HIPAA Compliance News

Former Berkeley Medical Center Worker Gets 5 Years’ Probation for Identity Theft

In federal court on Monday, Chief U.S. District Judge Gina M. Groh sentenced a former Berkeley Medical Center worker to 5 years’ probation for her role in an identity theft scam. In addition to probation, Angela Dawn Roberts, 42, of Stephenson, VA, must pay $22,000 in restitution.

Angela Dawn Roberts, also known as Angela Dawn Lee, had been working for WVU University Healthcare since 2014.

Roberts was employed to schedule appointments for patients at two medical centers – Berkeley Medical Center and Jefferson Medical Center – which provided her with access to patients’ protected health information.

Roberts copied sensitive information onto paper, including names, birth dates, and Social Security numbers, and in some cases printed copies of identity documents.

On January 19, 2017, Roberts was suspended following an internal investigation into data theft which was alleged to have occurred on June 27, 2016.

She was fired on January 27, 2017 and was prosecuted for stealing patient health information. Approximately 7,000 patients whose information was accessed by Roberts were notified of the risk of identity theft and fraud as a precaution.

Angela Dawn Roberts admitted stealing the protected health information of 10 patients and pleaded guilty to one count of identity theft. The plea agreement was filed in July.

The stolen information was passed to her co-defendant, Ajarhi Savimbi Roberts. Ajarhi Savimbi Roberts was charged with bank fraud in a 36-count indictment. He pleaded guilty and is scheduled to be sentenced on May 21.

The post Former Berkeley Medical Center Worker Gets 5 Years’ Probation for Identity Theft appeared first on HIPAA Journal.

Analysis of March 2018 Healthcare Data Breaches

There has been a month-over-month increase in healthcare data breaches. In March 2018, 29 security incidents were reported by HIPAA covered entities compared to 25 incidents in February.


Even though more data breaches were reported in March, there was a fall in the number of individuals impacted by breaches. March 2018 healthcare data breaches saw 268,210 healthcare records exposed – a 13.13% decrease from the 308,780 records exposed in incidents in February.

Records exposed by Healthcare Data Breaches (March 2018)

Causes of March 2018 Healthcare Data Breaches

March saw the publication of the Verizon Data Breach Investigations Report which confirmed the healthcare industry is the only vertical where more data breaches are caused by insiders than hackers. That trend continued in March. Unauthorized access/disclosures, loss of devices/records, and improper disposal incidents were behind 19 of the 29 incidents reported – 65.5% of all incidents reported in March.

The main cause of healthcare data breaches in March 2018 was unauthorized access/disclosure incidents. 14 incidents were reported, with theft/loss incidents the second main cause with 9 incidents, followed by hacking/IT incidents with 5 breaches reported.

Severity of Breaches by Breach Cause

| Breach Cause | Total Records Exposed in March | Median Records Exposed | Mean Records Exposed |
|---|---|---|---|
| Unauthorized Access/Disclosure | 166,859 | 3,551 | 11,919 |
| Hacking/IT Incident | 54,814 | 5,207 | 10,963 |
| Theft | 40,018 | 1,424 | 8,004 |
| Loss | 5,107 | 1,096 | 1,277 |
| Improper Disposal | 1,412 | 1,412 | 1,412 |

Largest Healthcare Data Breaches Reported in March 2018

There were ten healthcare data breaches reported in March that impacted more than 10,000 individuals. The largest data breach resulted in the exposure of 63,551 individuals’ PHI. That incident occurred and was discovered in December 2016, although the incident has only just been reported to the HHS’ Office for Civil Rights.

While hacking incidents usually result in the highest number of exposed/compromised records, in March it was unauthorized access/disclosure incidents that dominated the breach reports.

| Name of Covered Entity | Covered Entity Type | Individuals Affected | Type of Breach |
|---|---|---|---|
| Middletown Medical P.C. | Healthcare Provider | 63,551 | Unauthorized Access/Disclosure |
| ATI Holdings, LLC and its subsidiaries | Healthcare Provider | 35,136 | Hacking/IT Incident |
| City of Houston Medical Plan | Health Plan | 34,637 | Theft |
| Mississippi State Department of Health | Healthcare Provider | 30,799 | Unauthorized Access/Disclosure |
| Barnes-Jewish Hospital | Healthcare Provider | 18,436 | Unauthorized Access/Disclosure |
| Barnes-Jewish St. Peters Hospital | Healthcare Provider | 15,046 | Unauthorized Access/Disclosure |
| Special Agents Mutual Benefit Association | Health Plan | 13,942 | Unauthorized Access/Disclosure |
| Guardian Pharmacy of Jacksonville | Healthcare Provider | 11,521 | Hacking/IT Incident |
| Primary Health Care, Inc. | Healthcare Provider | 10,313 | Unauthorized Access/Disclosure |

March 2018 Healthcare Data Breaches by Covered Entity Type

No data breaches were reported by business associates of HIPAA-covered entities in March. The breach summaries published by the HHS’ Office for Civil Rights suggest there was no business associate involvement in any of the 29 incidents reported.

