Act and the Indiana Deceptive Consumer Sales Act.

Schneck Medical Center Compensates Patients for Losses

Schneck Medical Center has also recently settled a consolidated class action lawsuit for $1.3 million. Two lawsuits were filed in response to the ransomware attack and data breach by patients Jalen Nierman, Bryce Sheaffer, Jennifer Renoll, Patricia White, and Nigel Myers who sought compensation for the data breach. The plaintiffs alleged Schneck Medical Center failed to implement reasonable and appropriate safeguards to ensure the confidentiality of patient data. Schneck Medical Center agreed to a settlement with no admission of wrongdoing.

Under the terms of the settlement, class members are entitled to claim up to $500 in ordinary expenses, including up to 4 hours of lost time at $15 per hour. Individuals who incurred extraordinary expenses due to the data breach can claim up to $6,000. Claims may be paid pro rata, depending on the number of claims received. The settlement also includes 27 months of free credit monitoring and identity theft protection services and coverage through a $1 million identity theft insurance policy.

The post Schneck Medical Center Settles HIPAA Lawsuit with Indiana AG appeared first on HIPAA Journal.

L.A. Care Health Plan Settles Multiple HIPAA Violations for $1.3 Million

Posted by Steve Alder

The Local Initiative Health Authority for Los Angeles County, operating as L.A. Care Health Plan, has settled multiple violations of the HIPAA Privacy and Security Rules with the HHS’ Office for Civil Rights (OCR) and will pay a $1,300,000 penalty and adopt a robust corrective action plan.

L.A. Care Health Plan is the largest publicly operated health plan in the United States and has more than 2.7 million members. OCR said it launched two separate investigations of L.A. Care Health Plan to assess the state of HIPAA compliance, the first of which was in response to a media report about impermissible disclosures of protected health information (PHI) via its member portal and the second was in response to a breach that was reported to OCR involving the PHI of 1,498 members.

In 2016, a media outlet reported that members of the health plan were able to access the protected health information (PHI) of other members via the online member portal over a 2-day period in 2014 due to a manual processing error. OCR informed L.A. Care Health Plan it had initiated a compliance review and in February 2016, L.A. Care Health Plan reported the breach to OCR as affecting fewer than 500 individuals. In March 2019, L.A. Care Health Plan notified OCR about a 1,498-record data breach caused by a mailing error that saw members receive the ID cards of other health plan members.

OCR determined that there had been several failures to fully comply with the requirements of the HIPAA Privacy and Security Rules. The resolution agreement lists 6 potential HIPAA violations identified by its investigators.

  1. A failure to conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all ePHI – 45 C.F.R. § 164.308(a)(1)(ii)(A).
  2. A failure to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level – 45 C.F.R. § 164.308(a)(1)(ii)(B).
  3. A failure to implement sufficient procedures to regularly review records of information system activity – 45 C.F.R. § 164.308(a)(1)(ii)(D).
  4. A failure to perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of ePHI – 45 CFR F.R. § 164.308(a)(8).
  5. A failure to implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI – 45 C.F.R. 164.312(b).
  6. The impermissible disclosure of the ePHI of 1,498 individuals – 45 C.F.R. § 164.502(a).

L.A. Care Health Plan chose to settle the investigations with no admission of liability and agreed to pay a $1,300,000 financial penalty and adopt a corrective action plan to correct the alleged HIPAA violations. The corrective action plan includes the requirement to conduct a comprehensive, organization-wide risk analysis, develop a risk management plan, develop, implement, and distribute policies and procedures for a risk analysis and risk management plan, report to OCR when evaluations of environmental and operational changes are conducted, and to report HIPAA violations by employees to OCR within 30 days.

