HIPAA Compliance News

Aetna Files Further Lawsuit in an Attempt to Recover Costs from 2017 HIV Status Privacy Breach

Posted by HIPAA Journal

There have been further developments in the ongoing legal battles over a 2017 privacy breach experienced by Aetna involving the exposure of patients’ sensitive health information. A further lawsuit has been filed by the insurer in an attempt to recover the costs incurred as a result of the breach.

Ongoing Legal Battles Over the Exposure of Patients’ HIV Statuses

In 2017, the health insurer Aetna experienced a data breach that saw highly sensitive patient information impermissibly disclosed to other individuals. A mailing vendor sent letters to patients using envelopes with clear plastic windows and information about HIV medications were allegedly visible. The mailings related to HIV medications used to treat patients who had already contracted HIV and individuals who were taking drugs as pre-exposure prophylaxis. Approximately 12,000 patients received the mailing.

Lawsuits were filed on behalf of patients whose HIV positive status was impermissibly disclosed, which were settled in January for $17.2 million. A settlement was agreed with the New York state attorney general for a further $1.15 million to resolve the privacy violations.

Following on from those settlements, Aetna attempted to recover the cost of the settlements from Kurtzman Carson Consultants, the administrator who allegedly directed the mailing vendor to send the letters to patients that exposed their PHI. Aetna maintains that Kurtzman Carson Consultants did not communicate to Aetna that the mailing was being sent using windowed envelopes. The lawsuit is ongoing.

Further Lawsuit Filed Against Two Firms Representing Breach Victims

Now a lawsuit has been filed by Aetna against the law firm Whatley Kallas and the Californian advocacy group Consumer Watchdog in an attempt to recover at least part of the $20 million in settlements already paid. Consumer Watchdog and Whatley Kallas represented patients in a previous case that led to the sending of the notification letters that exposed patients’ sensitive information.

The privacy breach that led to the $20 million settlement occurred in response to a previous privacy incident that Aetna was sued over. That initial privacy breach related to a requirement for patients who had been prescribed HIV medication to receive the drugs by mail rather than collecting them in person. Since the drugs need to be kept refrigerated, and are dispatched in refrigerated containers, it was alleged that this would violate patients’ privacy as it would be clear to neighbors and co-workers that HIV drugs were being delivered.

The latest lawsuit alleges the plaintiffs were responsible for requiring Aetna to send sensitive information to the Kurtzman Carson Consultants, which Aetna was against and that after that information was passed to Kurtzman Carson Consultants, the plaintiffs failed to ensure the confidential information was protected.

Whatley Kallas had recommended using Kurtzman Carson Consultants and Consumer Watchdog were involved to make sure Aetna made good on its promise to change the requirements for patients to have the drugs sent by mail.

Harvey Rosenfield and Jerry Flanagan of Consumer Watchdog explained to Reuters, that they “edited the text of the letter to make sure we held Aetna’s feet to the fire,” but did not receive any protected health information and were not aware that windowed envelopes were being used and maintain Aetna is making “frivolous claims.”

“If Aetna believes that an attack on lawyers for Consumer Watchdog and Whatley Kallas LLP will be a cost-free exercise in retaliation, it is deeply mistaken,” wrote Rosenfield and Flanagan in a letter to the insurer, concluding “Aetna would be well advised to focus on remediation of its privacy practices on a nationwide basis as we are seeking in this action, instead of pursuing abusive and retaliatory tactics that seek to evade liability for its own failings and suggest that Aetna still does not take responsibility for ensuring that its customers’ private medical information is protected.”

While this may appear to be a case of passing the buck at face value, the case is not as frivolous as it may sound. According to Aetna, the law firm representing the plaintiffs in the original case were allegedly party to a proposal that stated windowed envelopes were going to be used, but the law firm failed to raise a red flag.

The post Aetna Files Further Lawsuit in an Attempt to Recover Costs from 2017 HIV Status Privacy Breach appeared first on HIPAA Journal.