However, the largest reported incident – the breach at Middletown Medical – is marked as having no business associate involvement, when the breach notice uploaded to the provider’s website indicates the incident was caused by a subcontractor of a business associate. It is possible there were more security breaches in March that had some business associate involvement.


Records Exposed by Covered Entity Type

Unsurprisingly, given the number of incidents reported by healthcare providers, these incidents resulted in the highest number of exposed records – 154,325 records – followed by breaches at business associates/subcontractors – 63,551 records – and health plans – 50,334 records.

Breaches at business associates/subcontractors saw the highest number of records exposed per incident (Median & Mean = 63,551 records), followed by health plans (Median=13,943 records / Mean = 16,778 records), and healthcare providers (Median = 1,843 records / Mean = 6,173 records).

Location of Breached Protected Health Information

The main location of breached protected health information in March was portable electronic devices (laptops/other portable devices), with 9 incidents reported. Had encryption been used to protect ePHI on these devices, a breach of PHI could easily have been avoided.

The second biggest problem area was email with 8 reported incidents. These breaches include misdirected emails and phishing incidents.

Securing physical records continues to be a problem. There were five incidents reported in March that involved physical records such as paper and films.


March 2018 Healthcare Data Breaches by State

In March 2018, six states experienced multiple healthcare data breaches. While California usually tops the list for the most number of breaches, this month it was Massachusetts-based healthcare organizations that were the hardest hit, with 5 incidents reported.

California was in second place with four security incidents, followed by Missouri and New York with three, and Maryland and Texas with two. The 10 other states where breaches occurred were Arkansas, Colorado, District of Columbia, Florida, Georgia, Iowa, Illinois, Minnesota, Mississippi, and West Virginia.

Financial Penalties for Breaches and HIPAA Violations

There were no civil monetary penalties issued by the Department of Health and Human Services’ Office for Civil Rights in March, and no settlements with HIPAA-covered entities or business associates to resolve HIPAA violations.

The New York attorney general’s office has continued to take a hard line on companies discovered to have violated HIPAA Rules and suffered data breaches as a result, with one further settlement reached in March.

Virtua Medical Group agreed to settle violations of HIPAA and state laws for $417,816. That penalty relates to the failure to secure an FTP server, although it was not the healthcare provider that was directly responsible. The error was made by a business associate of Virtua Medical Group.


What to Do if You Discover a HIPAA Violation in the Workplace

If you discover a HIPAA violation in the workplace, what you should do depends on the nature of the violation, whether or not unsecured PHI has been impermissibly disclosed, and what the potential consequences are.

If you suspect there has been a HIPAA violation in the workplace, should you report it? If so, how should you report the potential violation, and who needs to be told?

Is it Necessary to Report a HIPAA Violation in the Workplace?

If you think you have accidentally violated HIPAA Rules or you believe a work colleague or your employer is failing to comply with the HIPAA Rules, the potential violation(s) should be reported.

Since the publication of the HIPAA Enforcement Rule, HIPAA-covered entities can be financially penalized for HIPAA violations. If an uncorrected HIPAA violation is discovered during an investigation of a complaint, a data breach, or HIPAA audit, HHS’ Office for Civil Rights (OCR) may choose to pursue a financial settlement to resolve the violation. Such actions are far less likely when a violation has been discovered internally and corrected to prevent a recurrence.

If a patient’s privacy has been violated, by reporting the violation internally you will allow your employer to take steps to reduce the potential for further harm and will be helping to ensure that similar incidents do not occur in the future.

Who Should be Notified About a Potential HIPAA Violation?

Healthcare employees who discover a HIPAA violation in the workplace should report the incident to their supervisor or their HIPAA Privacy Officer in the first instance. The HIPAA Privacy Officer will need to be notified of any HIPAA compliance failure as an investigation will need to be conducted, which should include a risk assessment.

The risk assessment will help the Privacy Officer determine whether the violation is a reportable incident. Not all internal violations of HIPAA Rules need to be reported, but the failure to notify the patient and OCR of a reportable breach of unsecured PHI could result in a financial penalty.

Action should also be taken to ensure that the cause of the breach is corrected. That may require updates to policies and procedures and/or further staff training.