“Breaches of protected health information by a HIPAA-regulated entity often reveal systemic, noncompliance with the HIPAA Rules,” said OCR Director Melanie Fontes Rainer.  “HIPAA-regulated entities need to be proactive in ensuring their compliance with the HIPAA Rules, and not wait for OCR to reveal long-standing HIPAA deficiencies.  Entities such as LA Care must protect the health information of its insureds while providing health care for the most vulnerable residents of Los Angeles County through its coverage, which includes Medicaid, Medicare, and Affordable Care Act health plans.”

The post L.A. Care Health Plan Settles Multiple HIPAA Violations for $1.3 Million appeared first on HIPAA Journal.

Kaiser Pays $49 Million to Settle Improper Disposal Investigation

Posted by Steve Alder

California Attorney General Rob Bonta has announced a $49 million settlement has been reached with Kaiser Foundation Health Plan Foundation Inc. and Kaiser Foundation Hospitals to resolve allegations of improper disposal of hazardous waste, medical waste, and protected health information.

Oakland, CA-based Kaiser is the largest healthcare provider in California with more than 700 healthcare facilities in the state, serving more than 8.8 million patients. An investigation was launched by 6 district attorneys from Alameda, San Bernardino, San Francisco, San Joaquin, San Mateo, and Yolo counties into the unlawful dumping of dangerous items.  Undercover staff from the district attorneys’ offices inspected dumpsters at 16 different Kaiser facilities. The dumpsters were not secured and the contents were destined for disposal in landfill sites.

The inspectors found hundreds of items of hazardous and medical waste, including aerosols, cleansers, sanitizers, batteries, syringes, medical tubing containing body fluids, pharmaceuticals, and electronic wastes. The dumpsters also contained more than 10,000 paper records that contained the protected health information of 7,700 patients. The California Department of Justice later joined the investigation and expanded it statewide at other Kaiser facilities. Kaiser was alleged to have violated the Health Insurance Portability and Accountability Act (HIPAA), and California’s Hazardous Waste Control Law, Medical Waste Management Act, Confidentiality of Medical Information Act, Customer Records Law, and Unfair Competition Law.

In response to the investigation, Kaiser engaged a third-party consultant to conduct more than 1,100 trash audits at its facilities and its operating procedures have been updated to ensure proper waste disposal across its facilities in California. The settlement consists of $37,513,000 in civil penalties, $4,832,000 in attorneys’ fees and costs, and $4,905,000 for supplemental environmental projects. A further $1.75 million in civil monetary penalties must be paid if Kaiser has not invested a further $3.5 million in its Californian facilities to provide enhanced environmental compliance measures.

Kaiser is also required to retain an independent third-party auditor to conduct more than 520 trash compactor audits at its California facilities to make sure hazardous items and protected health information are not being disposed of in regular trash, and at least 40 programmatic field audits must be conducted each year for the next 5 years to evaluate compliance with its policies covering hazardous waste, medical waste, and protected health information.

“The illegal disposal of hazardous and medical waste puts the environment, workers, and the public at risk. It also violates numerous federal and state laws,” said Attorney General Bonta. “As a healthcare provider, Kaiser should know that it has specific legal obligations to properly dispose of medical waste and safeguard patients’ medical information. I am pleased that Kaiser has been cooperative with my office and the district attorneys’ offices, and that it took immediate action to address the alleged violations.”

The post Kaiser Pays $49 Million to Settle Improper Disposal Investigation appeared first on HIPAA Journal.

OCR, FTC Publish Online Tracking Technology Warning Letters

Posted by Steve Alder

The Department of Health and Human Services’ Office for Civil Rights (OCR) and the Federal Trade Commission (FTC) have published the letters that were sent to hospital systems and telehealth providers in July 2023 advising them about the privacy risks associated with website tracking technologies such as Meta Pixel and Google Analytics.

