HIPAA Compliance News

$200,000 Settlement Agreed with Business Associate Behind Virtua Medical Data Breach

New Jersey Attorney General Gurbir S. Grewal has announced a $200,000 settlement with Best Medical Transcription to resolve violations of the Health Insurance Portability and Accountability Act (HIPAA) discovered during an investigation of a 2016 breach of 1,654 individuals’ protected health information.

Protected Health Information of 1,654 Patients Was Accessible Through Search Engines

Best Medical Transcription was a business associate of Virtua Medical Group, a network of medical and surgical practices in southern New Jersey. Best Medical Transcription was provided with dictated medical notes, letters, and reports which were transcribed for Virtua Medical Group physicians.

In January 2016, it was discovered that transcribed documents had been uploaded to a File Transfer Protocol (FTP) site that was accessible over the Internet without any authentication. Password protection had been removed when software on the site was updated, and the files had since been indexed by Google, so they could be found with search terms matching information contained in the files.

In total, 1,654 patients had their protected health information exposed. Affected patients were notified of the breach and Virtua Medical Group terminated its relationship with Best Medical Transcription. In 2017 Best Medical Transcription was dissolved.

The New Jersey attorney general and the New Jersey Division of Consumer Affairs investigated the breach, and Virtua Medical Group was held accountable for failing to protect patients’ data. Virtua Medical Group settled with New Jersey for $417,816 in April 2018 to resolve the HIPAA violations and agreed to improve its data protection protocol.

While covered entities can be held accountable for data breaches experienced by their business associates, vendors can also be fined directly for HIPAA violations. New Jersey also filed charges against ATA Consulting LLC, dba Best Medical Transcription, and the owner of the business, Tushar Mathur.

New Jersey alleged Best Medical Transcription had violated the HIPAA Privacy Rule, HIPAA Security Rule and HIPAA Breach Notification Rule. Specifically, it was alleged that Best Medical Transcription failed to conduct an accurate and thorough assessment of the potential risks to the confidentiality, integrity, and availability of ePHI; failed to implement appropriate safeguards to reduce risks and vulnerabilities to a reasonable and appropriate level; and had not implemented policies and procedures to prevent the improper alteration or destruction of ePHI. Best Medical Transcription also failed to notify Virtua Medical Group about the breach, and the improper disclosure of ePHI was a violation of its business associate agreement with Virtua Medical Group.

Tushar Mathur agreed to pay New Jersey a civil monetary penalty of $191,492 to resolve the HIPAA violations and $8,508 to cover attorneys’ fees and costs. Mathur has also been barred from managing or owning a business in New Jersey.

“We will continue to protect the privacy of New Jersey patients by vigorously enforcing the laws safeguarding their personal health information,” said Attorney General Grewal. “Our action against Best Medical Transcription demonstrates that any entity that fails to comply with its duty to protect private health records of New Jersey patients will be held accountable… Our settlement with Best Medical Transcription sends a message that New Jersey requires compliance from all entities bound by patient privacy standards.”

HIPAA-Related Fines and Settlements with Attorneys General in 2018

While the number of HHS’ Office for Civil Rights HIPAA violation settlements and civil monetary penalties has fallen in 2018, state attorneys general have increased their enforcement actions to resolve HIPAA violations. The latest settlement brings the total number of HIPAA-related fines in 2018 to 10.

State                 Entity                                                        Amount        Individuals affected  Settlement/CMP
New Jersey            Best Medical Transcription                                    $200,000      1,654                 Settlement
Washington            Aetna                                                         TBA           13,160                Settlement (multi-state action)
Connecticut           Aetna                                                         $99,959       13,160                Settlement (multi-state action)
New Jersey            Aetna                                                         $365,211.59   13,160                Settlement (multi-state action)
District of Columbia  Aetna                                                         $175,000      13,160                Settlement (multi-state action)
Massachusetts         UMass Memorial Medical Group / UMass Memorial Medical Center  $230,000      15,000                Settlement
New York              Arc of Erie County                                            $200,000      3,751                 Settlement
New Jersey            Virtua Medical Group                                          $417,816      1,654                 Settlement
New York              EmblemHealth                                                  $575,000      81,122                Settlement
New York              Aetna                                                         $1,150,000    12,000                Settlement

The post $200,000 Settlement Agreed with Business Associate Behind Virtua Medical Data Breach appeared first on HIPAA Journal.

Important Cybersecurity Best Practices for Healthcare Organizations

The Department of Health and Human Services’ Office for Civil Rights has drawn attention to basic cybersecurity safeguards that can be adopted by healthcare organizations to improve cyber resilience and reduce the impact of attempted cyberattacks.

The advice comes at the end of cybersecurity awareness month – a four-week coordinated effort between government and industry organizations to raise awareness of the importance of cybersecurity.

While all organizations need to implement policies, procedures, and technical solutions to make it harder for hackers to gain access to their systems and data, this is especially important in the healthcare industry. Hackers are actively targeting healthcare organizations as they store large quantities of highly sensitive and valuable data.

Healthcare organizations need to ensure that their systems are well protected against cyberattacks, which means investing in technologies to secure the network perimeter, detect intrusions, and block malware and phishing threats. Large healthcare organizations have the resources to invest heavily in cybersecurity solutions, but many smaller HIPAA-covered entities and business associates may struggle to find the necessary funds to devote to cybersecurity.

OCR has reminded HIPAA-covered entities that there are several basic cybersecurity safeguards that can be implemented to improve cyber resilience which only require a relatively small financial investment, yet they can have a major impact on an organization’s cybersecurity posture.

Recommended Cybersecurity Best Practices for Healthcare Organizations

OCR has drawn attention to four cybersecurity safeguards that can significantly reduce the impact of attempted cyberattacks and are also important for HIPAA Security Rule compliance.

Data Encryption

Encryption is only an addressable implementation specification of the HIPAA Security Rule, but it is one of the most effective safeguards for the confidentiality of ePHI. Encryption converts data into a form that is unintelligible without the corresponding decryption key, so correctly encrypted data that is lost or stolen cannot be read. Any healthcare organization that has experienced a ransomware attack will be aware of how effective encryption is at preventing data access. The caveat is that the protection is only as strong as the protection of the key: an attacker who obtains the key, or who operates with the privileges of a user or service that legitimately decrypts the data, reads it exactly as that user would, so key management and access control remain essential.

HIPAA-covered entities should assess whether encryption is an appropriate safeguard to implement for data at rest and in motion based on the results of a risk analysis.

Social Engineering Awareness

As the OCR Breach portal shows, email hacking incidents are a common cause of healthcare data breaches. Hackers often use phishing to trick healthcare employees into revealing their email credentials. Phishing is one of the most common and most effective social engineering tactics used by hackers to gain access to ePHI.

Spam filters and other email gateway cybersecurity solutions can reduce the volume of phishing emails that are delivered to mailboxes, but no solution will be able to prevent all phishing emails from being delivered. It is therefore essential for all healthcare employees to be trained how to identify social engineering attacks. Security awareness training can greatly reduce susceptibility to phishing attacks. Regular security awareness training sessions are also a required element of HIPAA Security Rule compliance.

Audit Logs

The HIPAA Security Rule requires covered entities to implement audit controls that record activity in systems containing or using ePHI (45 C.F.R. § 164.312(b)) and to regularly review records of information system activity (45 C.F.R. § 164.308(a)(1)(ii)(D)). Audit logs contain a record of events related to specific systems, devices, and software. By reviewing audit logs regularly, security teams can identify attempts by unauthorized individuals to gain access to ePHI before they result in a data breach. Audit logs can also be used to reconstruct past events and identify historic data breaches that would otherwise go undetected.
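As an added example of the review described above (this is not code from HIPAA Journal or OCR), the following Python script parses a constructed, syslog-style authentication log from an imagined EHR portal and flags two patterns that warrant follow-up: a burst of failed logins from one source against one account, and a successful login that follows such a burst. The log format, the host name, the user names and the IP addresses are all constructed for the demonstration.

```python
"""Review a constructed EHR-portal authentication log for access attempts
that should be investigated. Added example; the log format and every host,
user and address in it are constructed for the demonstration."""
from collections import defaultdict
from datetime import datetime, timedelta
import json
import re

# Constructed sample: five rapid failures then a success for one account
# from an external address, and ordinary activity for a second account.
SAMPLE_LOG = """\
2018-10-28T02:14:03 ehr-portal auth: result=FAIL user=jsmith src=203.0.113.45
2018-10-28T02:14:09 ehr-portal auth: result=FAIL user=jsmith src=203.0.113.45
2018-10-28T02:14:15 ehr-portal auth: result=FAIL user=jsmith src=203.0.113.45
2018-10-28T02:14:22 ehr-portal auth: result=FAIL user=jsmith src=203.0.113.45
2018-10-28T02:14:30 ehr-portal auth: result=FAIL user=jsmith src=203.0.113.45
2018-10-28T02:14:41 ehr-portal auth: result=OK user=jsmith src=203.0.113.45
2018-10-28T08:01:12 ehr-portal auth: result=OK user=rlee src=10.20.1.17
2018-10-28T08:03:55 ehr-portal auth: result=FAIL user=rlee src=10.20.1.17
2018-10-28T08:04:10 ehr-portal auth: result=OK user=rlee src=10.20.1.17
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: result=(?P<result>OK|FAIL) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_log(text):
    """Return (events sorted by time, number of unparsed lines). Lines that do
    not match the expected format are counted rather than silently dropped,
    so that a logging problem is visible in the review output."""
    events, unparsed = [], 0
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            unparsed += 1
            continue
        event = m.groupdict()
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    events.sort(key=lambda e: e["ts"])
    return events, unparsed


def _expire(bucket, now, window):
    """Drop timestamps that have fallen out of the sliding window."""
    while bucket and now - bucket[0] > window:
        bucket.pop(0)


def find_brute_force(events, threshold=5, window=timedelta(minutes=5)):
    """Report each (source, account) pair whose failures inside the window
    reach the threshold. Each pair is reported once."""
    findings, reported = [], set()
    failures = defaultdict(list)  # (src, user) -> failure timestamps in window
    for e in events:
        if e["result"] != "FAIL":
            continue
        key = (e["src"], e["user"])
        bucket = failures[key]
        bucket.append(e["ts"])
        _expire(bucket, e["ts"], window)
        if len(bucket) >= threshold and key not in reported:
            reported.add(key)
            findings.append({"src": e["src"], "user": e["user"],
                             "failures": len(bucket), "at": e["ts"].isoformat()})
    return findings


def find_success_after_failures(events, min_failures=3, window=timedelta(minutes=10)):
    """Report successful logins preceded, inside the window, by at least
    min_failures failures for the same source and account: the trace a
    password-guessing attack leaves behind when it finally works."""
    findings = []
    failures = defaultdict(list)
    for e in events:
        key = (e["src"], e["user"])
        bucket = failures[key]
        _expire(bucket, e["ts"], window)
        if e["result"] == "FAIL":
            bucket.append(e["ts"])
        elif len(bucket) >= min_failures:
            findings.append({"src": e["src"], "user": e["user"],
                             "preceding_failures": len(bucket),
                             "at": e["ts"].isoformat()})
            bucket.clear()
    return findings


def review(text):
    """Run both checks and return a summary suitable for a review ticket."""
    events, unparsed = parse_log(text)
    return {"events": len(events), "unparsed_lines": unparsed,
            "brute_force": find_brute_force(events),
            "success_after_failures": find_success_after_failures(events)}


if __name__ == "__main__":
    print(json.dumps(review(SAMPLE_LOG), indent=2))
```

On the sample, the jsmith account from 203.0.113.45 trips both checks and rlee trips neither; in practice the thresholds and windows are tuned per system, and the `unparsed_lines` count is the first thing to look at, because a log that stops matching its own format is usually a sign of the logging misconfiguration discussed below rather than an absence of events.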

Correct Configuration of Software and Network Devices

Network devices, software, and cloud-based solutions may incorporate all the necessary security controls to prevent unauthorized access, but if the security controls are not correctly configured hackers have an easy entry point into a healthcare network.

Misconfigured S3 buckets, deactivated firewalls, out of date software, and missed patches often lead to healthcare data breaches, and misconfigured audit logs may not record information to allow suspicious activity to be detected. Steps should be taken to ensure that all systems, software, and devices are correctly configured, and regular security audits should be conducted to identify potential vulnerabilities.
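The Best Medical Transcription breach above and the "misconfigured S3 buckets" mentioned here are the same failure mode: a storage location reachable from the Internet with no authentication in front of it. As an added example (not code from HIPAA Journal, OCR or AWS), the following Python shows an offline check of a bucket policy and a bucket ACL for grants to everyone, with a constructed weak policy beside a constructed corrected one. The bucket name `example-transcripts`, the account ID `123456789012` and the role name `TranscriptionApp` are placeholders chosen for the demonstration; the two group URIs are the ones AWS uses for the AllUsers and AuthenticatedUsers groups.

```python
"""Check an S3 bucket policy and ACL for grants that expose objects to the
public. Added example, not code from HIPAA Journal, OCR or AWS; the bucket
name, account ID and role name are constructed placeholders."""
import json

# Group URIs AWS uses in bucket ACLs for "everyone" and "any AWS account".
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

# Constructed weak policy: anyone on the Internet may read any object.
WEAK_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-transcripts/*"
  }]
}""")

# Constructed corrected policy: only one application role may read, and every
# request must use TLS. The Deny statement names Principal "*", which is the
# intended use of a wildcard principal and must not be flagged.
FIXED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AppRoleRead", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/TranscriptionApp"},
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-transcripts",
                  "arn:aws:s3:::example-transcripts/*"]},
    {"Sid": "DenyPlaintext", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*",
     "Resource": ["arn:aws:s3:::example-transcripts",
                  "arn:aws:s3:::example-transcripts/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}
  ]
}""")

# Constructed ACL in the shape GetBucketAcl returns, with a public READ grant.
WEAK_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"},
     "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group",
                 "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_anyone(principal):
    """True for Principal "*" or {"AWS": "*"} (including "*" inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def public_policy_statements(policy):
    """Return Allow statements granted to anyone with no Condition attached.
    Statements with a Condition are left for manual review: a condition such
    as aws:SourceVpce may be acceptable, one such as aws:Referer is not."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_anyone(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue
        findings.append({"sid": stmt.get("Sid"),
                         "actions": _as_list(stmt.get("Action")),
                         "resources": _as_list(stmt.get("Resource"))})
    return findings


def public_acl_grants(acl):
    """Return permissions granted to the AllUsers/AuthenticatedUsers groups."""
    return [g["Permission"] for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("Type") == "Group"
            and g["Grantee"].get("URI") in PUBLIC_GROUP_URIS]


def is_public(policy, acl):
    """A bucket is public if either mechanism grants access to everyone."""
    return bool(public_policy_statements(policy)) or bool(public_acl_grants(acl))


if __name__ == "__main__":
    print("weak policy:", public_policy_statements(WEAK_POLICY))
    print("fixed policy:", public_policy_statements(FIXED_POLICY))
    print("weak ACL:", public_acl_grants(WEAK_ACL))
```

To run this against a real bucket, feed it the JSON string that `aws s3api get-bucket-policy --bucket NAME --query Policy --output text` prints (after `json.loads`) and the object that `aws s3api get-bucket-acl --bucket NAME` returns; the same check belongs in a regular audit, since a policy that was correct at deployment can be loosened later by exactly the kind of update that removed the password from the transcription FTP site.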

OCR Launches Campaign to Raise Awareness of Civil Rights Protections for Patients Being Treated for Opioid Use Disorder

On October 26, 2017, President Donald Trump declared the opioid crisis a national public health emergency. The one-year anniversary of that declaration has seen a new opioid bill signed into law. On October 24, 2018, President Donald Trump added his signature to the Substance Use–Disorder Prevention that Promotes Opioid Recovery and Treatment for Patients and Communities Act – or “SUPPORT for Patients and Communities Act” for short.

The Act will help strengthen the government’s response to the opioid crisis, improve access to addiction treatment services, and expand data sharing in cases of opioid abuse.

There have been calls for changes to be made to 42 CFR Part 2 to align the legislation with the HIPAA Privacy Rule and allow the sharing of information about a patient’s substance abuse treatment, without consent, for the purposes of treatment, payment or healthcare operations.

The SUPPORT for Patients and Communities Act does not go that far, although the new law does allow information relating to opioid abuse treatment – and details of treatment for abuse of other substances – to be displayed on a patient’s medical record, if consent is obtained from the patient.

The SUPPORT for Patients and Communities Act calls for the HHS to consult with stakeholders and develop best practices that cover how that information can be prominently displayed in a patient’s medical record, how consent should be obtained from patients, and the process and methods that should be used.

The stakeholders must include a patient with a history of opioid use disorder, an expert in the confidentiality of patient health information, an electronic health records expert, and a healthcare provider. The best practices should be issued within a year of the passing of the SUPPORT for Patients and Communities Act.

Following the signing of the SUPPORT for Patients and Communities Act, the HHS’ Office for Civil Rights launched a public education campaign which highlights the efforts being made by the HHS to combat the opioid epidemic.

The campaign has two main goals. First, OCR is attempting to improve access to evidence-based opioid use disorder treatment and recovery services, including medication assisted treatment, for all people, regardless of physical disability or their proficiency in English. The second goal is to raise awareness of civil rights protections that may apply to a patient who is being treated for opioid use disorder.

“Persons getting help for an opioid use disorder are protected by our civil rights laws throughout their treatment and recovery,” said OCR Director, Roger Severino. “Discrimination, bias, and stereotypical beliefs about persons recovering from an opioid addiction can lead to unnecessary and unlawful barriers to health and social services that are key to addressing the opioid crisis.”

Details of the campaign can be found on the HHS website. The web page includes fact sheets on Nondiscrimination and Opioid Use Disorder and on drug addiction and federal disability rights laws.

OCR has also released guidance for healthcare providers that clarifies how HIPAA permits the sharing of information about opioid patients without consent in order to help patients experiencing an opioid crisis. The document explains when consent is not needed and when consent must be obtained from patients prior to sharing information related to opioid abuse and treatment for opioid use disorder. The guidance – How HIPAA Allows Doctors to Respond to the Opioid Crisis – is available from OCR as a PDF.

The HIPAA Risk Analysis: Guidance and Tools for HIPAA Covered Entities and Business Associates

The HIPAA risk analysis is a foundational element of HIPAA compliance, yet it is something that many healthcare organizations and business associates get wrong. That places them at risk of experiencing a costly data breach and receiving a substantial financial penalty for noncompliance.

The HIPAA Risk Analysis

The administrative safeguards of the HIPAA Security Rule require all HIPAA-covered entities to “conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information.” See 45 C.F.R. § 164.308(a)(1)(ii)(A).

The risk analysis is a foundational element of HIPAA compliance and is the first step that must be taken when implementing safeguards that comply with and meet the standards and implementation specifications of the HIPAA Security Rule.

If a risk analysis is not conducted or is only partially completed, risks are likely to remain unidentified and will therefore not be addressed through an organization’s risk management process – See 45 C.F.R. § 164.308(a)(1)(ii)(B) – and will not be reduced to a reasonable and appropriate level as required by the general rules of the Security Rule – See 45 C.F.R. § 164.306(a).

A HIPAA risk analysis is also necessary to determine whether it is reasonable and appropriate to use encryption or whether alternative safeguards will suffice – See 45 C.F.R. §§ 164.312(a)(2)(iv) and (e)(2)(ii).

A risk analysis should also guide decisions on whether to implement a mechanism to authenticate ePHI – See 45 C.F.R. § 164.312(c)(2) – and on the measures used to protect ePHI in transit – See 45 C.F.R. § 164.312(e)(1).

If risks are allowed to persist, they can potentially be exploited by hackers and other malicious actors resulting in impermissible disclosures of ePHI.

During investigations of data breaches, the Department of Health and Human Services’ Office for Civil Rights looks for HIPAA compliance failures that contributed to the cause of the breach. One of the most common violations discovered is a failure to conduct a comprehensive, organization-wide risk analysis. A high percentage of OCR resolution agreements cite a risk analysis failure as one of the primary reasons for a financial penalty.

Requirements of a HIPAA Risk Analysis

The HIPAA Security Rule states that a risk analysis is a required element of HIPAA compliance, but does not explain what the risk analysis should entail nor the method that should be used to conduct a risk analysis. That is because there is no single method of conducting a risk analysis that will be suitable for all organizations, nor are there any specific best practices that will ensure compliance with this element of the HIPAA Security Rule.

OCR has explained the requirements of a HIPAA risk analysis on the HHS website. HHS guidance on risk analysis requirements of the HIPAA Security Rule is also available as a downloadable PDF (36.1 KB), with further information available in the NIST Risk Management Guide for Information Technology Systems – Special Publication 800-30 (PDF – 480 KB).

A Security Risk Assessment Tool to Guide HIPAA-Covered Entities Through a HIPAA Risk Analysis

The risk analysis process can be a challenge. To make the process easier, the HHS’ Office of the National Coordinator for Health Information Technology (ONC), in collaboration with the Office for Civil Rights, has developed a downloadable security risk assessment tool that guides HIPAA-covered entities through the process of conducting a security risk assessment.

After downloading and installing the tool, healthcare organizations can enter information and a report will be generated that helps them determine risks in policies, processes and systems and details some of the methods that can be used to mitigate weaknesses when the user is performing a risk assessment.

On October 15, 2018, ONC updated the tool (version 3.0). The aim of the update was “to make it easier to use and apply more broadly to the risks of the confidentiality, integrity, and availability of health information. The tool diagrams HIPAA Security Rule safeguards and provides enhanced functionality to document how your organization implements safeguards to mitigate, or plans to mitigate, identified risks,” wrote ONC.

The new features include an updated and enhanced user interface, a modular workflow, custom assessment logic, a progress tracker, threat and vulnerability ratings, more detailed reports, asset tracking, business associate tracking, and several enhancements to improve the user experience.

Use of the tool will not guarantee compliance with HIPAA or other federal, state, or local laws, but it is an extremely useful tool for guiding HIPAA-covered entities and business associates through the process of conducting a HIPAA-compliant risk analysis.

The updated Security Risk Assessment Tool can be downloaded from the HealthIT.gov website.

$16 Million Anthem HIPAA Breach Settlement Takes OCR HIPAA Penalties Past $100 Million Mark

OCR has announced that an Anthem HIPAA breach settlement has been reached to resolve potential HIPAA violations discovered during the investigation of its colossal 2015 data breach that saw the records of 78.8 million of its members stolen by cybercriminals.

Anthem has agreed to pay OCR $16 million and will undertake a robust corrective action plan to address the compliance issues discovered by OCR during the investigation.

The previous largest ever HIPAA breach settlement was $5.55 million, which was agreed with Advocate Health Care in 2016. “The largest health data breach in U.S. history fully merits the largest HIPAA settlement in history,” said OCR Director Roger Severino.

Anthem Inc., an independent licensee of the Blue Cross and Blue Shield Association, is America’s second largest health insurer. In January 2015, Anthem discovered cybercriminals had breached its defenses and had gained access to its systems and members’ sensitive data. With assistance from cybersecurity firm Mandiant, Anthem determined this was an advanced persistent threat attack – a continuous and targeted cyberattack conducted with the sole purpose of silently stealing sensitive data.

The attackers first gained access to its IT systems on December 2, 2014, with access continuing until January 27, 2015. During that time the attackers stole the data of 78.8 million plan members, including names, addresses, dates of birth, medical identification numbers, employment information, email addresses, and Social Security numbers.

The attackers gained a foothold in its network through spear phishing emails sent to one of its subsidiaries. They were then able to move laterally through its network to gain access to plan members’ data.

Anthem reported the data breach to OCR on March 13, 2015; however, by that time OCR was already a month into a compliance review of Anthem Inc. OCR took prompt action after Anthem uploaded a breach notice to its website and media reports started to appear indicating the colossal scale of the breach.

The OCR investigation uncovered multiple potential violations of HIPAA Rules. Anthem chose to settle the HIPAA violation case with no admission of liability.

OCR’s alleged HIPAA violations were:

  • 45 C.F.R. § 164.308(a)(1)(ii)(A) – A failure to conduct a comprehensive, organization-wide risk analysis to identify potential risks to the confidentiality, integrity, and availability of ePHI.
  • 45 C.F.R. § 164.308(a)(1)(ii)(D) – A failure to implement procedures to regularly review records of information system activity.
  • 45 C.F.R. § 164.308(a)(6)(ii) – Failures relating to the requirement to identify and respond to security incidents, including the incident that led to the breach.
  • 45 C.F.R. § 164.312(a) – A failure to implement sufficient technical policies and procedures for electronic information systems that maintain ePHI so that only authorized persons and software programs can access that ePHI.
  • 45 C.F.R. § 164.502(a) – A failure to prevent the unauthorized accessing of the ePHI of 78.8 million individuals that was maintained in its data warehouse.

“Unfortunately, Anthem failed to implement appropriate measures for detecting hackers who had gained access to their system to harvest passwords and steal people’s private information,” said Roger Severino. “We know that large health care entities are attractive targets for hackers, which is why they are expected to have strong password policies and to monitor and respond to security incidents in a timely fashion or risk enforcement by OCR.”

In addition to the OCR HIPAA settlement, Anthem has also paid damages to victims of the breach. Anthem chose to settle a class action lawsuit filed on behalf of 19.1 million customers whose sensitive information was stolen, agreeing to pay $115 million.

2018 OCR HIPAA Settlements and Civil Monetary Penalties

Given the size of the Anthem HIPAA settlement it is no surprise that 2018 has seen OCR smash its previous record for financial penalties for HIPAA violations. The latest settlement takes OCR HIPAA penalties past the $100 million mark.

There have not been as many HIPAA penalties in 2018 as in 2016 (13), although this year has seen $1.4 million more raised in penalties than the previous record year, and there are still 10 weeks left of 2018. The total is likely to rise further still.

OCR Financial Penalties for HIPAA Violations (2008-2018)

Year    Settlements and CMPs    Total Fines
2018    7                       $24,947,000
2017    10                      $19,393,000
2016    13                      $23,505,300
2015    6                       $6,193,400
2014    6                       $7,940,220
2013    5                       $3,740,780
2012    5                       $4,850,000
2011    3                       $6,165,500
2010    2                       $1,035,000
2009    1                       $2,250,000
2008    1                       $100,000
Total   59                      $100,120,200

Largest Ever Penalties for HIPAA Violations

Year    Covered Entity                                                  Amount        Settlement/CMP
2018    Anthem Inc                                                      $16,000,000   Settlement
2016    Advocate Health Care Network                                    $5,550,000    Settlement
2017    Memorial Healthcare System                                      $5,500,000    Settlement
2014    New York and Presbyterian Hospital and Columbia University      $4,800,000    Settlement
2018    University of Texas MD Anderson Cancer Center                   $4,348,000    Civil Monetary Penalty
2011    Cignet Health of Prince George’s County                         $4,300,000    Civil Monetary Penalty
2016    Feinstein Institute for Medical Research                        $3,900,000    Settlement
2018    Fresenius Medical Care North America                            $3,500,000    Settlement
2015    Triple S Management Corporation                                 $3,500,000    Settlement
2017    Children’s Medical Center of Dallas                             $3,200,000    Civil Monetary Penalty

Aetna Settles HIPAA Violation Case with State AGs

In 2017, errors occurred with two Aetna mailings that resulted in the impermissible disclosure of the protected health information of plan members, including HIV statuses and AFib diagnoses.

A class action lawsuit was filed on behalf of the victims of the HIV status breach which was settled for $17 million in January. Now Aetna has reached settlements with the attorneys general for New Jersey, Connecticut, and the District of Columbia to resolve the alleged HIPAA violations discovered during an investigation into the privacy breaches.

The first mailing was sent on July 28, 2017 by an Aetna business associate. Over-sized windowed envelopes were used for the mailing, through which it was possible to see the names and addresses of plan members along with the words “HIV Medications.” Approximately 12,000 individuals received the mailing.

In September, a second mailing was sent on behalf of Aetna to 1,600 individuals. This similarly resulted in an impermissible disclosure of PHI. In addition to names and addresses, the logo of an IMPACT AFib study was visible, which suggested the individual had been diagnosed with atrial fibrillation.

A multi-state investigation was launched to investigate potential violations of the Health Insurance Portability and Accountability Act (HIPAA) and state laws pertaining to the protected health information of state residents, including the Consumer Protection Procedures Act in DC and the New Jersey AIDS Assistance Act.

The investigation confirmed that in both cases there had been an impermissible disclosure of protected health information, that Aetna failed to protect consumers’ confidential health information, and that Aetna had deceived consumers about its ability to safeguard their health information.

Aetna has agreed to settlements with the State of Connecticut ($99,959), the District of Columbia ($175,000) and a civil monetary penalty of $365,211.59 will be paid to the State of New Jersey. Washington also participated in the investigation but has yet to decide on an appropriate settlement amount.

“Companies entrusted with individuals’ protected health information have a duty to avoid improper disclosures,” said New Jersey attorney general Gurbir Grewal. “Aetna fell short here, potentially subjecting thousands of individuals to the stigma and discrimination that, unfortunately, still may accompany disclosure of their HIV/AIDS status. I am pleased that our investigation has led Aetna to adopt measures to prevent this from happening again.”

“Every patient should feel confident that their insurance company or health provider will safeguard their confidential medical information. Today’s action will prevent further disclosures and warns other insurance companies that they are responsible for protecting consumers’ private information,” said District of Columbia attorney general Karl A. Racine.

HHS Secretary Issues Limited Waiver of HIPAA Penalties Following Declaration of Public Health Emergency in Florida and Georgia

Following the presidential declaration of public health emergencies in the states of Florida and Georgia in the wake of Hurricane Michael, Secretary of the Department of Health and Human Services (HHS) Alex Azar has followed suit in both states and has exercised his authority to waive sanctions and penalties for certain provisions of the HIPAA Privacy Rule in the disaster areas.

The HHS announced the public health emergency in Florida on October 9, and Georgia on October 11.

The HIPAA Privacy Rule does permit healthcare providers to share protected health information during disasters to assist patients and ensure they receive the care they need, including sharing information with friends, family members and other individuals directly involved in a patient’s care. The HIPAA Privacy Rule allows the sharing of PHI for public health activities and to prevent or reduce a serious and imminent threat to health or safety. HIPAA-covered entities are also permitted to share information with disaster relief organizations that have been authorized by law to assist with disaster relief efforts without first obtaining permission from patients.

During natural disasters the HIPAA Privacy and Security Rules remain in effect, although following the secretarial declaration, sanctions and penalties against HIPAA covered entities have been waived for the following provisions of the HIPAA Privacy Rule:

  • The requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care. See 45 CFR 164.510(b).
  • The requirement to honor a request to opt out of the facility directory. See 45 CFR164.510(a).
  • The requirement to distribute a notice of privacy practices. See 45 CFR 164.520.
  • The patient’s right to request privacy restrictions. See 45 CFR 164.522(a).
  • The patient’s right to request confidential communications. See 45 CFR 164.522(b).

The waiver only applies to qualifying hospitals in the emergency area for the period identified in the public health emergency declaration. Qualifying hospitals are permitted to take advantage of the waiver for up to 72 hours, provided their disaster protocol has been implemented.

The waiver is only in place for the 72-hour period or the duration of the public health emergency declaration, whichever terminates sooner. Once the 72-hour time period is over or the presidential or secretarial declaration terminates, the waiver ends, even for patients still under a hospital’s care.

“We are working closely with state health authorities and private sector partners from hospitals and other healthcare facilities to save lives and protect public health after Hurricane Michael,” said Secretary Azar. “The declarations will help to ensure that residents in both states have continuous access to the care they need.”

The HHS has said more than 400 medical and public health personnel have been moved into the disaster areas along with caches of medical equipment, and a further 300 personnel from the National Disaster Medical System and the U.S. Public Health Service Commissioned Corps have been placed on alert. HHS teams will be providing medical services in shelters, assisting with disease surveillance, offering behavioral support to residents and responders, and helping to assess whether further federal medical and health support is required in the disaster areas.

HHS has published guidance on hurricane preparedness, response and recovery.

Hospitals Failing to Fully Comply with HIPAA Requirement for Providing Patients with Copies of Medical Records

The HIPAA Privacy Rule gave patients the right to obtain a copy of their medical records from their healthcare providers. Under HIPAA, copies of medical records should be provided to patients as soon as possible, but no later than 30 days from when the request is made.

Even though compliance with the HIPAA Privacy Rule has been mandatory since April 14, 2003, there have been several cases of hospitals failing to provide patients with copies of their medical records. In 2011, the Department of Health and Human Services’ Office for Civil Rights (OCR) sent a message to healthcare providers about this aspect of HIPAA compliance when it issued a $4,300,000 civil monetary penalty to Cignet Health of Prince George’s County.

Even though it has now been 15 years since compliance with the HIPAA Privacy Rule became mandatory, there is still widespread noncompliance when it comes to providing patients with copies of their medical records.

According to a new study published in JAMA Network Open, healthcare providers are not providing patients with copies of their full medical records, many are charging excessive amounts, and some hospitals are making it hard for patients to find out about and exercise their right to have a copy of their health data.

The study was conducted by Yale University School of Medicine researchers who evaluated processes for releasing medical records to patients at 83 of the leading hospitals in the United States. According to the study, only 53% of hospitals provided patients with the option of obtaining their entire medical record.

HIPAA requires patients to be provided with copies of their medical records in the format of their choice, yet many hospitals were failing to comply with this requirement and there were discrepancies between information provided over the phone and what was detailed on release forms.

For example, over the telephone, 83% of hospitals said copies of medical records could be picked up in person, yet only 48% stated this on the release forms. Over the telephone, 66% said electronic medical records could be provided on a CD, but this was an option on only 25% of forms.

In 2016, OCR clarified patients’ right to access their medical records and the amounts that healthcare providers can charge for providing patients with copies of their health information. A flat fee of no more than $6.50 was recommended to release electronically maintained medical records to a patient. However, the study revealed that 48 of the 83 hospitals charged patients more than this amount. One hospital charged $541.50 for a 200-page medical record.

43% of hospitals did not state on the request forms how much patients would be charged for exercising their right to obtain a copy of their medical records and only 35% of hospitals disclosed exact costs on the release form or the web page where the form could be downloaded.

At least 7 hospitals (8%) were non-compliant with the maximum processing time of 30 days, with each of those hospitals providing a time range with the upper limit outside the 30-day maximum.

Information on forms was found to be incomplete or incorrect and patients were required to call the medical records department to find out the full parameters for releasing medical records. Some hospitals were unwilling to provide paper and electronic copies of medical records and there was no consistency in processes for releasing medical records to patients across the 83 hospitals that were studied.

“The lack of a uniform procedure for requesting medical records across US hospitals highlights a systemic problem in complying with the right of access under HIPAA,” wrote the researchers. “Because every institution creates its own process and implements its own regulations, variability in what and how records can be received occurs.”

Co-author of the report, Harlan Krumholz, MD, said, “If we really want to move to a healthcare system where patients are at the center, then we need to find ways to ensure that they have agency over their own data. We’re far from that right now.”


California HIV Patient PHI Breach Lawsuit Allowed to Move Forward

A lawsuit filed by Lambda Legal on behalf of a victim of a data breach that saw the highly sensitive protected health information of 93 lower-income HIV positive individuals stolen by unauthorized individuals has survived a motion to dismiss.

The former administrator of the California AIDS Drug Assistance Program (ADAP), A.J. Boggs & Company, submitted a motion to dismiss but it was recently rejected by the Superior Court of California in San Francisco.

In the lawsuit, Lambda Legal alleges A.J. Boggs & Company violated the California AIDS Public Health Records Confidentiality Act, the California Confidentiality of Medical Information Act, and other state medical privacy laws by failing to ensure an online system was secure prior to implementing that system and allowing patients to enter sensitive information.

A.J. Boggs & Company made its new online enrollment system live on July 1, 2016, even though it had previously received several warnings from nonprofits and the LA County Department of Health that the system had not been tested for vulnerabilities.

It was alleged that the failure to ensure its system was secure meant that any information entered in the portal by patients was at risk of exposure and could potentially be obtained by unauthorized individuals. In November 2016, four months after the system went live, A.J. Boggs & Company took the system offline to correct the flaws.

However, in February 2017, the California Department of Health discovered that the flaws in the A.J. Boggs & Company portal had been exploited: unauthorized individuals had gained access to the system and had downloaded the private and highly sensitive information of 93 patients with HIV or AIDS. Following the discovery, the contract with the firm was cancelled and a new state-run system was adopted.

The ADAP program provides states with federal funding to give financial assistance to low-income individuals with HIV or AIDS, making HIV medications more affordable and extending assistance to patients who earn too much to qualify for Medicaid. Any medical data breach is serious, but the disclosure of an individual’s HIV status is especially so.

“HIV is still a highly stigmatized medical condition,” said Scott Schoettes, HIV Project Director at Lambda Legal. “When members of already vulnerable communities — transgender people, women, people of color, undocumented people, individuals with low incomes — already face challenges in accessing health care, undermining the trust they have in the ADAP is not just a breach of security; it creates a barrier to care.”

Lambda Legal is seeking statutory and compensatory damages for the patient and is seeking class action status to allow the other 92 breach victims to be included in the lawsuit.