There have been cases of employees reporting HIPAA violations internally only for no actions to appear to be taken to address the issue. In such cases, the matter can be escalated and a complaint filed with the HHS’ Office for Civil Rights – the main enforcer of the HIPAA Rules.

How long do you have to report a HIPAA violation?

HIPAA violations should be reported internally immediately. Employees and patients have the option to bypass notifying the Covered Entity and directly file a HIPAA complaint with the Office for Civil Rights (OCR) under the Department of Health and Human Services (HHS) if they believe that a Covered Entity has violated the HIPAA Privacy, Security, or Breach Notification Rules. This is especially applicable in cases of serious violations, potential criminal violations, willful/widespread neglect of HIPAA Rules, or multiple suspected violations.

The OCR provides various channels for submitting HIPAA complaints, including their Complaint Page, fax, mail, or email. When filing a complaint, it is important to provide details such as the reason for the complaint, the potential violation, information about the Covered Entity or Business Associate involved, the suspected date and location of the violation, and the date when the complainant became aware of the possible violation.

Complaints should generally be submitted within 180 days of discovering the violation, although extensions may be granted with good cause. While anonymous complaints are accepted, it is important to note that OCR requires name and contact information for investigation purposes. All complaints will be reviewed, and investigations will be initiated if there are suspected violations of HIPAA Rules and the complaint is filed within the designated timeframe.

Do HIPAA violations have to be reported?

While HIPAA does not explicitly require individuals or organizations to report every single HIPAA violation they encounter, there are certain circumstances where reporting is mandatory or strongly encouraged. Covered entities, such as healthcare providers, health plans, and healthcare clearinghouses, are required to report breaches of unsecured protected health information (PHI) to the affected individuals, the Department of Health and Human Services (HHS), and in some cases, the media. Additionally, business associates, who are third-party entities that handle PHI on behalf of covered entities, are required to report breaches of PHI to the covered entity.

Apart from breach reporting, it is generally recommended that individuals and organizations report HIPAA violations to the appropriate authorities. This helps to ensure compliance with HIPAA regulations, protect patient privacy and security, and prevent further violations. Reporting can be done to the covered entity’s privacy officer or the Office for Civil Rights (OCR) within HHS, which is responsible for enforcing HIPAA. Certain states may have additional reporting requirements or regulations that apply in conjunction with HIPAA. Therefore, it is advisable to consult state-specific laws and regulations to determine the reporting obligations in a particular jurisdiction.

Examples of HIPAA Violations by Employers

| HIPAA Violation | Description |
|---|---|
| Improper Access to Employee Health Information | Employers accessing and reviewing the medical records or health information of their employees without a legitimate need or proper authorization. |
| Inadequate Safeguards for Employee Health Information | Employers failing to implement appropriate security measures to protect the confidentiality and integrity of employee health information, such as storing health records in an insecure location or failing to secure electronic health systems. |
| Unauthorized Disclosure of Employee Health Information | Employers sharing an employee’s medical condition, treatment details, or other sensitive health information with individuals who are not involved in the employee’s healthcare or have a legitimate reason to access that information. |
| Retaliation against Employees | Employers retaliating against employees for exercising their rights under HIPAA, such as filing a complaint or reporting a violation. |
| Insufficient Employee Training | Employers neglecting to provide adequate training and education to employees on HIPAA regulations and the proper handling of employee health information, leading to unintentional violations. |
| Improper Use of Employee Health Information | Employers using employee health information for purposes unrelated to healthcare, such as making employment decisions based on an employee’s health condition or sharing health information for non-work-related reasons. |
| Lack of Written Policies and Procedures | Employers failing to establish and maintain written policies and procedures outlining how employee health information should be handled, safeguarded, and disclosed, as required by HIPAA. |

Filing a Complaint with the HHS’ Office for Civil Rights

OCR investigates complaints about potential HIPAA violations, but only if the complainant provides their name and contact details. Complaints can be submitted anonymously, although it is unlikely any further action will be taken. While many employees may be reluctant to provide such information, healthcare organizations are not permitted to take retaliatory action against individuals who report a HIPAA violation in the workplace.

Financial penalties for HIPAA violations are typically only issued when there has been a willful violation of the HIPAA Rules, although penalties are possible for violations that have occurred through negligence or ongoing compliance failures. However, in many cases, HIPAA violations are resolved through voluntary compliance or by OCR providing technical assistance.

FAQs about Reporting a HIPAA Violation in the Workplace

What happens if I am not an employee, but I see a HIPAA violation in the workplace?