The widespread use of these tools on hospital websites and the risk of impermissible disclosures of protected health information (PHI) prompted OCR to issue guidance for HIPAA-regulated entities in December 2022. OCR stated in the guidance that these tools are not permitted under HIPAA unless consent is obtained via HIPAA authorizations or if there is a valid business associate relationship with the technology provider and a corresponding HIPAA-compliant business associate agreement (BAA). The FTC has also taken an interest in these tools and has taken action against non-HIPAA-regulated entities for alleged violations of the FTC Act and the FTC’s Health Breach Notification Rule with respect to tracking technologies.

The July 2023 letters explain that serious privacy and security risks have been identified with online tracking technologies and the recipients of the letters were warned that their websites and mobile applications may have these tracking tools in place that could be disclosing consumers’ sensitive personal health information to third parties. The types of information disclosed would depend on where the tracking technologies have been added. If they have been added to appointment scheduling apps or behind the logins of patient portals they could disclose highly sensitive information to third parties such as health conditions, diagnoses, medications, treatment information, treatment locations, frequency of visits, and more, along with identifiers that link that information to individuals. The disclosed information could be used by third parties for advertising purposes and could potentially result in identity theft, financial loss, discrimination, stigma, mental anguish, or other serious negative consequences to the reputation, health, or physical safety of the individual or to others.

The recipients of the letters, which include a diverse range of HIPAA-regulated entities and non-HIPAA-covered entities that collect health information, have been advised to review OCR and FTC guidance, assess the extent to which tracking technologies are in use, and ensure they are fully protecting the privacy and security of individuals’ health information.

The recipients of the letters have now been made public in the 387-page PDF document jointly published by OCR and FTC on their websites. While OCR and the FTC had reason to issue the letters to these organizations, receipt of a letter does not mean that tracking technologies are currently being used or HIPAA, the FTC Act, or the Health Breach Notification Rule have been violated. The recipients of the letters are listed below.

ADHD Online, MI DearBrightly, CA Kick Health, WA Peace Health, WA Strut Health, TX
Advocate Aurora Health, WI Done, CA KwikMed, AZ Penn Medicine Chester County Hospital, PA Talkiatry, NY
Alfie, NY Dorsal, NY LCMC Health System, LA Penn Medicine, PA Talkspace, NY
Alpha, CA Duke University Health System, NC Lemonaid, CA Picnic, NY Tampa General Hospital, FL
Apostrophe, CA El Camino Hospital, CA Loyola Medicine, IL Piedmont Healthcare, GA Texas Health Resources, TX
Array Behavioral Care, NJ Eleanor Health, MA Mantra Health, NY Plume, CO The Wellness Company, RI
Ascension, MO Elektra Health, NY Marshall Medical Center, CA PRJKT RUBY, AZ Thomas Jefferson Hospital, PA
Barnes-Jewish Hospital, MO Everlywell, TX MedStar Health, MD Push Health, CA Tufts Medical Center, MA
Barton Healthcare System, CA Facet, NY Memorial Healthcare System, FL QCare Plus, FL UC Davis Health, CA
Beaumont Health System, MI Favor, CA MemorialCare Long Beach Medical Center, CA Quick MD, CA UCLA Reagan Medical Center, CA
Bellin Health, WI Folx, MA Mercy Medical Center, MD Relief Labs, Inc. d/b/a Clearing, NY UCSF Office of Legal Affairs, CA
Bicycle Health, MA Found, CA Middlesex Health, CT Remedy Psychiatry, CA UnityPoint Health, IA
Bon Secours Mercy Health, OH Froedtert Hospital and the Medical College of Wisconsin, WI Mindbloom, FL Renown Health, NV University Hospitals Cleveland Medical Center, OH
Boulder Care, OR Gennev, WA Minded, NY Riverside Health System, VA University of Chicago Medicine, IL
Brigham and Women’s Faulkner Hospital, MA Grady Health System, GA Mistr, FL Rochester Regional Health, NY University of Iowa Hospitals and Clinics, IA
Brightline, CA Henry Ford Hospital, MI MultiCare Health System, WA Roman, NY University of Kansas Health System, KS
Brightside, CA Hers, CA Musely, CA Rush University Medical Center, IL University of Pittsburgh Medical Center, PA
Calibrate, NY Hims, CA My Ketamine Home, FL Salem Health, OR University of Texas Southwestern Medical Center, TX
CallonDoc, TX Hone Health, NY Nemours Children’s Health, FL Sanford USD Medical Center, SD University of Vermont Health Network, VT
Cedars-Sinai Medical Center, CA Honor Health, AZ New York Presbyterian Hospital, NY Sarasota Memorial Health Care System, FL Wexner Medical Center, OH
Chesapeake Regional Healthcare, VA Houston Methodist, TX Northwestern Medicine Central DuPage Hospital, IL Scripps Memorial Hospital La Jolla – Scripps Health, CA Willis-Knighton Health System, LA
Children’s Wisconsin, WI Inova Health System, VA Northwestern Memorial Healthcare, IL Sharp Healthcare, CA Wisp, CA
Cone Health, NC Invigor Medical, WA Nue Life, FL Sparrow Health Systems, MI Wondermed, CA
Cove, NY Johns Hopkins Hospital, MD Nurx, CA St. Joseph Mercy Health System, MI Workit, FL
Covenant Health, TN K Health, NY Oar, NY St. Luke’s Health System, ID Yale New Haven Health, CT
Curology, CA Keeps, NY Ophelia, NY St. Tammany Health System, LA