OCR Reminds Covered Entities Not to Overlook Physical Security Controls

Posted by HIPAA Journal

The Department of Health and Human Services’ Office for Civil Rights (OCR) has reminded covered entities that HIPAA not only requires technical controls to be implemented to ensure the confidentiality, integrity, and availability of protected health information, but also appropriate physical security controls.

Physical controls are often the simplest and cheapest forms of protection to keep PHI private and confidential, yet these security controls are often overlooked. Some physical security controls cost nothing – such as ensuring portable electronic devices (laptop computers, portable storage devices, and pen drives) are locked away when they are not in use.

While this is a very basic form of security, it is one of the most effective ways of preventing theft and one that can prove incredibly costly if overlooked. OCR draws attention to a 2015 HIPAA breach settlement with Lahey Hospital and Medical Center. An unencrypted laptop computer was stolen from the Tufts Medical School affiliated teaching hospital resulting in the exposure 599 patients’ ePHI.

The laptop computer was used in connection with a computerized tomography (CT) scanner. The laptop was in an unlocked treatment room off an inner corridor of the radiology department. Lahey Hospital settled the case for $850,000. A high price to pay for failing to implement a free physical security control.

In 2014, QCA Health Plan agreed to settle potential HIPAA violations with OCR for $250,000. QCA Health plan failed to implement physical safeguards for all workstations to restrict access to ePHI to authorized users only. In that case, the workstation was an unencrypted laptop computer that was stolen from the vehicle of an employee.

In 2012, Massachusetts Eye and Ear Infirmary (MEEI) settled a HIPAA violation case with OCR for $1.5 million. This was another case of an unencrypted laptop computer being stolen that resulted in the impermissible disclosure of ePHI.

In 2016, OCR settled potential HIPAA violations with Feinstein Institute for Medical Research for $3.9 million. Feinstein Institute had failed to physically secure a laptop computer containing the ePHI of 13,000 patients. The device was also stolen from the vehicle of an employee.

In July 2016, University of Mississippi Medical Center settled a case with OCR for $2,750,000. An unencrypted laptop computer containing the ePHI of an estimated 10,000 patients was stolen from its Medical Intensive Care unit.

HIPAA requires covered entities and their business associates to implement “physical safeguards for all workstations that access ePHI to restrict access to authorized users.” Workstations include desktop computers, laptops, and other computing devices including portable storage devices, smartphones, and tablets.

It is up to HIPAA-covered entities and their business associates to decide on the most appropriate physical security controls to implement, which should be based on their risk analyses and risk management process.

Common physical security controls used to secure electronic devices and ePHI include:

  • Positioning desks to ensure screens cannot be easily viewed by anyone other than the user of a workstation
  • Privacy screens to prevent shoulder surfing
  • Cable locks to prevent electronic devices containing ePHI from being stolen
  • The use of security cameras to deter theft of electronic devices and physical PHI
  • Use of signage to remind employees about the need to use physical security controls
  • Use of port and device locks to prevent CD/DVD drives and USB connections from being used on workstations to copy ePHI and install unauthorized software.

The importance of preventing the use of USB drives by staff was highlighted in a recent study by Dtex Systems into insider threats. While the study was not conducted specifically on healthcare organizations, it did reveal that 90% of the risk assessments conducted on its customers and prospective customers revealed employees were transferring data to unencrypted USB devices.

As OCR explained in its May 2018 cybersecurity newsletter, “While the latest security solutions to combat new threats and vulnerabilities get much deserved attention, appropriate physical security controls are often overlooked.  Yet physical security controls remain essential and often cost-effective components of an organization’s overall information security program.”

The post OCR Reminds Covered Entities Not to Overlook Physical Security Controls appeared first on HIPAA Journal.