If you are not an employee, but you see a HIPAA violation in the workplace, what happens depends on whether you are a member of a covered entity’s or business associate’s workforce (see definition of workforce in §160.103), or if you are a member of the public (i.e., patient, visitor, etc.).

If you are a member of a covered entity’s or business associate’s workforce, you should report the violation to your immediate manager or supervisor. If you feel your report is not acted on, you can escalate it to the organization’s HIPAA Privacy Officer or HHS’ Office for Civil Rights.

If you are a member of the public, you can raise the issue with the organization’s HIPAA Privacy Officer or HHS’ Office for Civil Rights. The contact details of the organization’s Privacy Officer are on the organization’s Notice of Privacy Practices and website, or you can contact HHS’ Office for Civil Rights via any of the methods it publishes for filing complaints.

When I raised a violation concern with my supervisor, I was told HIPAA did not apply. Can this be true?

If you have raised a violation concern with your supervisor and been told HIPAA does not apply, there could be several reasons for this. HIPAA may not apply due to the nature of the organization’s operations. For example, not all healthcare providers qualify as HIPAA covered entities; and, even when they do, other federal and state laws may preempt HIPAA (e.g., FERPA, Texas HB300, etc.).

HIPAA may not apply because the nature of information disclosed is not covered by HIPAA (not all patient information is “protected”) or because the disclosure is permitted by the HIPAA Rule even though it appears it shouldn’t be – for example, to an employer who needs information about a patient’s illness or injury to comply with OSHA reporting requirements.

Your best course of action is to ask your supervisor why HIPAA doesn’t apply to the suspected violation and use a third-party source to confirm the supervisor’s response. It may be the case your supervisor is misinformed about when HIPAA applies, and your violation concern may have to be escalated to the HIPAA Privacy Officer.

Should reporting violations be included in HIPAA training?

The process for reporting violations should be included in HIPAA training when the organization you work for is subject to any of the HIPAA Privacy, Security, or Breach Notification Rules. This not only means covered entities (who are required to provide training on “policies and procedures with respect of PHI”) but also business associates (to whom the Security Rule applies) and vendors of personal health apps who are required to comply with the Breach Notification Rule.

Why doesn’t HHS’ Office for Civil Rights investigate anonymous reports?

HHS’ Office for Civil Rights does not investigate anonymous reports because it could lead to an increase in false reports and unjustified or malicious complaints – stretching the agency’s resources and potentially reducing the amount of technical assistance available for organizations that need it.

Additionally, the Privacy Rule protects genuine complainants from retaliation. Under §160.316, a covered entity or business associate “may not threaten, intimidate, coerce, harass, discriminate against, or take any other retaliatory action against any individual or other person” who:

  • Files a complaint or reports a HIPAA violation,
  • Assists in an investigation into the complaint/report, or
  • Refuses to take an action that would violate HIPAA.

How do I go about reporting a whole team that is not compliant with HIPAA?

Reporting a whole team that is not compliant with HIPAA can be complicated because sometimes teams take short cuts with HIPAA compliance “to get the job done” and when the short cuts are allowed to continue, a “culture of non-compliance” can develop. In such circumstances, it is a good idea to initially report your concerns to a supervisor or escalate them to the Privacy Officer if you have concerns reporting them to a supervisor may affect your standing among your colleagues.

What is a HIPAA violation in the workplace?

A HIPAA violation in the workplace is any failure to comply with the standards and implementation specifications of the HIPAA Administrative Simplification Rules (i.e., the Privacy, Security, and Breach Notification Rules) when the workplace is controlled by an entity subject to the Health Insurance Portability and Accountability Act of 1996.

Entities subject to HIPAA include – but are not limited to – health plans, health care clearinghouses, and most healthcare providers (collectively known as “Covered Entities”), third-party businesses that provide a service for or on behalf of a Covered Entity (collectively known as “Business Associates”), subcontractors of Business Associates, and vendors of some personal health devices.

Is HIPAA violation reporting mandatory in all workplaces?

Whether HIPAA violation reporting is mandatory in all workplaces depends on the policies developed and implemented by the Covered Entity or Business Associate in control of the workplace. Generally, HIPAA violation reporting to an organization’s Privacy Officer is mandatory for certain types of violation, while minor violations that do not result in an impermissible disclosure of PHI or breach of unsecured PHI might be dealt with by a manager or supervisor.

When a HIPAA violation does result in an impermissible disclosure of PHI or a breach of unsecured PHI, Covered Entities and Business Associates are required to report the breach to affected individuals and to HHS’ Office for Civil Rights. Some states also have mandatory HIPAA violation reporting requirements; and, in these states, reports have to be made to the state Attorney General. Additionally, HIPAA requires Business Associates to report all “security events” to the Covered Entity whether they result in an impermissible disclosure/breach of PHI or not.