The post OCR, FTC Publish Online Tracking Technology Warning Letters appeared first on HIPAA Journal.

Judge Questions Whether Website Metadata is Regulated by HIPAA

Posted by Steve Alder

The HHS’ Office for Civil Rights released guidance in 2022 on HIPAA and website tracking technologies and confirmed disclosures of protected health information to third parties via website tracking technologies is a HIPAA violation unless authorization has been received from patients or if there is a valid business associate agreement in place. OCR and the Federal Trade Commission also wrote to 130 healthcare and telehealth providers to warn them about tracking technologies on their websites and OCR has made HIPAA violations related to website tracking tools an enforcement priority.

However, OCR’s interpretation that metadata is regulated under the Health Insurance Portability and Accountability Act has been questioned by an Illinois court in a ruling on a class action lawsuit that was filed against a healthcare provider over the disclosure of patient data via website tracking technologies.

The lawsuit – Marguerite Kurowski and Brenda McClendon v. Rush System for Health d/b/a Rush University System for Health – was filed in District Court for the Northern District of Illinois, Eastern Division and alleged that third-party tracking code had been placed on the defendant’s website and MyChart patient portal which resulted in the plaintiffs’ individually identifiable health information (IIHI) being disclosed to Facebook, Google, and Bidtellect for advertising purposes.

The lawsuit was initially dismissed for the failure to state a claim aside from the request for injunctive relief, then an amended complaint was filed that asserted the same 5 claims plus a further 6. The lawsuit alleged violations of the federal Wiretap Act as amended by the Electronic Communications Privacy Act of 1986, breach of an implied duty of confidentiality, violations of the Illinois Consumer Fraud and Deceptive Business Practices Act, violations of the Illinois Uniform Deceptive Trade Practices Act, intrusion upon seclusion, publication of private facts, trespass to chattels, breach of contract, breach of the duty of good faith and fair dealing, unjust enrichment, and violations of the Illinois Eavesdropping Act.

Rush moved to have the amended lawsuit dismissed and the court granted the motion for all counts aside from the breach of contract and Illinois Eavesdropping Act claims. The lawsuit claimed that per OCR guidance, the disclosure of IIHI to Meta, Google, and Bidtellect was a HIPAA violation; however, in the ruling dismissing the wiretapping claim, the court rejected using the HHS bulletin as a basis for assessing liability under federal wiretapping laws and also questioned whether website metadata actually qualified as IIHI.

