HIPAA Compliance News

Overdose Prevention and Patient Safety Act Passed by House

The Overdose Prevention and Patient Safety Act – H.R. 6082 – aims to ease restrictions on the sharing of health records of patients with addictions, aligning 42 CFR Part 2 – Confidentiality of Substance Use Disorder Patient Records – with HIPAA.

Currently, 42 CFR Part 2 only permits the disclosure of health records of patients with substance abuse disorder without written consent to medical staff in emergency situations, to specified individuals for research and program evaluations, or if required to do so by means of a court order.

Under current regulations, a special release form must be signed by a patient authorizing the inclusion of substance abuse disorder information in their medical record.

Preventing doctors from having access to a patient’s entire medical history means decisions could be taken without full understanding of their potential consequences. If details of substance abuse disorder can be accessed, doctors will be able to make more informed decisions which will help them to safely and effectively treat patients.

The Overdose Prevention and Patient Safety Act allows the health records of substance abuse disorder patients to be disclosed without written consent from patients for the purposes of treatment, payment, and healthcare operations, aligning with the HIPAA Privacy Rule.

Additionally, the criminal penalties for violations involving substance abuse disorder records would align with the penalty structure of HIPAA and would not be treated separately.

Privacy protections would also be enhanced for patients: the Act would prohibit the use of SUD information in criminal and civil prosecutions, protect against discrimination by prohibiting the sharing of substance abuse disorder information with employers and landlords, and require notifications to be issued in the event of a breach of that information, in line with the requirements of the HITECH Act.

The House passed the Overdose Prevention and Patient Safety Act with a vote of 357-57. The Act will now go to the Senate for consideration.

The post Overdose Prevention and Patient Safety Act Passed by House appeared first on HIPAA Journal.

Is Rackspace HIPAA Compliant?

The Windcrest, TX-based managed cloud computing company Rackspace offers public cloud and email hosting services, but can they be used by HIPAA-covered entities without violating HIPAA Rules? Is Rackspace HIPAA compliant?

Will Rackspace Sign a Business Associate Agreement with HIPAA Covered Entities?

Rackspace is aware that by allowing healthcare organizations to use its services, the company is classed as a HIPAA business associate and must agree to comply with the HIPAA Privacy and Security Rules.

Rackspace has obtained HITRUST and HITRUST CSF certifications, which demonstrate that the company meets the data security and privacy standards demanded by HIPAA for managed public, private, and hybrid cloud environments. The company uses extended SSL encryption and meets PCI DSS data security requirements.

The company provides assistance to healthcare companies to help them use its services and comply with HIPAA Rules and develop an approach that satisfies HIPAA Rules and meets their business needs.

Rackspace will also sign a business associate agreement for its dedicated hosting services, which is included by default for customers in the healthcare industry.

Is Rackspace HIPAA Compliant?

Rackspace is prepared to sign a business associate agreement with healthcare organizations and has implemented all the necessary safeguards to ensure that its hosting services can be used by healthcare organizations without violating HIPAA Rules.

Rackspace can therefore be considered a HIPAA compliant hosting company, provided customers use its dedicated hosting services and obtain a business associate agreement prior to using its hosting services in connection with any PHI.

However, it is the responsibility of all users to ensure that the hosting services are configured correctly. Rackspace cannot determine whether its customers are using its services in a manner that complies with HIPAA Rules.

Covered entities must take full responsibility for ensuring the requirements of HIPAA are satisfied and appropriate safeguards are maintained.


Washington Health System Suspends Several Employees for Inappropriate PHI Access

Following the alleged inappropriate accessing of patient health records by employees, Washington Health System has taken the decision to suspend several employees while the privacy breach is investigated.

While it has not been confirmed how many employees have been suspended, Washington Health System VP of strategy and clinical services, Larry Pantuso, issued a statement to the Observer Reporter indicating around a dozen employees have been suspended, although at this stage, no employees have been fired for inappropriate medical record access.

The privacy breaches are believed to relate to the death of an employee of the WHS Neighbor Health Center. Kimberly Dollard, 57, was killed when an out-of-control car driven by Chad Spence, 43, rammed into the building where she worked. Spence and one other individual were admitted to the hospital after sustaining injuries in the accident.

Pantuso did not confirm that this was the incident that prompted the employees to access patients’ medical records, although he did confirm that the alleged inappropriate access related to a “high profile case.”

The accessing of medical records without any legitimate work reason for doing so is a violation of the Health Insurance Portability and Accountability Act (HIPAA). HIPAA only permits the accessing of PHI by employees for treatment, payment, or healthcare operations.

Any healthcare employee discovered to have violated HIPAA Rules faces disciplinary action which can involve suspension, termination, loss of license and, potentially, criminal charges.

There have been several recent cases where employees have been fired for snooping on the medical records of high profile patients.

In February 2018, 13 employees of the Medical University of South Carolina were fired for HIPAA violations after they accessed patients’ medical records without authorization; many of them had accessed the medical records of high profile patients.

One of the most recent actions taken against a healthcare employee for a HIPAA violation was taken by the New York nursing board’s Office for Professional Discipline. Martha Smith-Lightfoot was provided with a list of patients prior to leaving her employment at University of Rochester Medical Center (URMC) to take up a new position at Greater Rochester Neurology. Smith-Lightfoot provided that list to her new employer and patients were contacted in an attempt to solicit business.

Smith-Lightfoot signed a consent order with the nursing board admitting the violation and had her license to practice suspended for one year, received a stayed suspension for another year, and three years of probation when she returns to practice.

Snooping on medical records is likely to be discovered as logs are created when health records are accessed. Those logs are periodically checked and if inappropriate PHI access is discovered it is likely to result in termination and will make it hard to obtain future employment in healthcare.


May 2018 Healthcare Data Breach Report

April was a particularly bad month for healthcare data breaches with 41 reported incidents. While it is certainly good news that there has been a month-over-month reduction in healthcare data breaches, the severity of some of the breaches reported last month puts May on a par with April.

Healthcare Data Breaches (May 2018)

There were 29 healthcare data breaches reported by healthcare providers, health plans, and business associates of covered entities in May – a 29.27% month-over-month reduction in reported breaches. However, 838,587 healthcare records were exposed or stolen in those incidents – only 56,287 records fewer than in the 41 incidents reported in April.

Healthcare Data Breaches - Records (May 2018)

In May, the mean breach size was 28,917 records and the median was 2,793 records. In April the mean breach size was 21,826 records and the median was 2,553 records.

Causes of May 2018 Healthcare Data Breaches

Unauthorized access/disclosure incidents were the most numerous type of breach in May 2018 with 15 reported incidents (51.72%). There were 12 hacking/IT incidents reported (41.38%) and two theft incidents (6.9%). There were no lost unencrypted electronic devices reported in May and no improper disposal incidents.

The 12 hacking/IT incidents reported in May resulted in the exposure/theft of 738,883 healthcare records – 88.11% of the total for May. Unauthorized access/disclosure incidents affected 97,439 patients and health plan members – 11.62% of the total. Theft incidents resulted in unauthorized individuals obtaining the PHI of 2,265 individuals – 0.27% of the monthly total.

Causes of Healthcare Data Breaches (May 2018)

Largest Healthcare Data Breaches Reported in May 2018

The largest healthcare data breach reported in May 2018 – by some distance – was the 538,127-record breach at the Baltimore, MD-based healthcare provider LifeBridge Health Inc. The breach was reported in May, although it occurred more than a year and a half earlier in September 2016, when malware was installed on its server that hosts electronic health records.

In addition to names and contact information, clinical and treatment information, insurance information, and, in some instances, Social Security numbers were compromised. The scale of the breach and the types of information exposed make it one of the most serious healthcare data breaches discovered in 2018.

As the table below shows, hacks and IT incidents were behind the most serious breaches in May.

Breached Entity                                      Entity Type           Records Breached   Breach Type
LifeBridge Health, Inc                               Healthcare Provider   538,127            Hacking/IT Incident
The Oregon Clinic, P.C.                              Healthcare Provider   64,487             Hacking/IT Incident
Dignity Health                                       Healthcare Provider   55,947             Unauthorized Access/Disclosure
Aultman Hospital                                     Healthcare Provider   42,625             Hacking/IT Incident
Holland Eye Surgery and Laser Center                 Healthcare Provider   42,200             Hacking/IT Incident
USACS Management Group, Ltd.                         Business Associate    15,552             Hacking/IT Incident
Florida Hospital                                     Healthcare Provider   12,724             Hacking/IT Incident
Aflac                                                Health Plan           10,396             Hacking/IT Incident
Cerebral Palsy Research Foundation of Kansas, Inc.   Healthcare Provider   8,300              Unauthorized Access/Disclosure
Associates in Psychiatry and Psychology              Healthcare Provider   6,546              Hacking/IT Incident


Records Exposed in Healthcare Data Breaches (May 2018)

Location of Breached Protected Health Information

In May, the most common location of breached protected health information was email. 11 of the 29 reported breaches involved hacks of email accounts and misdirected emails. It was a similar story in April, when email was also the main location of breached PHI.

In May there were 7 incidents affecting network servers – hacks, malware infections, and ransomware incidents – and 7 incidents involving paper records.

Healthcare Data Breaches (May 2018) - Location of Breached PHI

Data Breaches by Covered Entity Type

Healthcare providers experienced the lion’s share of the healthcare data breaches in May 2018, with 22 incidents reported. Only two health plans suffered a data breach in May.

Five business associates of HIPAA-covered entities reported a breach, although a further four breaches had some business associate involvement.

Healthcare Data Breaches (May 2018) - Breaches by Covered Entity Type

Healthcare Data Breaches by State

California and Ohio were the worst affected by healthcare data breaches in May 2018, with each state having four breaches. Oregon and Texas each experienced two data breaches in May. Nevada saw four breaches reported, but three of those were the same incident, only reported separately by each of the three Dignity Health hospitals affected.

One healthcare data breach was reported by a HIPAA-covered entity or business associate based in each of Arkansas, Arizona, Colorado, Florida, Georgia, Indiana, Kansas, Massachusetts, Maryland, Michigan, Minnesota, Nebraska, and New York.

Financial Penalties for HIPAA Violations

While OCR and state attorneys general continue to enforce HIPAA Rules and take action against covered entities and business associates for noncompliance, there were no financial settlements announced by either in May 2018.

Data Source: The Department of Health and Human Services’ Office for Civil Rights.


OCR Announces $4.3 Million Civil Monetary Penalty for University of Texas MD Anderson Cancer Center

The Department of Health and Human Services’ Office for Civil Rights has announced its fourth largest HIPAA violation penalty has been issued to The University of Texas MD Anderson Cancer Center (MD Anderson). MD Anderson has been ordered to pay $4,348,000 in civil monetary penalties to resolve the HIPAA violations related to three data breaches experienced in 2012 and 2013.

MD Anderson is an academic institution and a cancer treatment and research center based at the Texas Medical Center in Houston, TX. Following the submission of three breach reports in 2012 and 2013, OCR launched an investigation to determine whether the breaches were caused as a result of MD Anderson having failed to comply with HIPAA Rules.

The breaches in question were the theft of an unencrypted laptop computer from the home of an MD Anderson employee and the loss of two unencrypted USB thumb drives, each of which contained the electronic protected health information (ePHI) of its patients. In total, the PHI of 34,883 patients was exposed and could potentially have been viewed by unauthorized individuals.

The investigation revealed that MD Anderson had conducted a risk analysis, as is required by HIPAA. That risk analysis revealed the use of unencrypted devices posed a serious threat to the confidentiality, integrity, and availability of ePHI. To address the risk, in 2006 MD Anderson developed policies that required all portable storage devices to be encrypted.

However, even though policies called for the use of encryption, encryption was not implemented until March 24, 2011. When encryption was implemented, it was not implemented on all portable devices in its inventory. MD Anderson reported to OCR that by January 25, 2013, it had only encrypted 98% of its computers. If MD Anderson had implemented encryption on all portable electronic devices containing ePHI, the three breaches would have been prevented.

Preventable Data Breaches Experienced by MD Anderson

The laptop was stolen from the home of Dr. Randall Millikan on April 30, 2012. Dr. Millikan confirmed that the ePHI on the device was not encrypted and the laptop was not password protected; as a result, the ePHI could potentially have been viewed by family members at his home, as well as by the individual who stole the laptop.

The USB devices were lost on or around July 12, 2012 and December 2, 2013. The first contained an Excel file containing the ePHI of 2,264 individuals. The device was lost by a summer intern on her way home from work. The second USB drive was lost by a visiting researcher from Brazil at some point over the Thanksgiving weekend. The device was usually left in the tray on her desk. Neither device was encrypted or password protected.

Between 2010 and 2011, MD Anderson’s Information Security Program and Annual Reports stated clearly that the storage of ePHI on mobile media was a key risk area that had not yet been mitigated, which was also detailed in its risk analysis for fiscal year 2011. That risk analysis determined that employees were downloading ePHI onto portable storage devices for use outside the institution. The failure to address the risk was a violation of 45 C.F.R. § 164.312(a)(2)(iv) and its own policies.

Penalties for HIPAA Violations

When financial penalties are deemed appropriate, OCR usually negotiates with the covered entity and a settlement is agreed; however, MD Anderson disagreed with OCR’s decision and maintained the financial penalty was unreasonable. Specifically, MD Anderson claimed that it was not obligated to use encryption as the data on the devices were used for research purposes, and that the research was not subject to HIPAA’s nondisclosure requirements. A covered entity has the right to contest penalties for HIPAA violations. Consequently, the matter was referred to an Administrative Law Judge.

OCR proposed penalties for HIPAA violations under the tier of ‘reasonable cause’. OCR wrote in its Notice of Proposed Determination, “Reasonable cause is ‘an act or omission in which a covered entity or business associate knew, or by exercising reasonable diligence would have known, that the act or omission violated an administrative simplification provision, but in which the covered entity or business associate did not act with willful neglect.’”

The penalty amounts in such cases are a minimum of $1,000 for each violation up to a maximum of $1.5 million per calendar year.


Penalty Structure for HIPAA Violations

OCR determined penalties were appropriate for calendar year 2011 (283 days from March 24 to December 31), calendar year 2012 (366 days from January 1 to December 31) and calendar year 2013 (25 days from January 1 to January 25), and applied the maximum penalty of $1.5 million for each of those calendar years.

Administrative Law Judge Steven T. Kessell granted summary judgment in favor of OCR to remedy MD Anderson’s noncompliance with 45 C.F.R. § 164.312(a) – Technical Safeguards; encryption – and 45 C.F.R. § 164.502(a) – Uses and Disclosure of PHI; impermissible disclosure of ePHI.

“OCR is serious about protecting health information privacy and will pursue litigation, if necessary, to hold entities responsible for HIPAA violations,” said OCR Director Roger Severino. “We are pleased that the judge upheld our imposition of penalties because it underscores the risks entities take if they fail to implement effective safeguards, such as data encryption, when required to protect sensitive patient information.”


3-Year Jail Term for VA Employee Who Stole Patient Data

A former employee of the Veterans Affairs Medical Center in Long Beach, CA who stole the protected health information (PHI) of more than 1,000 patients has been sentenced to three years in jail.

Albert Torres, 51, was employed as a clerk in the Long Beach Health System-run medical center – a position he held for less than a year. Torres was pulled over by police officers on April 12 after a check of his license plates revealed an anomaly: the plates, which are typically reserved for commercial vehicles, had been used on a private vehicle.

The police officers found prescription medications for which Torres did not have a prescription, along with the Social Security numbers and other PHI of 14 patients, in his vehicle. A subsequent search of Torres’ apartment revealed he had hard drives and zip drives containing the PHI of 1,030 patients and more than $1,000 in cleaning supplies that had been stolen from the hospital.

After pleading guilty to several crimes, including identity theft and grand theft, Torres was sentenced to three years in a state penitentiary on June 4.

Sutter Health Fires Employees for Attempted PHI Access

An undisclosed number of employees of Sutter Health have been fired for accessing the medical records of patients without authorization.

CBS 13 Sacramento reported that an anonymous source had confirmed that Sutter Health had fired two employees for searching for the medical records of the suspected Golden State Killer, Joseph DeAngelo.

Following the news report from CBS 13, Sutter Health spokesperson Gary Zavoral issued a statement confirming action had been taken in response to the improper accessing of PHI, according to the Sacramento Business Journal.

While Zavoral did not confirm the number of employees that had been terminated, nor the patient or patients whose medical records were accessed, he did confirm that the employees concerned had been terminated.

Sutter Health has a system in place that generates alerts when employees access medical records without authorization. When improper access is detected, it usually results in termination.

In addition to firing the employees concerned, Sutter Health has reminded all staff that the accessing of medical records is only permitted when there is a legitimate work reason for doing so. The person or persons whose medical records were accessed are being notified of the privacy breach.
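The access-log review mentioned in the Washington Health System item above (logs are created when records are accessed and periodically checked) and the alerting described for Sutter Health are, in practice, checks run over EHR audit trails. The following is an added example of such a check, not HIPAA Journal's code or any health system's actual tooling; the audit-log format, user ids, departments, and care-team table are all constructed for illustration.

```python
"""Flag potentially inappropriate PHI access in EHR audit logs.

Added example. Assumes (constructed) audit records of the form
timestamp,user,department,patient,action and a care-team table listing the
users who have a treatment, payment or operations reason to open each chart.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    user: str
    dept: str
    patient: str
    action: str  # VIEW_CHART, UPDATE_CHART or BREAK_GLASS (emergency override)


# Constructed sample audit log. P-0001 plays the part of a high-profile admission
# that draws chart opens from staff with no role in the patient's care.
SAMPLE_LOG = """\
2018-06-01T08:02:11,u1001,ED,P-0001,VIEW_CHART
2018-06-01T08:05:40,u1002,ED,P-0001,UPDATE_CHART
2018-06-01T09:10:03,u2001,BILLING,P-0001,VIEW_CHART
2018-06-01T09:12:55,u3001,RADIOLOGY,P-0001,BREAK_GLASS
2018-06-01T09:13:02,u3001,RADIOLOGY,P-0001,VIEW_CHART
2018-06-01T10:30:17,u4001,PEDIATRICS,P-0001,VIEW_CHART
2018-06-01T10:31:44,u4002,PEDIATRICS,P-0001,VIEW_CHART
2018-06-01T10:45:09,u5001,CAFETERIA,P-0001,VIEW_CHART
2018-06-01T12:00:00,u4001,PEDIATRICS,P-0002,VIEW_CHART
2018-06-02T07:15:22,u6001,ONCOLOGY,P-0003,VIEW_CHART
"""

# Constructed care-team table (in a real system this is derived from encounters,
# orders and billing work queues).
CARE_TEAM = {
    "P-0001": {"u1001", "u1002", "u2001"},
    "P-0002": {"u4001"},
    "P-0003": {"u6001"},
}


def parse_log(text: str) -> list[AccessEvent]:
    """Parse the comma-separated audit lines into AccessEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, dept, patient, action = line.split(",")
        events.append(AccessEvent(datetime.fromisoformat(ts), user, dept, patient, action))
    return events


def classify(events: list[AccessEvent], care_team: dict[str, set[str]]) -> dict[str, list[AccessEvent]]:
    """Sort chart opens into authorized, break_glass_review and suspicious.

    Authorized: the user is on the patient's care team.
    Break-glass review: the user invoked the emergency override for that patient
    before opening the chart; the override is logged and must be justified later.
    Suspicious: no care relationship and no override, the snooping pattern.
    """
    broke_glass: set[tuple[str, str]] = set()
    result: dict[str, list[AccessEvent]] = {"authorized": [], "break_glass_review": [], "suspicious": []}
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.action == "BREAK_GLASS":
            broke_glass.add((ev.user, ev.patient))
            continue
        if ev.user in care_team.get(ev.patient, set()):
            result["authorized"].append(ev)
        elif (ev.user, ev.patient) in broke_glass:
            result["break_glass_review"].append(ev)
        else:
            result["suspicious"].append(ev)
    return result


def unusual_interest(events: list[AccessEvent], care_team: dict[str, set[str]],
                     min_outsiders: int = 3) -> dict[str, list[str]]:
    """Patients whose chart was opened by at least min_outsiders distinct users
    outside the care team (break-glass users count as outsiders too)."""
    outsiders: dict[str, set[str]] = defaultdict(set)
    for ev in events:
        if ev.action != "BREAK_GLASS" and ev.user not in care_team.get(ev.patient, set()):
            outsiders[ev.patient].add(ev.user)
    return {p: sorted(u) for p, u in outsiders.items() if len(u) >= min_outsiders}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    buckets = classify(evs, CARE_TEAM)
    for ev in buckets["suspicious"]:
        print(f"SUSPICIOUS {ev.ts:%Y-%m-%d %H:%M} {ev.user} ({ev.dept}) opened {ev.patient}")
    for ev in buckets["break_glass_review"]:
        print(f"REVIEW     {ev.ts:%Y-%m-%d %H:%M} {ev.user} ({ev.dept}) broke glass on {ev.patient}")
    for patient, users in unusual_interest(evs, CARE_TEAM).items():
        print(f"WATCH      {patient}: {len(users)} non-care-team users {users}")
```

On the constructed log the three pediatrics and cafeteria opens of P-0001 are reported as suspicious, the radiology open is routed to break-glass review, and P-0001 is listed as drawing unusual interest.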


OCR Issues Guidance on Individual Authorization of Uses and Disclosures of PHI for Research

The Department of Health and Human Services’ Office for Civil Rights has issued new guidance for HIPAA-covered entities to streamline HIPAA authorizations for uses of protected health information for research purposes, as required by the 21st Century Cures Act of 2016.

Uses and Disclosure of PHI for Research

The HIPAA Privacy Rule does permit covered entities to use patients’ PHI for research without obtaining individual authorizations under certain circumstances, such as if documented Institutional Review Board (IRB) or Privacy Board Approval has been obtained – see 45 CFR § 164.512(i)(1)(i) and (ii). However, in most cases, prior to using patients’ PHI for research, individual authorizations must be obtained from patients in writing. Without a valid authorization from a patient, their PHI can only be used or disclosed for purposes permitted by the Privacy Rule.

The new guidance explains the content that must be included in individual authorizations to meet HIPAA requirements.

OCR explains that individual authorizations must:

  • Be written in plain language to ensure they can be easily understood;
  • Include, in a specific and meaningful fashion, a description of the information that will be used and disclosed;
  • Include the names of the persons authorized to disclose and receive the information;
  • Include a description of the purpose of the requested use or disclosure; and
  • Include an expiration date or expiration event after which the authorization will be invalid.

In addition, the individual authorization must make clear the following rights of the individual:

  • The right to revoke authorization in writing and any exceptions to that right;
  • Details of how that right can be exercised;
  • The ability or inability to condition treatment, payment, enrollment, or eligibility for benefits on the authorization; and
  • The potential for information disclosed in accordance with the authorization to be redisclosed by the recipient and no longer be protected by the HIPAA Privacy Rule.

There has been some confusion about the content of individual authorizations with respect to future research, which may not have been determined at the time the authorization is obtained. In such situations, the requirement to describe ‘each purpose’ for which PHI will be used or disclosed may be impossible to satisfy.

OCR has clarified that in such situations, specific future uses do not need to be described. Instead, to comply with 45 CFR § 164.508(c)(1)(iv) “the authorization must adequately describe such purposes such that it would be reasonable for the individual to expect that his or her protected health information could be used or disclosed for such future research.”

OCR also clarifies the requirement to include “an expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure,” and explains it is sufficient “to state ‘end of the research study,’ ‘none,’ or similar language,” such as when the PHI will be included in the creation and maintenance of a research database or study repository. It is also permitted to state, “the authorization will remain valid unless and until it is revoked by the individual.”

While patients are given the right to revoke an authorization in writing at any time, there will be situations when exercising that right will not stop the individual’s PHI from being used in a particular research study. Patients should be made aware of this when giving their authorization.

“A covered entity may continue to use and disclose PHI that was obtained before the individual revoked authorization to the extent that the entity has taken action in reliance on the authorization,” explains OCR. “In cases where the research is conducted by the covered entity, the exception to revocation would permit the covered entity to continue using or disclosing the PHI to the extent necessary to maintain the integrity of the research – for example, to account for a subject’s withdrawal from the research study, to conduct investigations of scientific misconduct, or to report adverse events.”

OCR explains that it is not necessary for periodic reminders about the right to revoke authorization to be sent to patients as patients must be provided with a copy of the signed authorization in which their rights will be explained. However, covered entities are encouraged to implement procedures for revocation of authorizations such as creating a standard revocation form or adding current authorizations to a patient portal and allowing revocations to be submitted through that portal.

OCR’s Guidance on Individual Authorization of Uses and Disclosures of PHI for Research is available from OCR as a PDF download.


Is SendGrid HIPAA Compliant?

SendGrid is an email marketing platform that allows companies to quickly and easily communicate their marketing messages to customers, but can the platform be used by healthcare organizations? Is SendGrid HIPAA compliant?

HIPAA Compliant Email Services

Providers of cloud-based email services are not exempt from compliance with HIPAA under the conduit exception rule.

If a HIPAA-covered entity wants to use an email service to communicate with patients, no protected health information (PHI) can be included in the messages unless the requirements of HIPAA are satisfied. If PHI needs to be included in emails, the email service provider would be classed as a business associate and a business associate agreement (BAA) would need to be entered into by both parties.

The business associate agreement (BAA) outlines the responsibilities of the business associate with respect to HIPAA and provides the covered entity with ‘reasonable assurances’ that HIPAA Rules will be followed by staff and the platform includes appropriate security controls to ensure the confidentiality, integrity, and availability of ePHI.

In addition to security controls to prevent messages from being intercepted by unauthorized individuals, access controls are required, and an audit trail must be maintained.

Will SendGrid Sign a Business Associate Agreement?

At the time of writing, SendGrid does not sign business associate agreements with HIPAA-covered entities, as the company’s platform does not natively support HIPAA-compliant data transmission. While the email service does include security measures through SMTP, messages are not encrypted in transit and the platform is not intended for use with PHI.

Is SendGrid HIPAA Compliant?

SendGrid can be used for marketing purposes, although PHI must not be included in any emails. The company clearly states on its website, “SendGrid does not intend uses of the service to create obligations under The Health Insurance Portability and Accountability Act of 1996” and that its service should not be used “for any purpose or in any manner involving Protected Health Information (as defined in HIPAA).”


12-Month Suspension for Nurse Who Provided Patient Information to New Employer

The New York State Education Department has suspended the license of a nurse practitioner for violating the privacy of patients by providing their contact information to her new employer.

In April 2015, Martha C. Smith-Lightfoot took a spreadsheet containing the personally identifiable information of approximately 3,000 patients of University of Rochester Medical Center (URMC) and gave that information to her new employer, Greater Rochester Neurology.

The privacy violation was uncovered when several patients complained to URMC about being contacted by Greater Rochester Neurology about switching providers.

Prior to leaving URMC, Smith-Lightfoot requested information on patients she had treated in order to ensure continuity of care. URMC provided her with a spreadsheet that contained names, addresses, dates of birth, and diagnoses. URMC did not authorize Smith-Lightfoot to take the spreadsheet with her when she left employment.

The provision of the patient list to Greater Rochester Neurology was an impermissible disclosure of PHI and a violation of the HIPAA Privacy Rule. When it became apparent what had happened, URMC contacted Greater Rochester Neurology and the list was returned.

The privacy breach was reported to the Department of Health and Human Services’ Office for Civil Rights, as required by HIPAA, and the New York attorney general. OCR investigated but closed the case without issuing any financial penalties, although then attorney general Eric Schneiderman fined URMC $15,000 for the HIPAA violation.

Criminal penalties were not pursued against Smith-Lightfoot, although the matter was investigated by the New York State Education Department, which issues professional licenses.

Smith-Lightfoot admitted disclosing personally identifiable patient information to her new employer and, in November 2017, signed a consent order with the state nursing board’s Office for Professional Discipline. That consent order was accepted by the Board of Regents in February.

In addition to the 12-month suspension of her license, Smith-Lightfoot received a 12-month stayed suspension and faces 2 years of probation when she returns to practice.