Are there any examples of HIPAA violations by employers?

There are many examples of HIPAA violations by employers when the word “employer” relates to a Covered Entity or Business Associate and the “employer” has failed to train staff on HIPAA-compliant privacy policies or implement appropriate safeguards to protect the confidentiality, integrity, and availability of electronic PHI. You will find a wide selection on HHS’ Breach Report.

However, when the word “employer” relates to a business in its role as an employer, it is important to be aware that HIPAA does not apply (other than when an employer administers a self-sponsored health plan). Therefore, when an employer maintains health information about employees (for example, in an HR role), Privacy Rule protections do not apply; and, if the health information is disclosed without an employee’s authorization, it is not a violation of HIPAA.

If you believe a privacy violation has taken place, who should you report it to?

If you believe a privacy violation has taken place, you should report it to your organization’s Compliance Officer. If the privacy violation involves an impermissible disclosure of health information, and the organization you work for is covered by the HIPAA Privacy Rule, it is important to make the Compliance Officer aware of this because it is a notifiable breach of PHI.

How long do you have to report a HIPAA violation?

How long you have to report a HIPAA violation depends on the nature of the violation, organizational policies, whether or not the violation involves the impermissible disclosure of PHI or a breach of unsecured PHI, and – if so – the state the violation occurred in.

All Covered Entities (and some Business Associates) are required to develop and implement policies and procedures to comply with the Privacy Rule. The policies and procedures will determine whether a HIPAA violation is reportable and how long a member of the workforce has to report it.

Some organizations may choose to limit which violations are reported to reduce the workload on Privacy Officers. Therefore, an innocuous violation (e.g., the failure to document a patient’s consent to notify family members of their hospitalization) might be dealt with at supervisor level.

If the HIPAA violation involves an impermissible disclosure of PHI or a breach of unsecured PHI, the violation should be reported to the Privacy and/or Security Officer as quickly as possible to mitigate the impact of the violation (regardless of any time limits stipulated in an organizational policy).

Thereafter, the Privacy Officer has 60 days to notify the affected individual(s) and – if a breach affects more than 500 individuals – HHS’ Office for Civil Rights. However, some states have much shorter notification periods; and although many states exempt HIPAA Covered Entities from their Breach Notification laws, they do not always exempt breaches attributable to a Business Associate.

If you witness a HIPAA violation at work, what should you do?

If you witness a HIPAA violation at work, you should report it to your supervisor or manager; or, if this is impractical, to your organization’s Privacy Officer. Many workplaces have implemented anonymous channels of communication for reporting HIPAA violations, and this may save you the embarrassment of being confronted by a work colleague who has been sanctioned for the violation.

How do you report HIPAA violations?

How you report HIPAA violations can depend on whether you are a member of a Covered Entity’s workforce, or a patient or plan member. This is because some Covered Entities implement policies stipulating that HIPAA violations in the workplace must be reported by staff members to a specific individual – often the organization’s Privacy Officer.

If such policies apply, you should only contact HHS’ Office for Civil Rights if the Privacy Officer fails to act on the report or you are retaliated against for making a report. HIPAA’s General Administrative Requirements prohibit Covered Entities from intimidation, discrimination, and retaliation if a member of the workforce files a complaint or supports a compliance investigation.

Patients and plan members also have this option, but can – if they wish – report HIPAA violations to their state Attorney General or HHS’ Office for Civil Rights without first reporting a HIPAA violation to the Privacy Officer. Again, the Covered Entity is prohibited from intimidation, discrimination, and retaliation for filing a complaint with HHS’ Office for Civil Rights.

Is there a HIPAA violation reporting reward?

There is no HIPAA violation reporting reward available from HHS’ Office for Civil Rights. However, nothing in the text of HIPAA prevents Covered Entities and Business Associates from implementing a reward system. Indeed, a HIPAA violation reporting reward system could encourage members of the workforce to report HIPAA violations and help support a compliant workforce.

What should you do if you think your policies conflict with HIPAA?

What you should do if you think your policies conflict with HIPAA depends on whether you represent a Covered Entity (i.e., a Privacy Officer) or are a member of a Covered Entity’s workforce. If you represent a Covered Entity, you should seek professional compliance advice and amend your policies to align with HIPAA or any state laws that preempt HIPAA.

If you are a member of a Covered Entity’s workforce, you should raise your concerns with your organization’s Privacy Officer. In such cases, you are not required to comply with organizational policies that conflict with HIPAA (although it may be in your professional best interest to do so), and your employer is not allowed to sanction you for non-compliance with conflicting policies.