“The interpretation of IIHI offered by HHS in its guidance goes well beyond the meaning of what the statute can bear. As just described, IIHI under section 1320d(6) must, in addition to other requirements, “relate to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual,” wrote District Judge, Matthew F. Kennelly. “The type of metadata that Kurowski alleges was transmitted via third-party source code does not in the least bit fit into that category.”

While it is possible that information disclosed in private communications between the plaintiff and the defendant via the website may have been transmitted to third parties and the transmitted information may qualify as IIHI, the plaintiff contended that it was unreasonable to expect her to disclose that type of intimate information she transmitted to the defendant in her complaint. “Kurowski could have requested to file the complaint under seal,” wrote Kennelly. “Kurowski cannot reasonably expect to bring a lawsuit related to the invasion of her medical privacy and completely evade revealing what it is that she alleges Rush disclosed to third parties.”

The post Judge Questions Whether Website Metadata is Regulated by HIPAA appeared first on HIPAA Journal.

Joint Commission Issues Guidance on Ensuring Patient Safety After a Cyberattack

Posted by Steve Alder

The Joint Commission has issued a Sentinel Event Alert offering guidance on preserving patient safety following a cyberattack. Healthcare cyberattacks have been increasing in number and sophistication and it is no longer a case of if a healthcare organization will be attacked but when.

Cyberattacks can cause considerable disruption to healthcare operations and put patient care at risk so it is critical that healthcare organizations do all they can to prevent cyberattacks, such as decreasing the attack surface, updating software and patching promptly, providing phishing awareness training, and implementing a range of cybersecurity solutions. Healthcare organizations must also plan for the worst case scenario and must assume that their defenses will be breached. They must therefore have a tried and tested incident response plan that can be activated immediately in the event of a cyberattack.

When defenses are breached and unauthorized individuals have established a foothold in internal networks, a great deal of the recovery process will be handled by the IT department; however, all hospital staff members must be prepared to operate during such an emergency and must be included in the incident response planning process. A good starting point is the hazards vulnerability analysis (HVA), which is required by the Joint Commission. The HVA must cover human-related hazards, which include cyberattacks. The HVA helps hospitals identify and implement mitigation and preparedness actions to reduce the disruption of services and functions and ensure patient safety in the event of an attack. The Joint Commission also requires a continuity of operations plan, disaster recovery plan, emergency management education and training program, and these must be evaluated annually.

The Sentinel Event Alert provides recommendations on these processes specific to cyberattacks:

  • Evaluate HVA findings and prioritize hospital services that must remain operational and safe during extended downtime.
  • Form a downtime planning committee to develop preparedness actions and mitigations. The planning committee should include representation from all stakeholders.
  • Develop downtime plans, procedures, and resources and ensure they are regularly updated.
  • Designate response teams – An interdisciplinary team should be created that can be mobilized following a cyberattack.
  • Train team leaders, teams, and all staff on operating procedures during downtimes. Develop drills and exercises to ensure staff members are familiar with downtime resources.
  • Establish situational awareness with effective communication throughout the organization and with patients and families.
  • Following a cyberattack, regroup, evaluate, and make necessary improvements to the incident response plan and improve protections for systems to address the specific failures that allowed the attack to succeed.

“Cyberattacks cause a variety of care disruptions – leading to patient harm and severe financial repercussions,” said David W. Baker, MD, MPH, FACP, the Joint Commission’s executive vice president for healthcare quality evaluation and improvement. “Taking action now can help prepare healthcare organizations to deliver safe patient care in the event of future cyberattacks. The recommendations in the Sentinel Event Alert, as well as The Joint Commission’s related requirements on establishing and following a continuity of operations plan, disaster recovery plan and more, can help healthcare organizations successfully respond to a cyber emergency.”

The post Joint Commission Issues Guidance on Ensuring Patient Safety After a Cyberattack appeared first on HIPAA Journal.