HIPAA Compliance News

DoD IG Discovers Serious Flaws in Navy and Air Force EHR and Security Systems and Potential HIPAA Violations

A Department of Defense Inspector General (DoDIG) audit of the electronic health record (EHR) and security systems at the Defense Health Agency (DHA), Navy, and Air Force has uncovered serious security vulnerabilities that could potentially be exploited to gain access to systems and protected health information (PHI).

This is the second DoDIG report from recent audits of military training facilities (MTFs). The first report revealed the DHA and Army had failed to consistently implement security protocols to safeguard EHRs and systems that stored, processed, or transmitted PHI. The latest report, which covers the DHA, Navy, and Air Force, has revealed serious vulnerabilities in 11 different areas.

The inconsistent implementation of security protocols to protect EHRs and PHI, together with the ineffective administrative, technical, and physical safeguards that were deployed, constitutes a violation of Health Insurance Portability and Accountability Act (HIPAA) Rules. Those violations could attract financial penalties of up to $1.5 million per violation category.

The DoDIG visited three Navy and two Air Force facilities and assessed 17 information systems across the five locations.

  • Naval Hospital Camp Pendleton, Camp Pendleton, CA
  • San Diego Naval Medical Center, San Diego, CA
  • U.S. Naval Ship (USNS) Mercy, San Diego, CA
  • 436th Medical Group, Dover, DE
  • Wright-Patterson Medical Center, Dayton, OH

Three DoD EHR systems, three modified DoD EHR systems, nine service-specific systems, and two DHA-owned systems were assessed.

There were instances where vulnerabilities had gone undetected and many cases of detected vulnerabilities failing to be addressed in a reasonable time frame. In its report, DoDIG said the audit at the 436th Medical Group revealed 342 of the 1,430 vulnerabilities identified in May had not been addressed and appeared in the vulnerability scan conducted in June.

The reasons for the failure to consistently implement security protocols and address vulnerabilities differed at each audited site, but were largely a lack of resources, a lack of guidance, system incompatibility, and vendor limitations.

Security issues were identified in the following areas:

  • Failure to consistently implement multi-factor authentication
  • Failure to configure passwords to meet DoD length/complexity requirements
  • Failure to address known network vulnerabilities
  • Failure to set privileges based on users’ assigned duties
  • Failure to configure controls to lock EHRs after 15 minutes of inactivity
  • Failure to review system activity reports to identify suspicious activities and access attempts
  • Failure to develop standard operating procedures and manage system access
  • Failure to implement appropriate and adequate security protocols to protect ePHI and PHI from unauthorized access
  • Failure to maintain an inventory of all service-specific systems that stored, processed, or transmitted PHI
  • Failure to develop and maintain privacy impact assessments

“Without well-defined, effectively implemented system security protocols, the DHA, Navy, and Air Force compromised the integrity, confidentiality, and availability of PHI”, wrote DoDIG in its report. “Security protocols, when not applied or ineffective, increase the risk of successful cyberattacks; system and data breaches; data loss and manipulation; and unauthorized disclosures of PHI.”

DoDIG made several recommendations to improve security, including: configuring systems used to store, process, or transmit ePHI to lock automatically after 15 minutes of inactivity; developing an oversight plan to ensure recommendations are applied across all locations; taking action to address vulnerabilities in a timely manner; and implementing procedures so that access to systems used to store, process, or transmit PHI is granted only on the basis of users’ responsibilities.

DoDIG also recommended the Surgeons General for the Departments of the Navy and Air Force coordinate with the Navy Bureau of Medicine and Surgery and the Air Force Medical Service to assess whether the issues discovered exist at other service-specific military training facilities.

On the whole, the recommendations were accepted, although at certain locations some recommendations remain unresolved and require additional comments.

The DHA Director agreed that the DHA could potentially configure systems to lock after 15 minutes of inactivity, but did not provide assurances that its systems would be changed to incorporate that control.

The Executive Director for the Naval Medical Center, San Diego disagreed with one recommendation. The Military Sealift Command Chief of Staff partly agreed with two recommendations and disagreed with one, but suggested additional controls and alternate actions that could be taken to address all recommendations for the USNS Mercy.

The post DoD IG Discovers Serious Flaws in Navy and Air Force EHR and Security Systems and Potential HIPAA Violations appeared first on HIPAA Journal.

Class Action Lawsuit Claims UnityPoint Health Misled Patients over Severity of Phishing Attack

A class action lawsuit has been filed in response to a data breach at UnityPoint Health that saw the protected health information (PHI) of 16,429 patients exposed and potentially obtained by unauthorized individuals.

As with many other healthcare data breaches, PHI was exposed as a result of employees falling for phishing emails. UnityPoint Health discovered the security breach on February 15, 2018 and sent breach notification letters to affected patients two months later, on or around April 16, 2018.

HIPAA-covered entities have up to 60 days following the discovery of a data breach to issue notifications to patients. Many healthcare organizations wait before issuing breach notifications and submitting reports of the incident to the Department of Health and Human Services’ Office for Civil Rights.

Waiting for two months to issue notifications to breach victims could be viewed as a violation of HIPAA Rules. While the maximum time limit for reporting was not exceeded, the HIPAA Breach Notification Rule requires notifications to be sent ‘without unnecessary delay.’ The HHS’ Office for Civil Rights has taken action over delayed breach notifications in the past, although no penalties have been issued when notification letters have been sent within 60 days of the discovery of a breach.

The notification letters explained to patients that some of their health information had been exposed. The substitute breach notice posted on the UnityPoint Health website in April said the types of information potentially accessed by the attackers included “patient names and one or more of the following: dates of birth, medical record numbers, treatment information, surgical information, diagnoses, lab results, medications, providers, dates of service and/or insurance information. For a limited number of impacted individuals, information that may have been viewed included Social Security Numbers or other financial information.”

UnityPoint Health told patients no reports had been received to suggest that their PHI had been accessed, stolen, or misused.

Patients were encouraged to “remain vigilant in reviewing your account statements for fraudulent or irregular activity”, although the burden of protecting against identity theft and fraud was passed on to patients. Affected individuals were not offered credit monitoring and identity theft protection services nor were they protected by an insurance policy covering misuse of their data.

The lawsuit was filed on May 4 by attorney Robert Teel against Iowa Health Systems Inc., the company that runs UnityPoint Health. Yvonne Mart Fox, of Middleton, WI, lead plaintiff in the class action lawsuit, has accused UnityPoint Health of delaying reporting the breach to regulators and patients. She also alleges UnityPoint Health “misrepresented the nature, breadth, scope, harm, and cost of the privacy breach.”

Fox claims she has suffered sleep deprivation as a direct result of the breach and experiences daily anger. She also claims to have had an increase in the number of automated calls to her cellphone and landline in 2018 and an increase in marketing and other spam emails, which have been attributed to the theft of her contact information.

Fox and other class members are seeking compensatory, punitive, and other damages.


Massachusetts Physician Convicted for Criminal HIPAA Violation

Criminal penalties for HIPAA violations are relatively rare, although the Department of Justice does pursue criminal charges for HIPAA violations when there has been a serious violation of patient privacy, such as an impermissible disclosure of protected health information for financial gain or malicious purposes.

One such case has resulted in two criminal convictions – a violation of the Health Insurance Portability and Accountability Act and obstructing a criminal healthcare investigation.

The case relates to the DOJ investigation of the pharmaceutical firm Warner Chilcott over healthcare fraud. In 2015, Warner Chilcott pleaded guilty to paying kickbacks to physicians for prescribing its drugs and to manipulating prior authorizations to induce health insurance firms to pay for prescriptions. The case was settled with the DOJ for $125 million.

Last week, a Massachusetts gynecologist, Rita Luthra, M.D., 67, of Longmeadow, was convicted for violating HIPAA by providing a Warner Chilcott sales representative with access to the protected health information of patients for a period of 10 months between January 2011 and November 2011.

The access to PHI allowed patients with certain health conditions to be targeted by the firm and facilitated the receipt of prior authorizations for Warner Chilcott pharmaceutical products. When interviewed by federal agents about her relationship with Warner Chilcott, Luthra provided false information and obstructed the investigation.

Luthra had been previously charged for receiving kickbacks from Warner Chilcott in the form of fees for speaker training and speaking at educational events that did not take place. Luthra had accepted payments of approximately $23,500. The DOJ eventually dropped the charges, although the case against the physician continued to be pursued, resulting in the two convictions.

Luthra faces jail time and a substantial fine. The maximum penalty for the HIPAA violation is a custodial sentence of no more than 1 year, one year of supervised release, and a maximum fine of $50,000. The maximum penalty for obstructing a criminal health investigation is no more than 5 years in jail, three years of supervised release, and a fine of up to $250,000.


OCR Encourages Healthcare Organizations to Conduct a Gap Analysis

In its April 2018 cybersecurity newsletter, OCR draws attention to the benefits of performing a gap analysis in addition to a risk analysis. The latter is required to identify risks and vulnerabilities that could potentially be exploited to gain access to ePHI, while a gap analysis helps healthcare organizations and their business associates determine the extent to which an entity is compliant with specific elements of the HIPAA Security Rule.

The Risk Analysis

HIPAA requires covered entities and their business associates to perform a comprehensive, organization-wide risk analysis to identify all potential risks to the confidentiality, integrity, and availability of ePHI – 45 CFR § 164.308(a)(1)(ii)(A).

If a risk analysis is not performed, healthcare organizations cannot be certain that all potential vulnerabilities have been identified. Vulnerabilities would likely remain that could be exploited by threat actors to gain access to ePHI.

While HIPAA does not specify the methodology that should be used when conducting risk analyses, OCR explained in its newsletter that risk analyses must contain certain elements:

  • A comprehensive assessment of all risks to all ePHI, regardless of where the data is created, received, maintained, or transmitted, or the source or location of ePHI.
  • All locations and information systems where ePHI is created, received, maintained, or transmitted must be included in the risk analysis, so an inventory should be created that includes all applications, mobile devices, communications equipment, electronic media, networks, and physical locations in addition to workstations, servers, and EHRs.
  • The risk analysis should cover technical and non-technical vulnerabilities, the latter includes policies and procedures, with the former concerned with software flaws, weaknesses in IT systems, and misconfigured information systems and security solutions.
  • The effectiveness of current controls must be assessed and documented, including all security solutions such as AV software, endpoint protection systems, encryption software, and the implementation of patch management processes.
  • The likelihood that a specific threat will exploit a vulnerability and the impact should a vulnerability be exploited must be assessed and documented.
  • The level of risk should be determined for any specific threat or vulnerability. With a risk level assigned, it will be easier to determine the main priorities when mitigating risks through the risk management process.
  • The risk analysis must be documented in sufficient detail to demonstrate that a comprehensive, organization-wide risk analysis has been conducted, and that the risk analysis was accurate and covered all locations, devices, applications, policies, and procedures involving ePHI. OCR will request this documentation in the event of an investigation or compliance audit.
  • A risk analysis is not a one-time event to ensure compliance with the HIPAA Security Rule – it must be part of an ongoing process for continued compliance. The process must be regularly reviewed and updated, and risk analyses should be performed regularly. HIPAA does not stipulate how frequently a full or partial risk analysis should be performed. OCR suggests risk analyses are most effective when integrated into business processes.

Once a risk analysis has been performed, all risks and vulnerabilities identified must be addressed through a HIPAA-compliant security risk management process – 45 CFR § 164.308(a)(1)(ii)(B) – to reduce those risks to a reasonable and appropriate level.

Guidance on conducting an organization-wide risk analysis is available from HHS.

The Gap Analysis

A gap analysis is not a requirement of HIPAA Rules, although it can help healthcare organizations confirm that the requirements of the HIPAA Security Rule have been satisfied.

A gap analysis can be used as a partial assessment of an organization’s compliance efforts or could cover all provisions of the HIPAA Security Rule. Several gap analyses could be performed, each assessing a different set of standards and implementation specifications of the HIPAA Security Rule.

The gap analysis can give HIPAA-covered entities and their business associates an overall view of their compliance efforts, can help them discover areas where they are not yet compliant with HIPAA Rules, and can identify any gaps in the controls that have already been implemented.

Note that a gap analysis is not equivalent to a risk analysis, as it does not cover all possible risks to the confidentiality, integrity, and availability of ePHI as required by 45 C.F.R. §164.308(a)(1)(ii)(A).

OCR offers the following example of a simple gap analysis:

[Figure: OCR’s example of a simple gap analysis. Source: OCR]


How to Defend Against Insider Threats in Healthcare

One of the biggest data security challenges is how to defend against insider threats in healthcare. Insiders are responsible for more healthcare data breaches than hackers, making the industry unique.

Verizon’s Protected Health Information Data Breach Report highlights the extent of the problem. The report shows 58% of all healthcare data breaches and security incidents are the result of insiders.

Healthcare organizations also struggle to detect insider breaches, with many breaches going undetected for months or even years. One healthcare employee at a Massachusetts hospital was discovered to have been accessing healthcare records without authorization for 14 years before the privacy violations were detected, during which time the records of more than 1,000 patients had been viewed.

Healthcare organizations must not only take steps to reduce the potential for insider breaches, they should also implement technological solutions, policies, and procedures that allow breaches to be detected rapidly when they do occur.

What are Insider Threats?

Before explaining how healthcare organizations can protect against insider threats, it is worthwhile covering the main insider threats in healthcare.

An insider threat is one that comes from within an organization. That means an individual who has authorization to access healthcare resources, which includes EMRs, healthcare networks, email accounts, or documents containing PHI. Resources can be accessed with malicious intent, but oftentimes mistakes are made that can equally result in harm being caused to the organization, its employees, or its patients.

Insider threats are not limited to employees. Any individual who is given access to networks, email accounts, or sensitive information in order to complete certain tasks could deliberately or accidentally take actions that could negatively affect an organization. That includes business associates, subcontractors of business associates, researchers, volunteers, and former employees.

The consequences of insider breaches can be severe. Healthcare organizations can receive heavy fines for breaches of HIPAA Rules and violations of patient privacy; insider breaches can also damage an organization’s reputation, cause a loss of patient confidence, and leave organizations open to lawsuits.

According to the CERT Insider Threat Center, insider breaches are twice as costly and damaging as external threats. To make matters worse, 75% of insider threats go unnoticed.

Insider threats in healthcare can be split into two main categories based on the intentions of the insider: Malicious and non-malicious.

Malicious Insider Threats in Healthcare

Malicious insider threats in healthcare are those which involve deliberate attempts to cause harm, either to the organization, employees, patients, or other individuals. These include the theft of protected health information such as social security numbers/personal information for identity theft and fraud, the theft of data to take to new employers, theft of intellectual property, and sabotage.

Research by Verizon indicates 48% of insider breaches are conducted for financial gain, and with healthcare data fetching a high price on the black market, employees can easily be tempted to steal data.

A 2018 Accenture survey conducted on healthcare employees revealed one in five would be prepared to access and sell confidential data if the price was right. 18% of the 912 employees surveyed said they would steal data for between $500 and $1,000.

Alarmingly, the survey revealed that almost a quarter (24%) of surveyed healthcare employees knew of someone who had stolen data or sold their login credentials to an unauthorized outsider.

Disgruntled employees may attempt to sabotage IT systems or steal and hold data in case they are terminated. However, not all acts of sabotage are directed against employers. One notable example comes from Texas, where a healthcare worker used hospital devices to create a botnet that was used to attack a hacking group.

Non-Malicious Insider Threats in Healthcare

The Breach Barometer reports from Protenus/databreaches.net break down monthly data breaches by breach cause, including the number of breaches caused by insiders. All too often, insiders are responsible for more breaches than outsiders.

Snooping on medical records is all too common. When a celebrity is admitted to hospital, employees may be tempted to sneak a look at their medical records, or those of friends, family members, and ex-partners. The motivations of the employees are diverse. The Verizon report suggests 31% of insider breaches were employees accessing records out of curiosity, and a further 10% were because employees simply had access to patient records.

Other non-malicious threats include the accidental loss/disclosure of sensitive information, such as disclosing sensitive patient information to others, sharing login credentials, writing down login credentials, or responding to phishing messages.

The largest healthcare data breach in history – the theft of 78 million healthcare records from Anthem Inc. – is believed to have been made possible because of stolen credentials.

The failure to ensure PHI is emailed to the correct recipient, the misdirection of fax messages, and leaving portable electronic devices containing ePHI unattended cause many breaches each year. The Department of Health and Human Services’ Office for Civil Rights’ breach portal or ‘Wall of Shame’ is littered with incidents involving laptops, portable hard drives, smartphones, and zip drives that have been stolen after being left unattended.

How to Defend Against Insider Threats in Healthcare

The standard approach to mitigating insider threats can be broken down into four stages: Educate, Deter, Detect, and Investigate.

Educate: The workforce must be educated on allowable uses and disclosures of PHI, the risk associated with certain behaviors, patient privacy, and data security.

Deter: Policies must be developed to reduce risk and those policies enforced. The repercussions of HIPAA violations and privacy breaches should be clearly explained to employees.

Detect: Healthcare organizations should implement technological solutions that allow them to detect breaches rapidly and access logs should be regularly checked.

Investigate: When potential privacy and security breaches are detected they must be investigated promptly to limit the harm caused. When the cause of the breach is determined, steps should be taken to prevent a recurrence.

Some of the specific steps that can be taken to defend against insider threats in healthcare are detailed below:

Perform Background Checks

It should be standard practice to conduct a background check before any individual is employed. Checks should include contacting previous employers, Google searches, and a check of a potential employee’s social media accounts.

HIPAA training

All healthcare employees should be made aware of their responsibilities under HIPAA. Training should be provided as soon as possible, and ideally before network or PHI access is provided. Employees should be trained on HIPAA Privacy and Security Rules and informed of the consequences of violations, including loss of employment, possible fines, and potential criminal penalties for HIPAA violations.

Implement anti-phishing defenses

Phishing is the number one cause of data breaches. Healthcare employees are targeted as it is far easier to gain access to healthcare data if an employee provides login credentials than attempting to find software vulnerabilities to exploit. Strong anti-phishing defenses will prevent the majority of phishing emails from reaching inboxes. Advanced spam filtering software is now essential.

Security awareness training

Since no technological solution will prevent all phishing emails from reaching inboxes, it is essential – from a security and compliance perspective – to teach employees the necessary skills that will allow them to identify phishing attempts and other email/web-based threats.

Employees cannot be expected to know what actions place data and networks at risk. These must be explained if organizations want to eradicate risky behavior. Security awareness training should also be assessed. Phishing simulation exercises can help to reinforce training and identify areas of weakness that can be tackled with further training.

Encourage employees to report suspicious activity

Employees are often best placed to identify potential threats, such as changes in the behavior of co-workers. Employees should be encouraged to report potentially suspicious behavior and violations of HIPAA Rules.

While Edward Snowden did not work in healthcare, his actions illustrate this well. The NSA breach could have been avoided if his requests for co-workers’ credentials were reported.

Controlling access to sensitive information

The fewer privileges employees have, the easier it is to prevent insider breaches in healthcare. Limiting data access to the minimum necessary will limit the harm caused in the event of a breach. You should be implementing the principle of least privilege: give employees access to as little data as possible. This will limit the data that can be viewed or stolen by employees, or by hackers who manage to obtain login credentials.

Encrypt PHI on all portable devices

Portable electronic devices can easily be stolen, but the theft of a device need not result in the exposure of PHI. If full disk encryption is used, the theft of the device would not be a reportable incident and patients’ privacy would be protected.

Enforce the use of strong passwords

Employees can be told to use strong passwords or long passphrases, but unless password policies are enforced, there will always be one employee that chooses to ignore those policies and set a weak password. You should ensure that commonly used passwords and weak passwords cannot be set.

Use two-factor authentication

Two-factor authentication requires the use of a password for account access along with a security token. These controls prevent unauthorized access by outsiders, as well as limiting the potential for an employee to use another employee’s credentials.

Terminate access when no longer required

You should have a policy in place that requires logins to be deleted when an employee is terminated, a contract is completed, or employees leave to work for another organization. There have been many data breaches caused by delays in deleting data access rights. Data access should not be possible from the second an employee walks out the door for the last time.

Monitor Employee Activity

If employees require access to sensitive data for work purposes it can be difficult to differentiate between legitimate data access and harmful actions. HIPAA requires PHI access logs to be maintained and regularly checked. Since this is a labor-intensive task, it is often conducted far too infrequently. The easiest way to ensure inappropriate accessing of medical records is detected quickly is to implement action monitoring software and other software tools that can detect anomalies in user activity and suspicious changes in data access patterns.
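As an added example (not code from the HIPAA Journal article or any EHR vendor), the following Python script applies the checks called for under “Terminate access when no longer required” and “Monitor Employee Activity” to constructed EHR audit log lines: use of an account after its HR termination date, a daytime-only role working at night, a restricted record opened by someone outside its care team, and a user touching far more distinct patients than peers in the same role. Every user name, patient id, role window, termination date and threshold here is an assumption made up for the demonstration.

```python
"""Flag suspicious PHI access in a constructed EHR audit log (added example)."""
from collections import Counter, defaultdict
from datetime import datetime, time
from statistics import median

# --- Constructed reference data (hypothetical; not from the article) ---
# Roles that should only open records during the working day: role -> (start, end).
DAYTIME_ROLES = {"scheduler": (time(7, 0), time(19, 0))}
# Accounts HR has terminated and the moment their access should have ended.
TERMINATED = {"aroberts": datetime(2018, 4, 27)}
# Records marked restricted (e.g. a public figure) and the users allowed to open them.
RESTRICTED = {"P9001": {"dr_lee"}}

# Constructed audit log lines: timestamp,user,role,patient_id,action
SAMPLE_LOG = [
    "2018-05-01T09:12:00,jdoe,nurse,P1001,view",
    "2018-05-01T09:15:00,jdoe,nurse,P1002,view",
    "2018-05-01T10:00:00,jdoe,nurse,P9001,view",          # restricted record, not care team
    "2018-05-01T10:05:00,dr_lee,physician,P9001,view",    # restricted record, care team: fine
    "2018-05-01T11:00:00,aroberts,scheduler,P3001,view",  # account terminated on 27 Apr
    "2018-05-01T09:30:00,mchen,scheduler,P4001,view",
    "2018-05-01T09:31:00,mchen,scheduler,P4002,view",
    "2018-05-01T09:32:00,mchen,scheduler,P4003,view",
    "2018-05-01T13:00:00,kpatel,scheduler,P5001,view",
    "2018-05-01T13:02:00,kpatel,scheduler,P5002,view",
    "2018-05-01T13:04:00,kpatel,scheduler,P5003,view",
]
# A scheduler printing a dozen different records shortly after 02:40 in the morning.
SAMPLE_LOG += [
    f"2018-05-01T02:{40 + i:02d}:00,rsmith,scheduler,P20{i:02d},print"
    for i in range(12)
]


def parse(line):
    """Split one comma-separated audit line into a dict with a real datetime."""
    ts, user, role, patient, action = line.strip().split(",")
    return {"ts": datetime.fromisoformat(ts), "user": user, "role": role,
            "patient": patient, "action": action}


def detect(lines):
    """Return a list of (alert_kind, user, detail) tuples for the given log lines."""
    events = [parse(line) for line in lines]
    alerts = []
    patients_per_user = defaultdict(set)

    for e in events:
        patients_per_user[(e["user"], e["role"])].add(e["patient"])

        # 1. Access by an account that HR says should already have been disabled.
        end = TERMINATED.get(e["user"])
        if end is not None and e["ts"] >= end:
            alerts.append(("terminated_account", e["user"], e["patient"]))

        # 2. A daytime-only role opening records outside its working window.
        window = DAYTIME_ROLES.get(e["role"])
        if window and not (window[0] <= e["ts"].time() < window[1]):
            alerts.append(("after_hours", e["user"], e["patient"]))

        # 3. A restricted record opened by someone who is not on its care team.
        team = RESTRICTED.get(e["patient"])
        if team is not None and e["user"] not in team:
            alerts.append(("restricted_record", e["user"], e["patient"]))

    # 4. Volume: distinct patients well above the median for peers in the same role.
    by_role = defaultdict(list)
    for (user, role), patients in patients_per_user.items():
        by_role[role].append((user, len(patients)))
    for role, counts in by_role.items():
        med = median(n for _, n in counts)
        for user, n in counts:
            if n > max(5, 3 * med):  # floor of 5 keeps tiny samples from alerting
                alerts.append(("volume_spike", user,
                               f"{n} distinct patients vs role median {med}"))
    return alerts


def summarize(alerts):
    """Count alerts by kind, the figure a reviewer would look at first."""
    return Counter(kind for kind, _, _ in alerts)


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for kind, user, detail in found:
        print(f"{kind:18} {user:10} {detail}")
    print(dict(summarize(found)))
```

The median-based volume check deliberately compares a user only with peers in the same role, since a physician and a scheduler have very different legitimate access volumes.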


Healthcare Compliance Programs Not In Line With Expectations of Regulators

Healthcare compliance officers are prioritizing compliance with HIPAA Privacy and Security Rules, even though the majority of Department of Justice and the HHS Office of Inspector General enforcement actions are not for violations of HIPAA or security breaches, but corrupt arrangements with referral sources and false claims. There are more penalties issued by regulators for these two compliance failures than penalties for HIPAA violations.

HIPAA enforcement by the HHS’ Office for Civil Rights has increased, yet the liabilities to healthcare organizations from corrupt arrangements with referral sources and false claims are far higher. Even so, these aspects of compliance are relatively low down the list of priorities, according to a recent survey of 388 healthcare professionals conducted by SAI Global and Strategic Management Services.

The survey was conducted on compliance officers from healthcare organizations of all sizes, from small physician practices to large integrated hospital systems. The aim of the study was to identify the key issues faced by compliance officers and determine how compliance departments are responding and prioritizing their resources.

When asked to rank their main priorities, dealing with HIPAA data breaches was overwhelmingly the top priority and the biggest concerns were HIPAA privacy and security.

The list of HIPAA enforcement actions has grown considerably over the past two years, but there are still fewer penalties than for false claims and arrangements with referral sources. Even so, ensuring claims accuracy was ranked only third on compliance officers’ priority list, and arrangements with referral sources were ranked fifth. The survey shows there is a gap between what OIG and DOJ consider to be the highest-risk areas and where compliance officers see the greatest risks.

“The question has to be asked as to why, in the face of the enforcement agencies’ priorities, compliance officers are placing these high-risk areas in a lower priority,” said former HHS Inspector General and CEO of Strategic Management Services Richard Kusserow. “The takeaway from the survey is that compliance officers should be prepared to better align their priorities and programs with those set out by the regulatory and enforcement agencies.”

Part of the reason for the focus on HIPAA compliance is the increase in enforcement activity by OCR in the past two years, the media activity surrounding healthcare data breaches, and the relatively high fines for covered entities discovered not to have fully complied with HIPAA Rules. With OCR investigating all breaches of more than 500 records, and data breaches now occurring with increasing frequency, it is easy to see why HIPAA compliance is being prioritized.

Even though HIPAA is the main priority for compliance officers and where most resources are focused, only one in five compliance officers feels their organization is well prepared for a HIPAA compliance audit. Last year when the survey was conducted, 30% of compliance officers said they were highly confident that they were well prepared for a HIPAA audit. The percentage of compliance officers who said they are moderately prepared for a HIPAA compliance audit has increased from 50% to 61%, showing the focus on HIPAA compliance is having a positive effect.

The study suggests the workload for compliance officers is increasing, but budgets are stagnant. Compliance officers are increasingly responsible for conducting internal audits and providing legal counsel in addition to overseeing compliance with HIPAA Privacy and Security Rules. The high workload and limited resources mean other aspects of compliance are being neglected. According to the report, “Compliance offices are being stretched thin to meet their obligations.”

While external compliance assessments are highly beneficial, only a quarter of respondents said they use independent third parties to complete those assessments, with three quarters performing self-assessments, internal surveys, and using compliance checklists to evaluate their compliance programs.

“The 2018 Healthcare Compliance Benchmark Survey gives us a better understanding of compliance program development in the healthcare sector and suggests that effectiveness is being measured in terms of output, rather than outcome,” said SAI Global CEO Peter Grana. “It is abundantly clear that there is a need for healthcare organizations to remove barriers and increased responsibilities being laid on their compliance offices that distract from the development of effective risk controls.”

The post Healthcare Compliance Programs Not In Line With Expectations of Regulators appeared first on HIPAA Journal.

Former Berkeley Medical Center Worker Gets 5 Years’ Probation for Identity Theft

In federal court on Monday, Chief U.S. District Judge Gina M. Groh sentenced a former Berkeley Medical Center worker to 5 years’ probation for her role in an identity theft scam. In addition to probation, Angela Dawn Roberts, 42, of Stephenson, VA, must pay $22,000 in restitution.

Angela Dawn Roberts, also known as Angela Dawn Lee, had been working for WVU University Healthcare since 2014.

Roberts was employed to schedule appointments for patients at two medical centers – Berkeley Medical Center and Jefferson Medical Center – which provided her with access to patients’ protected health information.

Roberts copied sensitive information onto paper, including names, birth dates, and Social Security numbers, and in some cases printed copies of identity documents.

On January 19, 2017, Roberts was suspended following an internal investigation into data theft which was alleged to have occurred on June 27, 2016.

She was fired on January 27, 2017 and was prosecuted for stealing patient health information. Approximately 7,000 patients whose information was accessed by Roberts were notified of the risk of identity theft and fraud as a precaution.

Angela Dawn Roberts admitted stealing the protected health information of 10 patients and pleaded guilty to one count of identity theft. The plea agreement was filed in July.

The stolen information was passed to her co-defendant, Ajarhi Savimbi Roberts. Ajarhi Savimbi Roberts was charged with bank fraud in a 36-count indictment. He pleaded guilty and is scheduled to be sentenced on May 21.

The post Former Berkeley Medical Center Worker Gets 5 Years’ Probation for Identity Theft appeared first on HIPAA Journal.

Analysis of March 2018 Healthcare Data Breaches

There has been a month-over-month increase in healthcare data breaches. In March 2018, 29 security incidents were reported by HIPAA covered entities compared to 25 incidents in February.

March 2018 Healthcare Data Breaches

Even though more data breaches were reported in March, there was a fall in the number of individuals impacted by breaches. March 2018 healthcare data breaches saw 268,210 healthcare records exposed – a 13.13% decrease from the 308,780 records exposed in incidents in February.

Records exposed by Healthcare Data Breaches (March 2018)

Causes of March 2018 Healthcare Data Breaches

March saw the publication of the Verizon Data Breach Investigations Report which confirmed the healthcare industry is the only vertical where more data breaches are caused by insiders than hackers. That trend continued in March. Unauthorized access/disclosures, loss of devices/records, and improper disposal incidents were behind 19 of the 29 incidents reported – 65.5% of all incidents reported in March.

The main cause of healthcare data breaches in March 2018 was unauthorized access/disclosure incidents. Fourteen such incidents were reported, with theft/loss incidents the second main cause with 9 incidents, followed by hacking/IT incidents with 5 breaches reported.

Severity of Breaches by Breach Cause

| Breach Cause | Total Records Exposed in March | Median Records Exposed | Mean Records Exposed |
|---|---|---|---|
| Unauthorized Access/Disclosure | 166,859 | 3,551 | 11,919 |
| Hacking/IT Incident | 54,814 | 5,207 | 10,963 |
| Theft | 40,018 | 1,424 | 8,004 |
| Loss | 5,107 | 1,096 | 1,277 |
| Improper Disposal | 1,412 | 1,412 | 1,412 |

Largest Healthcare Data Breaches Reported in March 2018

There were ten healthcare data breaches reported in March that impacted more than 10,000 individuals. The largest data breach resulted in the exposure of 63,551 individuals’ PHI. That incident occurred and was discovered in December 2016, although the incident has only just been reported to the HHS’ Office for Civil Rights.

While hacking incidents usually result in the highest number of exposed/compromised records, in March it was unauthorized access/disclosure incidents that dominated the breach reports.

| Name of Covered Entity | Covered Entity Type | Individuals Affected | Type of Breach |
|---|---|---|---|
| Middletown Medical P.C. | Healthcare Provider | 63,551 | Unauthorized Access/Disclosure |
| ATI Holdings, LLC and its subsidiaries | Healthcare Provider | 35,136 | Hacking/IT Incident |
| City of Houston Medical Plan | Health Plan | 34,637 | Theft |
| Mississippi State Department of Health | Healthcare Provider | 30,799 | Unauthorized Access/Disclosure |
| Barnes-Jewish Hospital | Healthcare Provider | 18,436 | Unauthorized Access/Disclosure |
| Barnes-Jewish St. Peters Hospital | Healthcare Provider | 15,046 | Unauthorized Access/Disclosure |
| Special Agents Mutual Benefit Association | Health Plan | 13,942 | Unauthorized Access/Disclosure |
| Guardian Pharmacy of Jacksonville | Healthcare Provider | 11,521 | Hacking/IT Incident |
| Primary Health Care, Inc. | Healthcare Provider | 10,313 | Unauthorized Access/Disclosure |

March 2018 Healthcare Data Breaches by Covered Entity Type

No data breaches were reported by business associates of HIPAA-covered entities in March. The breach summaries published by the HHS’ Office for Civil Rights suggest there was no business associate involvement in any of the 29 incidents reported.

However, the largest reported incident – the breach at Middletown Medical – is marked as having no business associate involvement, even though the breach notice uploaded to the provider’s website indicates the incident was caused by a subcontractor of a business associate. It is therefore possible that more of the March breaches had some business associate involvement than the summaries suggest.

Records Exposed by Covered Entity Type

Unsurprisingly, given the number of incidents reported by healthcare providers, these incidents resulted in the highest number of exposed records – 154,325 records – followed by breaches at business associates/subcontractors – 63,551 records – and health plans – 50,334 records.

Breaches at business associates/subcontractors saw the highest number of records exposed per incident (Median & Mean = 63,551 records), followed by health plans (Median=13,943 records / Mean = 16,778 records), and healthcare providers (Median = 1,843 records / Mean = 6,173 records).

Location of Breached Protected Health Information

The main location of breached protected health information in March was portable electronic devices (laptops/other portable devices), with 9 incidents reported. Had encryption been used to protect ePHI on these devices, a breach of PHI could easily have been avoided.

The second biggest problem area was email with 8 reported incidents. These breaches include misdirected emails and phishing incidents.

Securing physical records continues to be a problem. There were five incidents reported in March that involved physical records such as paper and films.

March 2018 Healthcare Data Breaches by State

In March 2018, six states experienced multiple healthcare data breaches. While California usually tops the list for the most breaches, this month it was Massachusetts-based healthcare organizations that were the hardest hit, with 5 incidents reported.

California was in second place with four security incidents, followed by Missouri and New York with three, and Maryland and Texas with two. The 10 other states where breaches occurred were Arkansas, Colorado, District of Columbia, Florida, Georgia, Iowa, Illinois, Minnesota, Mississippi, and West Virginia.

Financial Penalties for Breaches and HIPAA Violations

There were no civil monetary penalties issued by the Department of Health and Human Services’ Office for Civil Rights in March, and no settlements with HIPAA-covered entities or business associates to resolve HIPAA violations.

The New York attorney general’s office has continued to take a hard line on companies discovered to have violated HIPAA Rules and suffered data breaches as a result, with one further settlement reached in March.

Virtua Medical Group agreed to settle violations of HIPAA and state laws for $417,816. That penalty relates to the failure to secure an FTP server, although it was not the healthcare provider that was directly responsible. The error was made by a business associate of Virtua Medical Group.

The post Analysis of March 2018 Healthcare Data Breaches appeared first on HIPAA Journal.

What to Do if You Discover a HIPAA Violation in the Workplace

If you discover a HIPAA violation in the workplace, what you should do depends on the nature of the violation, whether or not unsecured PHI has been impermissibly disclosed, and what the potential consequences are.

If you suspect there has been a HIPAA violation in the workplace, should you report the violation? If so, how should you report the potential violation and who needs to be told?

Is it Necessary to Report a HIPAA Violation in the Workplace?

If you think you have accidentally violated HIPAA Rules or you believe a work colleague or your employer is failing to comply with the HIPAA Rules, the potential violation(s) should be reported.

Since the publication of the HIPAA Enforcement Rule, HIPAA-covered entities can be financially penalized for HIPAA violations. If an uncorrected HIPAA violation is discovered during an investigation of a complaint, a data breach, or HIPAA audit, HHS’ Office for Civil Rights (OCR) may choose to pursue a financial settlement to resolve the violation. Such actions are far less likely when a violation has been discovered internally and corrected to prevent a recurrence.

If a patient’s privacy has been violated, by reporting the violation internally you will allow your employer to take steps to reduce the potential for further harm and will be helping to ensure that similar incidents do not occur in the future.

Who Should be Notified About a Potential HIPAA Violation?

Healthcare employees who discover a HIPAA violation in the workplace should report the incident to their supervisor or their HIPAA Privacy Officer in the first instance. The HIPAA Privacy Officer will need to be notified of any HIPAA compliance failure as an investigation will need to be conducted, which should include a risk assessment.

The risk assessment will help the Privacy Officer determine whether the violation is a reportable incident. Not all internal violations of HIPAA Rules need to be reported, but the failure to notify the patient and OCR of a reportable breach of unsecured PHI could result in a financial penalty.

Action should also be taken to ensure that the cause of the breach is corrected. That may require updates to policies and procedures and/or further staff training.

There have been cases of employees reporting HIPAA violations internally only for no actions to appear to be taken to address the issue. In such cases, the matter can be escalated and a complaint filed with the HHS’ Office for Civil Rights – the main enforcer of the HIPAA Rules.

How long do you have to report a HIPAA violation?

HIPAA violations should be reported internally immediately. Employees and patients have the option to bypass notifying the Covered Entity and directly file a HIPAA complaint with the Office for Civil Rights (OCR) under the Department of Health and Human Services (HHS) if they believe that a Covered Entity has violated the HIPAA Privacy, Security, or Breach Notification Rules. This is especially applicable in cases of serious violations, potential criminal violations, willful/widespread neglect of HIPAA Rules, or multiple suspected violations.

OCR provides various channels for submitting HIPAA complaints, including its Complaint Page, fax, mail, or email. When filing a complaint, it is important to provide details such as the reason for the complaint, the potential violation, information about the Covered Entity or Business Associate involved, the suspected date and location of the violation, and the date when the complainant became aware of the possible violation.

Complaints should generally be submitted within 180 days of discovering the violation, although extensions may be granted with good cause. While anonymous complaints are accepted, it is important to note that OCR requires name and contact information for investigation purposes. All complaints will be reviewed, and investigations will be initiated if there are suspected violations of HIPAA Rules and the complaint is filed within the designated timeframe.

Do HIPAA violations have to be reported?

While HIPAA does not explicitly require individuals or organizations to report every single HIPAA violation they encounter, there are certain circumstances where reporting is mandatory or strongly encouraged. Covered entities, such as healthcare providers, health plans, and healthcare clearinghouses, are required to report breaches of unsecured protected health information (PHI) to the affected individuals, the Department of Health and Human Services (HHS), and in some cases, the media. Additionally, business associates, who are third-party entities that handle PHI on behalf of covered entities, are required to report breaches of PHI to the covered entity.

Apart from breach reporting, it is generally recommended that individuals and organizations report HIPAA violations to the appropriate authorities. This helps to ensure compliance with HIPAA regulations, protect patient privacy and security, and prevent further violations. Reporting can be done to the covered entity’s privacy officer or the Office for Civil Rights (OCR) within HHS, which is responsible for enforcing HIPAA.

Certain states may have additional reporting requirements or regulations that apply in conjunction with HIPAA. Therefore, it is advisable to consult state-specific laws and regulations to determine the reporting obligations in a particular jurisdiction.

Examples of HIPAA Violations by Employers

| HIPAA Violation | Description |
|---|---|
| Improper Access to Employee Health Information | Employers accessing and reviewing the medical records or health information of their employees without a legitimate need or proper authorization. |
| Inadequate Safeguards for Employee Health Information | Employers failing to implement appropriate security measures to protect the confidentiality and integrity of employee health information, such as storing health records in an insecure location or failing to secure electronic health systems. |
| Unauthorized Disclosure of Employee Health Information | Employers sharing an employee’s medical condition, treatment details, or other sensitive health information with individuals who are not involved in the employee’s healthcare or have a legitimate reason to access that information. |
| Retaliation against Employees | Employers retaliating against employees for exercising their rights under HIPAA, such as filing a complaint or reporting a violation. |
| Insufficient Employee Training | Employers neglecting to provide adequate training and education to employees on HIPAA regulations and the proper handling of employee health information, leading to unintentional violations. |
| Improper Use of Employee Health Information | Employers using employee health information for purposes unrelated to healthcare, such as making employment decisions based on an employee’s health condition or sharing health information for non-work-related reasons. |
| Lack of Written Policies and Procedures | Employers failing to establish and maintain written policies and procedures outlining how employee health information should be handled, safeguarded, and disclosed, as required by HIPAA. |

Filing a Complaint with the HHS’ Office for Civil Rights

OCR investigates complaints about potential HIPAA violations, but only if the complainant provides their name and contact details. Complaints can be submitted anonymously, although it is unlikely any further action will be taken. While many employees may be reluctant to provide such information, healthcare organizations are not permitted to take retaliatory action against individuals who report a HIPAA violation in the workplace.

Financial penalties for HIPAA violations are typically only issued when there has been a willful violation of the HIPAA Rules, although penalties are possible for violations that have occurred through negligence or ongoing compliance failures. However, in many cases, HIPAA violations are resolved through voluntary compliance or by OCR providing technical assistance.

FAQs about Reporting a HIPAA Violation in the Workplace

What happens if I am not an employee, but I see a HIPAA violation in the workplace?

If you are not an employee, but you see a HIPAA violation in the workplace, what happens depends on whether you are a member of a covered entity’s or business associate’s workforce (see the definition of workforce in §160.103), or if you are a member of the public (i.e., patient, visitor, etc.).

If you are a member of a covered entity’s or business associate’s workforce, you should report the violation to your immediate manager or supervisor. If you feel your report is not acted on, you can escalate it to the organization’s HIPAA Privacy Officer or HHS’ Office for Civil Rights.

If you are a member of the public, you can raise the issue with the organization’s HIPAA Privacy Officer or HHS’ Office for Civil Rights. The contact details of the organization’s Privacy Officer are on the organization’s Notice of Privacy Practices and website, or you can contact HHS’ Office for Civil Rights via any of the methods listed on OCR’s Complaint Page.

When I raised a violation concern with my supervisor, I was told HIPAA did not apply. Can this be true?

If you have raised a violation concern with your supervisor and been told HIPAA does not apply, there could be several reasons for this. HIPAA may not apply due to the nature of the organization’s operations. For example, not all healthcare providers qualify as HIPAA covered entities; and, even when they do, other federal and state laws may preempt HIPAA (e.g., FERPA, Texas HB300, etc.).

HIPAA may not apply because the nature of information disclosed is not covered by HIPAA (not all patient information is “protected”) or because the disclosure is permitted by the HIPAA Rule even though it appears it shouldn’t be – for example, to an employer who needs information about a patient’s illness or injury to comply with OSHA reporting requirements.

Your best course of action is to ask your supervisor why HIPAA doesn’t apply to the suspected violation and use a third-party source to confirm the supervisor’s response. It may be the case your supervisor is misinformed about when HIPAA applies, and your violation concern may have to be escalated to the HIPAA Privacy Officer.

Should reporting violations be included in HIPAA training?

The process for reporting violations should be included in HIPAA training when the organization you work for is subject to any of the HIPAA Privacy, Security, or Breach Notification Rules. This not only means covered entities (who are required to provide training on “policies and procedures with respect of PHI”) but also business associates (to whom the Security Rule applies) and vendors of personal health apps who are required to comply with the Breach Notification Rule.

Why doesn’t HHS’ Office for Civil Rights investigate anonymous reports?

HHS’ Office for Civil Rights does not investigate anonymous reports because it could lead to an increase in false reports and unjustified or malicious complaints – stretching the agency’s resources and potentially reducing the amount of technical assistance available for organizations that need it.

Additionally, the Privacy Rule protects genuine complainants from retaliation. Under §160.316, a covered entity or business associate “may not threaten, intimidate, coerce, harass, discriminate against, or take any other retaliatory action against any individual or other person” who:

  • Files a complaint or reports a HIPAA violation,
  • Assists in an investigation into the complaint/report, or
  • Refuses to take an action that would violate HIPAA.

How do I go about reporting a whole team that is not compliant with HIPAA?

Reporting a whole team that is not compliant with HIPAA can be complicated because sometimes teams take shortcuts with HIPAA compliance “to get the job done”, and when the shortcuts are allowed to continue, a “culture of non-compliance” can develop. In such circumstances, it is a good idea to initially report your concerns to a supervisor, or to escalate them to the Privacy Officer if you are concerned that reporting them to a supervisor may affect your standing among your colleagues.

What is a HIPAA violation in the workplace?

A HIPAA violation in the workplace is any failure to comply with the standards and implementation specifications of the HIPAA Administrative Simplification Rules (i.e., the Privacy, Security, and Breach Notification Rules) when the workplace is controlled by an entity subject to the Health Insurance Portability and Accountability Act of 1996.

Entities subject to HIPAA include – but are not limited to – health plans, health care clearinghouses, and most healthcare providers (collectively known as “Covered Entities”), third-party businesses that provide a service for or on behalf of a Covered Entity (collectively known as “Business Associates”), subcontractors of Business Associates, and vendors of some personal health devices.

Is HIPAA violation reporting mandatory in all workplaces?

Whether HIPAA violation reporting is mandatory in all workplaces depends on the policies developed and implemented by the Covered Entity or Business Associate in control of the workplace. Generally, HIPAA violation reporting to an organization’s Privacy Officer is mandatory for certain types of violation, while minor violations that do not result in an impermissible disclosure of PHI or breach of unsecured PHI might be dealt with by a manager or supervisor.

When a HIPAA violation does result in an impermissible disclosure of PHI or a breach of unsecured PHI, Covered Entities and Business Associates are required to report the breach to affected individuals and to HHS’ Office for Civil Rights. Some states also have mandatory HIPAA violation reporting requirements; and, in these states, reports have to be made to the state Attorney General. Additionally, HIPAA requires Business Associates to report all “security events” to the Covered Entity whether they result in an impermissible disclosure/breach of PHI or not.

Are there any examples of HIPAA violations by employers?

There are many examples of HIPAA violations by employers when the word “employer” relates to a Covered Entity or Business Associate and the “employer” has failed to train staff on HIPAA-compliant privacy policies or implement appropriate safeguards to protect the confidentiality, integrity, and availability of electronic PHI. You will find a wide selection on HHS’ Breach Report.

However, when the word “employer” relates to a business in its role as an employer, it is important to be aware that HIPAA does not apply (other than when an employer administers a self-sponsored health plan). Therefore, when an employer maintains health information about employees (for example, in an HR role), Privacy Rule protections do not apply; and, if the health information is disclosed without an employee’s authorization, it is not a violation of HIPAA.

If you believe a privacy violation has taken place, who should you report it to?

If you believe a privacy violation has taken place, you should report it to your organization’s Compliance Officer. If the privacy violation involves an impermissible disclosure of health information, and the organization you work for is covered by the HIPAA Privacy Rule, it is important to make the Compliance Officer aware of this because it is a notifiable breach of PHI.

How long do you have to report a HIPAA violation?

How long you have to report a HIPAA violation depends on the nature of the violation, organizational policies, whether or not the violation involves the impermissible disclosure of PHI or a breach of unsecured PHI, and – if so – the state the violation occurred in.

All Covered Entities (and some Business Associates) are required to develop and implement policies and procedures to comply with the Privacy Rule. The policies and procedures will determine whether a HIPAA violation is reportable and how long a member of the workforce has to report it.

Some organizations may choose to limit which violations are reported to reduce the workload on Privacy Officers. Therefore, an innocuous violation (e.g., the failure to document a patient’s consent to notify family members of their hospitalization) might be dealt with at supervisor level.

If the HIPAA violation involves an impermissible disclosure of PHI or a breach of unsecured PHI, the violation should be reported to the Privacy and/or Security Officer as quickly as possible to mitigate the impact of the violation (regardless of any time limits stipulated in an organizational policy).

Thereafter, the Privacy Officer has 60 days to notify the affected individual(s) and – if a breach affects more than 500 individuals – HHS’ Office for Civil Rights. However, some states have much shorter notification periods; and although many states exempt HIPAA Covered Entities from their Breach Notification laws, they do not always exempt breaches attributable to a Business Associate.

If you witness a HIPAA violation at work, what should you do?

If you witness a HIPAA violation at work, you should report it to your supervisor or manager; or, if this is impractical, to your organization’s Privacy Officer. Many workplaces have implemented anonymous channels of communication for reporting HIPAA violations, and this may save you the embarrassment of being confronted by a work colleague who has been sanctioned for the violation.

How do you report HIPAA violations?

How you report HIPAA violations can depend on whether you are a member of a Covered Entity’s workforce, or a patient or plan member. This is because some Covered Entities implement policies stipulating that HIPAA violations in the workplace must be reported by staff members to a specific individual – often the organization’s Privacy Officer.

If such policies apply, you should only contact HHS’ Office for Civil Rights if the Privacy Officer fails to act on the report or you are retaliated against for making a report. HIPAA’s General Administrative Requirements prohibit Covered Entities from intimidation, discrimination, and retaliation if a member of the workforce files a complaint or supports a compliance investigation.

Patients and plan members also have this option, but can – if they wish – report HIPAA violations to their state Attorney General or HHS’ Office for Civil Rights without first reporting a HIPAA violation to the Privacy Officer. Again, the Covered Entity is prohibited from intimidation, discrimination, and retaliation for filing a complaint with HHS’ Office for Civil Rights.

Is there a HIPAA violation reporting reward?

There is no HIPAA violation reporting reward available from HHS’ Office for Civil Rights. However, nothing in the text of HIPAA prevents Covered Entities and Business Associates from implementing a reward system. Indeed, a HIPAA violation reporting reward system could encourage members of the workforce to report HIPAA violations and help support a compliant workforce.

What should you do if you think your policies conflict with HIPAA?

What you should do if you think your policies conflict with HIPAA depends on whether you represent a Covered Entity (i.e., a Privacy Officer) or are a member of a Covered Entity’s workforce. If you represent a Covered Entity, you should seek professional compliance advice and amend your policies to align with HIPAA or any state laws that preempt HIPAA.

If you are a member of a Covered Entity’s workforce, you should raise your concerns with your organization’s Privacy Officer. In such cases, you are not required to comply with organizational policies that conflict with HIPAA (although it may be in your professional best interest to do so), and your employer is not allowed to sanction you for non-compliance with conflicting policies.

Section 45 CFR §160.316 of the General Administrative Requirements states:

“A covered entity may not threaten, intimidate, coerce, harass, discriminate against, or take any other retaliatory action against any individual or other person for […] opposing any act or practice made unlawful by this subchapter, provided the individual has a good faith belief that the practice opposed is unlawful, and the manner of opposition is reasonable and does not involve a disclosure of protected health information in violation of subpart E of part 164 [the Privacy Rule].”

What is a medical assistant’s responsibility if they witness a violation of HIPAA?

A medical assistant’s responsibility if they witness a violation of HIPAA depends on the content of the HIPAA violation reporting policy implemented by their employer. Depending on the nature of the violation, the medical assistant may be required to report the violation of HIPAA to a supervisor or manager, or to their organization’s HIPAA Privacy Officer.

The post What to Do if You Discover a HIPAA Violation in the Workplace appeared first on HIPAA Journal.