CMS Urged to Aggressively Enforce Compliance with HIPAA Administrative Simplifications

Posted by HIPAA Journal

The Department of Health and Human Services’ Office for Civil Rights is the primary enforcer of HIPAA Rules and has issued numerous financial penalties for HIPAA violations in response to complaints and data breaches. State attorneys general are also permitted to fine HIPAA-covered entities when violations of HIPAA Rules are discovered, and several state attorneys general have exercised that right. While the HHS’ Centers for Medicare & Medicaid Services is mandated to assist OCR with the enforcement of HIPAA Rules related to compliance with the HIPAA Administrative Simplifications, to date the CMS has not issued any fines.

The Medical Group Management Association (MGMA) believes that should change and the CMS should start enforcing compliance with HIPAA Rules that aim to reduce the administrative burden on healthcare providers.

In a recent letter to CMS, the MGMA explained it has received many complaints from members related to the failure of health plans to comply with HIPAA and ACA administrative simplification requirements. The lack of enforcement activity by the CMS in this area means there is no incentive for health plans to comply with the requirements relating to mandated transactions, national identifiers, code sets, and operating rules.

The letter, written by Anders Gilberg, MGA, Senior Vice President, Government Affairs, was submitted in response to a call for comments on the CMS complaint form. While comments specific to the complaint form were included in the letter, the MGMA also took it as an opportunity to criticize the CMS HIPAA administrative simplification enforcement process.

The CMS compliant form allows physician practices to formally file complaints against healthcare clearinghouses and health plans and notify CMS about HIPAA violations, although little action appears to be taken in response to those complaints.

MGMA explained in the letter that many health plans are not supporting national standards. Use of X12 270/271 (Eligibility & Benefit Verification) remains below 80%, X12 835 (Remittance Advice) is around 56%, use of the Electronic Funds Transfer transaction for payments has fallen from 62% to 60%, and use of the X12 278 (Prior Authorization) transaction has fallen from 18% to 8%.

MGMA notes that health plans are also trying to move providers away from using HIPAA standards to online portals. While there are benefits to the use of online portals, MGMA notes that “proprietary portals create a manual workflow process for providers and decreased revenue cycle automation.”

MGMA suggests CMS should step up its enforcement efforts to encourage health plans to comply with the HIPAA and ACA administrative simplification regulations. OCR has conducted HIPAA compliance audits, investigates complaints, and has issued multiple fines. Those fines are clearly communicated to the industry through news posts and press releases, making it clear that non-compliance will not be tolerated. OCR’s enforcement activities motivate HIPAA-covered entities to step up their efforts to comply with HIPAA Rules and also encourage individuals to report violations knowing that action will be taken.

“Health plans and clearinghouses unable or unwilling to support the administrative simplification standards and operating rules force providers to employ manual methods such as phone calls, facsimiles, and web portals, thus diverting scarce provider resources away from patient care,” wrote MGMA. Potentially millions of dollars in saving opportunities are going unrealized.

MGMA suggests CMS should implement random audits of health plans and healthcare clearinghouses to assess compliance with the administrative Simplifications, publish the names of covered entities that fail CMS audits, and list fines and corrective action plans that have been issued. MGMA also suggests the CMS should halt the voluntary Optimization Pilot for Administrative Simplification Transactions as it is likely to delay the commencement of an effective compliance-based audit program.

The post CMS Urged to Aggressively Enforce Compliance with HIPAA Administrative Simplifications appeared first on HIPAA Journal.

OCR Plans to Share HIPAA Violation Settlements with Breach Victims

Posted by HIPAA Journal

The Health Information Technology for Economic and Clinical Health (HITECH) Act was enacted in 2009 and includes a provision that calls for the Department of Health and Human Services to share a percentage of HIPAA settlements with victims of HIPAA violations and data breaches.

This month has seen some progress in that area. The Department of Health and Human Services’ Office for Civil Rights has announced it is planning on issuing an advance notice of proposed rulemaking in November about sharing a percentage of the fines it collects through its HIPAA enforcement activities with the victims of data breaches.

OCR officials have previously made it clear that steps will be taken to meet the requirements of this HITECH provision, but little progress has been made. This is not the first time that OCR has announced it plans to issue an advance notice of proposed rulemaking on the matter only for the advance notice of proposed rulemaking to be delayed.