Section 45 CFR §160.316 of the General Administrative Requirements states:

“A covered entity may not threaten, intimidate, coerce, harass, discriminate against, or take any other retaliatory action against any individual or other person for […] opposing any act or practice made unlawful by this subchapter, provided the individual has a good faith belief that the practice opposed is unlawful, and the manner of opposition is reasonable and does not involve a disclosure of protected health information in violation of subpart E of part 164 [the Privacy Rule].”

What is a medical assistant’s responsibility if they witness a violation of HIPAA?

A medical assistant’s responsibility if they witness a violation of HIPAA depends on the content of the HIPAA violation reporting policy implemented by their employer. Depending on the nature of the violation, the medical assistant may be required to report the violation of HIPAA to a supervisor or manager, or to their organization’s HIPAA Privacy Officer.


2 to 6 Year Jail Term for Receptionist Who Stole PHI from Dentist Office

A former receptionist at a New York dental practice has been sentenced to serve 2 to 6 years in state penitentiary for stealing the protected health information of hundreds of patients.

Annie Vuong, 31, was given access to the computer system and dental records of patients in order to complete her work duties. Vuong abused the access rights and stole the PHI of more than 650 patients. That information was passed to her co-defendants who used the data to steal identities and make fraudulent purchases of high value items.

Vuong was arrested on February 2, 2015, following a two-and-a-half-year investigation into identity theft by the New York District Attorney’s Office.

The theft of data occurred between May and November 2012, when the PHI of 653 patients was taken from the dental office. The types of information stolen included names, birth dates, and Social Security numbers. That information was shared with co-defendant Devin Bazile in an email.

Bazile used the information to obtain credit lines from Barclaycard in the victims’ names. Credit ranged from $2,000 to $7,000 per individual. Bazile, along with co-defendants Joshua Hamilton and Ahmeen Evans, used the credit to purchase Apple gift cards that were then used to buy tablets and laptop computers totaling more than $700,000.

Bazile and Haughton had already been convicted and sentenced to lengthy jail terms for their role in the identity theft scheme. Bazile and Haughton were convicted of Grand Larceny in the Second Degree in 2015 and were sentenced to serve 3 to 9 years and 1 and 1/3 to 4 years in jail respectively. Evans was also convicted of Grand Larceny in the Second Degree and was sentenced to 5 years’ probation.

Vuong was found guilty of 189 counts against her including one count of Grand Larceny in the Second Degree, 49 counts of Grand Larceny in the Third Degree, 63 counts of Identity Theft in the First Degree, 45 counts of Grand Larceny in the Fourth Degree, 30 counts of Identity Theft in the Second Degree, and one count of Unlawful Possession of Personal Identification Information in the Second Degree.


HHS Files Motion to Dismiss Ciox Health Lawsuit

The Department of Health and Human Services has filed a motion to dismiss a lawsuit filed by the healthcare information management company Ciox Health claiming the lawsuit lacks standing.

Early this year, Ciox Health filed a lawsuit challenging changes to HIPAA in 2013 and subsequent enforcement guidance issued by the HHS in 2016. The changes to the HIPAA Privacy Rule in 2013 in question placed a limit on the amount that could be charged by covered entities for providing patients with copies of their health records. The charges must be limited to a reasonable cost-based fee. In 2016, the HHS issued guidance for the public explaining the rulemaking and providing answers to commonly asked questions about medical record access.

Ciox Health claims the changes threaten to upend the medical records industry and that the updates and guidance are ultra vires, arbitrary and capricious. Ciox Health is also seeking injunctive relief to stop the HHS from unlawfully enforcing the regulations.

In its motion to dismiss the lawsuit, filed in the U.S. District Court in Washington, D.C., HHS explains that the claims made by Ciox Health lack standing because the rulemaking it is challenging applies only to HIPAA-covered entities. Ciox Health is a business associate, not a covered entity. HHS points out that Ciox Health is challenging a rule to which the company is not subject. Further, the challenged guidance has no force or effect of law and, as such, there is nothing for Ciox Health to challenge.

The fees that Ciox Health can charge for providing copies of medical records are not limited by HIPAA. The HIPAA Rule that the firm is challenging is concerned with the fees that covered entities can charge patients. The fees that Ciox Health charges covered entities are a matter for Ciox Health to resolve with the covered entities that it serves.

HHS explained that the claims of Ciox Health lack standing because the challenge is directed at “a rule that is anchored in a complex statutory scheme without basing the challenge on any concrete enforcement action.” HHS also argued that Ciox Health failed to establish that it has suffered an injury as a result of the 2013 rulemaking and 2016 guidance, and that there are no constitutional grounds for the claims.