If OCR follows through on its plans this fall, feedback will be sought from the public and industry stakeholders on how it can achieve that aim and the methodology that should be employed.

One thing is clear, such a step would certainly be a challenge. How would OCR decide on the percentage of any HIPAA settlement or fine that should be paid to the victims of HIPAA violations and data breaches and how would it be possible to share the money fairly between affected patients?

Should every individual affected by a violation/breach receive an equal share of any settlement or should the amount received be determined by the type of PHI that has been exposed or the level of harm caused? In the case of the latter, how would it be possible to quantify harm and ensure appropriate payments are made?

Settlements to resolve HIPAA violations are not only determined by the number of individuals affected and the severity of the violation. OCR also takes the ability of a covered entity to pay a penalty into account. The amount paid to breach victims of virtually carbon-copy HIPAA violations at different covered entities would likely be vastly different.

The more people impacted by a data breach, the less the share would likely be for affected individuals. For example, New York Presbyterian Hospital settled HIPAA violations with OCR for $2,200,000 in 2016 and MAPFRE Life Insurance Company of Puerto Rico settled its case with OCR for the same amount. The NYPH settlement resolved violations that affected a handful of patients, whereas the MAPFRE breach impacted 2,200 individuals. The relative payments if the percentage was fixed would differ considerably.

Potentially, HIPAA financial penalties could significantly increase if a percentage of funds are given to breach victims to ensure patients get a reasonable payment, especially for HIPAA violations and data breaches where considerable harm has been caused – The unauthorized disclosure of the HIV positive status of a patient for example or breaches where patients’ PHI has clearly been obtained by identity thieves and used for malicious purposes.

The methodology used would have to be very carefully considered to ensure funds are shared fairly. Even if the advance notice of proposed rulemaking is issued in November, it is likely to be some time before a fair methodology is decided and any payments are made.

OCR has also proposed other rules that could see HIPAA Rules modified in the near future. OCR has proposed a change to the HIPAA Privacy Rule provision requiring healthcare providers to obtain acknowledgment from patients of receipt of the notice of privacy practices. Currently healthcare providers are required to make a good faith effort to obtain written acknowledgements from patients, or must explain why acknowledgements have not been obtained. That requirement could well be removed.

Feedback will also be sought from the public on modifications to the HIPAA Privacy Rule to incorporate the accounting of protected health information disclosures of the HITECH Act, which has not yet been implemented due to the perceived cost to healthcare organizations.

OCR also proposes a change to the HIPAA Privacy Rule – Presumption of Good Faith of HealthCare Providers – that would “clarify that healthcare providers are presumed to be acting in the individual’s best interests when they share information with an incapacitated patient’s family members unless there is evidence that a provider has acted in bad faith.”

The post OCR Plans to Share HIPAA Violation Settlements with Breach Victims appeared first on HIPAA Journal.

Jury Must Decide Whether Psychiatrist was Sacked for a HIPAA Violation

Posted by HIPAA Journal

Boston-based Steward Healthcare System terminated a psychiatrist for violating HIPAA Rules but must now prove to a jury that was the case. The psychiatrist claims he was fired in retaliation over taking extended disability leave, not for a HIPAA violation.

Dr. Alexander Lipin contracted pneumonia and requested extended disability leave under the Family Medical Leave Act (FMLA). Extended leave was granted by Steward Healthcare System and Lipin was due to return to work on March 2, 2016. However, Lipin was fired on February 23 while still on disability leave over a HIPAA violation, which his attorney, Kavita M. Goyal, claims was used as an excuse for the termination.

Steward Healthcare System alleged Lipin had violated HIPAA Rules by providing patients’ protected health information to law enforcement. According to Steward Medical Group President, George Clairmont, the decision had been taken to fire Lipin over the HIPAA violation before he took leave. Clairmont also stated Lipin was fired after it was discovered he was working for Anna Jaques Hospital while on leave.

Lipin sued Steward Medical Group inc., Steward Healthcare System, and Holy Family Hospital over his dismissal. The case was removed to federal court in November 2016, and Steward Healthcare filed a motion for a summary judgement on the case.

Massachusetts federal judge, Leo. T. Sorokin, ruled that the case should proceed to trial to establish the facts surrounding the dismissal. Steward Healthcare will now be required to convince a jury that the decision to fire the psychiatrist was based on the HIPAA violation and not the discovery that Lipin was working for another hospital while on disability leave.

Clairmont maintains the decision to fire Lipin was made before he went on leave on January 26. The HIPAA violation was discovered on January 16 and the decision was taken to fire Lipin. Lipin was not fired immediately as advice was sought from the company’s legal department over the nature of the termination – whether it should be for cause, effective immediately, or without cause, in which case 90 days’ notice or pay in lieu of notice would be required.

Lipin took leave and notified Steward Healthcare on February 5 that he would remain on leave until February 17, and on February 12 told Steward Healthcare that he would need to remain on leave until February 23. On February 20, leave was extended until March 2.

On February 13, Steward Healthcare learned that Lipin was continuing to work for Anna Jaques Hospital in the mornings while on leave, and Lipin was terminated ten days later on February 23.

While Judge Sorokin explained that no evidence exists in the record that directly contradicts Clairmont’s account, “A factfinder could reasonably choose to disregard Clairmont’s testimony in light of the lack of any action taken by Steward to arrange coverage for Lipin’s patients or to terminate Lipin’s employment before February 13, especially when this inaction is contrasted with Steward’s concerted steps to fire Lipin after February 13,” wrote Judge Sorokin, “These circumstances could support a reasonable inference that Steward decided to fire Lipin only after Clairmont learned of Lipin’s work at Anna Jaques.”

An initial pre-trail conference has been scheduled for May 30, 2018.

The post Jury Must Decide Whether Psychiatrist was Sacked for a HIPAA Violation appeared first on HIPAA Journal.

GAO: Medical Records Can be Difficult and Expensive to Obtain

Posted by HIPAA Journal

A recent audit conducted by the Government Accountability Office (GAO) has shown patients still face many challenges obtaining copies of their health information and healthcare providers and insurers are struggling to meet HIPAA requirements – and in some cases – are breaching HIPAA Rules.

A 21st Century Cures Act provision required GAO to conduct a study on patient access to medical records. The audit involved interviews with stakeholders, vendors, provider organizations, patient advocates, and state and HHS officials. The audit was conducted in four states – Ohio, Kentucky, Rhode Island and Wisconsin – which were chosen, in part, due to the range of fees charged for providing patients with copies of their medical records.

Under HIPAA, patients are permitted to request copies of their health records from their providers. Patients can request their health records in paper or digital form and the requests must be processed within 30 days. HIPAA-covered entities are allowed to charge a reasonable, cost-based fee for providing patients with copies of their health data.

Patients obtain copies of their health information for several reason: To take a more active role in their own healthcare, to take their medical records to new providers, to resolve disputes with their insurers, to provide to lawyers, or for disability claims.

Patients also make requests for their records to be forward on to another person or entity by their provider, such as when they want a second opinion from another physician. Third parties may also be instructed by patients to obtain copies of their health records – a lawyer for example.

The GAO audit determined that the fees charged by providers varied considerably from state to state and for different types of request.

Some states have established fee schedules, formulas and limits for allowable fees. Three of the states – Ohio, Rhode Island, and Wisconsin – have established per-page fee amounts and different rates for obtaining medical images such as copies of X-rays. Ohio has established a per-page fee amount for third party requests, Rhode Island has a maximum fee for providers that use an EHR for patient and patient-directed requests, while Kentucky allows patients to obtain one free copy of their medical records and sets a maximum charge of $1 per page for any additional copies.

While HIPAA stipulates that providers can only charge a reasonable, cost-based fee for patient requests and patient-directed requests, those limits do not apply to third party requests for copies of data, and the charges are often considerably higher.