“Because HHS has not and cannot take enforcement action against Ciox regarding the fees it charges for individual requests of PHI, Ciox cannot raise either an enforcement or preenforcement challenge to the Privacy Rule provision and guidance at issue.”


Lack of Security Awareness Training Leaves Healthcare Organizations Exposed to Cyberattacks

A recent study conducted by the Ponemon Institute on behalf of Merlin International has revealed healthcare organizations are failing to provide sufficient security awareness training to their employees, which is hampering efforts to improve security posture.

Phishing is a major security threat and the healthcare industry is being heavily targeted. Phishing offers threat actors an easy way to bypass healthcare organizations’ security defenses. Threat actors are now using sophisticated tactics to evade detection by security solutions and get their emails delivered. Social engineering techniques are used to fool employees into responding to phishing emails, disclosing their login credentials, or installing malware.

Phishing is used in a high percentage of cyberattacks on healthcare organizations. Research conducted by Cofense (formerly PhishMe) suggests as many as 91% of cyberattacks start with a phishing email. While security solutions can be implemented to block the majority of phishing emails from being delivered to end users’ inboxes, it is not possible to block 100% of malicious emails. Security awareness training is therefore essential.

Healthcare employees should be trained to recognize phishing emails and to respond correctly when potentially malicious messages are received. Training should be provided to help eliminate risky behaviors and teach cybersecurity best practices. The failure to provide sufficient training leaves healthcare organizations at risk of attack.

The Ponemon/Merlin International study of 627 healthcare executives in the United States suggests healthcare organizations are not doing enough to improve security awareness and develop a security culture. More than half of respondents (52%) said the lack of security awareness was affecting their organization’s security posture.

The Merlin International report, 2018 Impact of Cyber Insecurity on Healthcare Organizations, revealed 62% of respondents have experienced a cyberattack in the past 12 months, with half of those incidents resulting in the loss of healthcare data. Poor security awareness is contributing to a high percentage of those breaches.

When asked about the biggest concerns, there was an equal split between external attacks by hackers and internal breaches due to errors and employee negligence – 63% and 64% respectively.

The main threats to the confidentiality, integrity, and availability of healthcare data were perceived to be unsecured medical devices (78%), BYOD (76%) and insecure mobile devices (72%).

57% of respondents felt use of the cloud, mobile, and IoT technologies has increased the number of vulnerabilities that could be exploited to gain access to healthcare data. 55% of respondents said medical devices were not included in their cybersecurity strategy and the continued use of legacy systems was seen to be a security issue by 58% of respondents.

Even though 62% of organizations have experienced a data breach in the last year, and an incident response program is a requirement for HIPAA compliance, 51% of organizations have not developed an incident response program that allows them to rapidly respond to and remediate breaches.

Staffing was seen to be the biggest roadblock preventing organizations from improving their security posture. 74% believed a lack of suitable staff was a major issue hampering efforts to improve cybersecurity. 60% of respondents do not believe they have the right cybersecurity qualifications in house and only 51% of surveyed organizations have appointed a CISO.

“Healthcare organizations must get even more serious about cybersecurity to protect themselves and their patients from losing access to or control of the proprietary and personal information and systems the industry depends on to provide essential care,” said Brian Wells, Director of Healthcare Strategy at Merlin International.


HIPAA Compliance for Pharmacies

HIPAA is a federal law that establishes the acceptable uses and disclosures of protected health information (PHI), sets standards for the secure storage and transmission of PHI, and gives patients the right to obtain copies of their PHI. HIPAA compliance for pharmacies is not an option. The penalties for failing to comply with HIPAA can be severe.

Key Elements of HIPAA Compliance for Pharmacies

The combined text of HIPAA Rules published by the Department of Health and Human Services’ Office for Civil Rights is 115 pages, so covering all elements of HIPAA compliance for pharmacies is beyond the scope of this post; however, some of the key elements of HIPAA compliance for pharmacies have been outlined below.

Conduct risk analyses – A comprehensive, organization-wide risk analysis must be conducted to identify all risks to the confidentiality, integrity, and availability of ePHI. Any risks identified must be subjected to a HIPAA-compliant risk management process. A risk analysis is not a one-time checkbox item. Risk analyses must be conducted regularly, such as when there is a change to business practices or new technology is introduced.

Safeguard PHI at all times – One of the most important aspects of HIPAA compliance for pharmacies is ensuring safeguards are implemented to ensure the confidentiality, integrity, and availability of physical and electronic PHI. Pharmacies can decide on the best safeguards to implement with decisions guided by the findings of the risk analysis.