Excessive Fees Charged for Providing Copies of Health Information

In 2016, the Department of Health and Human Services’ Office for Civil Rights issued guidance for HIPAA-covered entities on the fees that could be charged for providing patients with copies of their health information.  Even so, some providers are not following HIPAA Rules.

In the GAO report, examples are provided of the excessive fees that have been charged. One patient was charged a fee of $148 for a single PDF of their medical records, and two patients were each charged more than $500 for a single request to obtain a copy of their medical records. One patient was charged a retrieval fee by a release-of-information (ROI) vendor for a copy of her health records, even though such fees are not permitted under HIPAA. There have also been cases of providers charging annual subscription fees for providing access to medical records.

One problem faced by patients whose medical conditions have required many visits to physicians is the amount of data stored by their providers. Their health records span many pages and fees are charged per page. That can make obtaining copies of health records prohibitively expensive.

The GAO report indicates many patients have made attempts to obtain copies of their medical records from their providers but cancelled the requests when they discovered to cost of doing so. There have been cases where providers have refused patients who have requested copies of their health records and patients have failed to challenge their providers.

The report made it clear that even though efforts have been made to improve understanding of HIPAA Rules, many patients are still unsure of their rights under HIPAA.

Healthcare Organizations Face Major Challenges Providing Access to Health Records

It is not only a challenge for patients to obtain their health records. Many providers also face challenges finding and retrieving information and processing the requests. Often, patients’ data are stored in digital format and on paper/film. Paper records may be stored in different locations and digital records stored in multiple EHRs.

Many providers find it difficult to allocate the necessary resources to the task of providing copies of medical records to patients and staff struggle to find the time to process requests due to extremely busy workloads.

Thorough checks must be made of the records to make sure patients are only provided with data from their own records. Sometimes, the process of transferring data from physical records to digital versions result in different patient records being merged.

There are also security challenges. While HIPAA allows patients to receive digital copies of their data, on a memory stick for example, plugging in such a device could introduce a malware infection.

Some healthcare providers have eased the strain by making patient health information available through patient portals. This has helped reduce the number of requests for providing copies of health data. Unfortunately, patient portals do not contain entire health records and patients may not be able to get the information they need.

Interviews with OCR officials revealed hundreds of complaints have been submitted by patients who have experienced difficulties accessing their medical records. The most common complaints are the failure of a provider to process requests for copies of health information within 30 days, excessive fees for the information, the failure to respond to requests to send health records to caregivers and family members, and denying requests from parents to obtain copies of their children’s medical records.

OCR is currently considering whether any further guidance is required to clarify allowable fees under HIPAA Rules, further to the guidance it issued on the matter in 2016.

The post GAO: Medical Records Can be Difficult and Expensive to Obtain appeared first on HIPAA Journal.

DoD IG Discovers Serious Flaws in Navy and Air Force EHR and Security Systems and Potential HIPAA Violations

Posted by HIPAA Journal

A Department of Defense Inspector General (DoDIG) audit of the electronic health record (EHR) and security systems at the Defense Health Agency (DHA), Navy, and Air Force has uncovered serious security vulnerabilities that could potentially be exploited to gain access to systems and protected health information (PHI).

This is the second DoDIG report from recent audits of military training facilities (MTFs). The first report revealed the DHA and Army had failed to consistently implement security protocols to safeguard EHRs and systems that stored, processed, or transmitted PHI. The latest report, which covers the DHA, Navy, and Air Force, has revealed serious vulnerabilities in 11 different areas.

Inconsistency of implementing security protocols to protect EHRs and PHI, and the ineffective administrative, technical, and physical safeguards deployed constitute violations of Health Insurance Portability and Accountability Act (HIPAA) Rules. Those violations could attract financial penalties of up to $1.5 million per violation category.

The DoDIG visited three Navy and two Air Force facilities and assessed 17 information systems across the five locations.

  • Naval Hospital Camp Pendleton, Camp Pendleton, CA
  • San Diego Naval Medical Center, San Diego, CA
  • S. Naval Ship Mercy, San Diego, CA
  • 436th Medical Group, Dover, DW
  • Wright-Patterson Medical Center, Dayton, OH

3 DoD EHR systems, 3 modified DoD EHR systems, 9 service-specific systems, and 2 DHA-owned systems were assessed.

There were instances where vulnerabilities had gone undetected and many cases of detected vulnerabilities failing to be addressed in a reasonable time frame. In its report, DoDIG said the audit at the 436th Medical Group revealed 342 of the 1,430 vulnerabilities identified in May had not been addressed and appeared in the vulnerability scan conducted in June.

The reason for the failure to consistently implement security protocols and address vulnerabilities differed at each audited site, but were largely due to a lack of resources, a lack of guidance, system incompatibility, and vendor limitations.

Security issues were identified in the following areas:

  • Failure to consistently implement multi-factor authentication
  • Failure to configure passwords to meet DoD length/complexity requirements
  • Failure to address known network vulnerabilities
  • Failures to set privileges based on users’ assigned duties
  • Failure to configure controls to lock EHRs after 15 minutes of inactivity
  • Failure to review system activity reports to identify suspicious activities and access attempts
  • Failure to develop standard operating procedures and manage system access
  • Failure to implement appropriate and adequate security protocols to protect ePHI and PHI from unauthorized access
  • Failure to maintain an inventory of all service-specific systems that stored, processed, or transmitted PHI
  • Failure to develop and maintain privacy impact assessments

“Without well-defined, effectively implemented system security protocols, the DHA, Navy, and Air Force compromised the integrity, confidentiality, and availability of PHI”, wrote DoDIG in its report. “Security protocols, when not applied or ineffective, increase the risk of successful cyberattacks; system and data breaches; data loss and manipulation; and unauthorized disclosures of PHI.”

DoDIG made several recommendations to improve security which included configuring systems used to store, process, or transmit ePHI to lock automatically after 15 minutes of inactivity; the development of an oversight plan to ensure recommendations are applied across all locations; actions to be taken to address vulnerabilities in a timely manner; implement procedures to only grant access to systems used to store, process, and transmit Phi based on users’ responsibilities.

DoDIG also recommended the Surgeons General for the Departments of the Navy and Air Force coordinate with the Navy Bureau of Medicine and Surgery and the Air Force Medical Service to assess whether the issues discovered exist at other service-specific military training facilities.

On the whole, the recommendations were accepted, although at certain locations some recommendations remain unresolved and require additional comments.

The DHA Director agreed that the DHA could potentially configure systems to lock after 15 minutes of inactivity, but did not provide assurances that its systems would be changed to incorporate that control.

The Executive Director for the Naval Medical Center, San Diego disagreed with one recommendation. The Military Sealift Command Chief of Staff partly agreed with two recommendations and disagreed with one, but suggested additional controls and alternate actions that could be taken to address all recommendations for the USNS Mercy.

The post DoD IG Discovers Serious Flaws in Navy and Air Force EHR and Security Systems and Potential HIPAA Violations appeared first on HIPAA Journal.

Class Action Lawsuit Claims UnityPoint Health Mislead Patients over Severity of Phishing Attack

Posted by HIPAA Journal

A class action lawsuit has been filed in response to a data breach at UnityPoint Health that saw the protected health information (PHI) of 16,429 patients exposed and potentially obtained by unauthorized individuals.

As with many other healthcare data breaches, PHI was exposed as a result of employees falling for phishing emails. UnityPoint Health discovered the security breach on February 15, 2018 and sent breach notification letters to affected patients two months later, on or around April 16, 2018.

HIPAA-covered entities have up to 60 days following the discovery of a data breach to issue notifications to patients. Many healthcare organizations wait before issuing breach notifications and submitting reports of the incident to the Department of Health and Human Services’ Office for Civil Rights.

Waiting for two months to issue notifications to breach victims could be viewed as a violation of HIPAA Rules. While the maximum time limit for reporting was not exceeded, the HIPAA Breach Notification Rule requires notifications to be sent ‘without unnecessary delay.’ The HHS’ Office for Civil Rights has taken action over delayed breach notifications in the past, although no penalties have been issued when notification letters have been sent within 60 days of the discovery of a breach.

The notification letters explained to patients that some of their health information had been exposed. The substitute breach notice posted on the UnityPoint Health website in April said the types of information potentially accessed by the attackers included “patient names and one or more of the following: dates of birth, medical record numbers, treatment information, surgical information, diagnoses, lab results, medications, providers, dates of service and/or insurance information. For a limited number of impacted individuals, information that may have been viewed included Social Security Numbers or other financial information.”

UnityPoint Health told patients no reports had been received to suggest that their PHI had been accessed, stolen, or misused.

Patients were encouraged to “remain vigilant in reviewing your account statements for fraudulent or irregular activity”, although the burden of protecting against identity theft and fraud was passed on to patients. Affected individuals were not offered credit monitoring and identity theft protection services nor were they protected by an insurance policy covering misuse of their data.

The lawsuit was filed on May 4 by attorney Robert Teel against Iowa Health Systems Inc., the company that runs UnityPoint Health. Yvonne Mart Fox, of Middleton, WI, lead plaintiff in the class action lawsuit, has accused UnityPoint Health of delaying reporting the breach to regulators and patients. She also alleges UnityPoint Health “misrepresented the nature, breadth, scope, harm, and cost of the privacy breach.”

Fox claims she has suffered sleep deprivation as a direct result of the breach and experiences daily anger. She also claims to have had an increase in the number of automated calls to her cellphone and landline in 2018 and an increase in marketing and other spam emails, which have been attributed to the theft of her contact information.

Fox and other class members are seeking compensatory, punitive, and other damages.

The post Class Action Lawsuit Claims UnityPoint Health Mislead Patients over Severity of Phishing Attack appeared first on HIPAA Journal.

Massachusetts Physician Convicted for Criminal HIPAA Violation

Posted by HIPAA Journal

Criminal penalties for HIPAA violations are relatively rare, although the Department of Justice does pursue criminal charges for HIPAA violations when there has been a serious violation of patient privacy, such as an impermissible disclosure of protected health information for financial gain or malicious purposes.

One such case has resulted in two criminal convictions – a violation of the Health Insurance Portability and Accountability Act and obstructing a criminal healthcare investigation.

The case relates to the DOJ investigation of the pharmaceutical firm Warner Chilcott over healthcare fraud. In 2015, Warner Chilcott plead guilty to paying kickbacks to physicians for prescribing its drugs and for manipulating prior authorizations to induce health insurance firms to pay for prescriptions. The case was settled with the DOJ for $125 million.

Last week, a Massachusetts gynecologist, Rita Luthra, M.D., 67, of Longmeadow, was convicted for violating HIPAA by providing a Warner Chilcott sales representative with access to the protected health information of patients for a period of 10 months between January 2011 and November 2011.

The access to PHI allowed patients with certain health conditions to be targeted by the firm and facilitated the receipt of prior authorizations for Warner Chilcott pharmaceutical products. When interviewed by federal agents about her relationship with Warner Chilcott, Luthra provided false information and obstructed the investigation.

Luthra had been previously charged for receiving kickbacks from Warner Chilcott in the form of fees for speaker training and speaking at educational events that did not take place. Luthra had accepted payments of approximately $23,500. The DOJ eventually dropped the charges, although the case against the physician continued to be pursued, resulting in the two convictions.

Luthra faces jail time and a substantial fine. The maximum penalty for the HIPAA violation is a custodial sentence of no more than 1 year, one year of supervised release, and a maximum fine of $50,000. The maximum penalty for obstructing a criminal health investigation is no more than 5 years in jail, three years of supervised release, and a fine of up to $250,000.

The post Massachusetts Physician Convicted for Criminal HIPAA Violation appeared first on HIPAA Journal.