Appoint a privacy officer – A privacy officer must be appointed. Any member of staff can be your designated privacy officer. That person’s responsibility is to ensure policies and procedures are followed, documentation and filing is performed correctly, and patient requests for PHI are responded to in a timely manner. The privacy officer must also monitor for changes to HIPAA regulations and work with the owner or manager to ensure continued compliance.

Obtain authorizations – HIPAA permits the use of PHI for treatment purposes, requesting or receiving payment, or pharmacy operations. Any other use or disclosure of PHI must be authorized by the patient in writing prior to PHI being used or disclosed.

Obtain business associate agreements – A third party that needs access to PHI or copies of PHI to perform a service on behalf of the pharmacy is classed as a business associate and is also required to comply with HIPAA Rules. A business associate must provide reasonable assurances to the covered entity, by means of a business associate agreement, that the requirements of HIPAA have been understood and that HIPAA Rules will be followed.

Ensure PHI is not impermissibly disclosed – Accidentally or deliberately disclosing PHI for reasons not permitted by the Privacy Rule can cause considerable harm to patients. Policies and procedures must be developed and implemented to reduce the risk of impermissible disclosures. Care must be taken not to disclose more than the ‘minimum necessary’ PHI.

Provide patients with copies of their PHI – The HIPAA Privacy Rule gives patients the right to obtain copies of their PHI on request. While that right is typically exercised with healthcare providers, pharmacies must also provide copies of pharmacy records related to an individual if requested.

Dispose of PHI correctly – PHI such as prescription labels and documents must be disposed of in a manner that prevents the PHI from being viewed or reconstructed. Paperwork such as labels should be shredded, pulverized, pulped, or incinerated. ePHI on electronic devices must be permanently erased before disposal.

Provide training to staff – All pharmacy staff must comply with HIPAA Rules, as must any volunteers and interns who come into contact with PHI. All staff must be trained and made aware of the HIPAA Rules that apply to them and of what constitutes PHI. Training should be provided as soon as possible, with refresher training provided regularly. Pharmacies must also provide security awareness training to staff.

Inform patients of privacy practices – All HIPAA covered entities must document their privacy practices and share that information with patients. Signatures should be obtained from patients confirming they have received the notice of privacy practices.

Notify patients/OCR of a privacy breach – Patients must be informed when their PHI has been exposed or stolen and OCR must also be notified. Notifications must be sent to patients and OCR within 60 days of the discovery of a breach. OCR can be notified of a breach impacting fewer than 500 individuals no later than 60 days from the end of the calendar year in which the breach occurred.

Since HIPAA compliance for pharmacies can be complex and the penalties for noncompliance severe, we suggest contacting a compliance specialist who will be able to walk you through the steps you need to take to comply with all aspects of HIPAA Rules. Alternatively, if you are unsure about any aspect of HIPAA compliance for pharmacies, contact a healthcare attorney.

Penalties for HIPAA Violations by Pharmacies

Regardless of how large or small your business is, HIPAA compliance for pharmacies is not optional. There have been several penalties for HIPAA violations by pharmacies over the past few years. Not only can HIPAA violations attract a significant fine, they can also seriously damage the reputation of your pharmacy.

The HHS’ Office for Civil Rights has increased enforcement activity in the past two years and fines and settlements over HIPAA violations are now far more common. State attorneys general are also taking action over privacy breaches and are pursuing financial settlements when PHI is exposed or impermissibly disclosed. State attorneys general can issue fines up to $250,000 for violations of the same type that are experienced in a single year. The HHS’ Office for Civil Rights can issue fines up to $1.5 million per violation category, per year.

  • In 2009, CVS Pharmacy settled potential HIPAA violations with OCR for $2.25 million after it was discovered prescription bottles and receipts had been disposed of improperly.
  • In 2010, Rite Aid Corp settled with OCR for $1 million to resolve violations of HIPAA relating to the improper disposal of PHI.
  • In 2014, Walgreens was fined $1.4 million for the impermissible disclosure of a patient’s PHI. A pharmacist shared a patient’s PHI with her husband and at least three other people.
  • In 2015, Cornell Pharmacy, a small pharmacy in Denver, was fined $125,000 for the improper disposal of PHI.


Virtua Medical Group Fined $418,000 for Violations of HIPAA and New Jersey Law

Virtua Medical Group – a network of physicians affiliated with more than 50 medical practices in New Jersey – has been financially penalized by the New Jersey Attorney General’s Office for failing to protect the privacy of more than 1,650 patients whose medical information was accessible online without the need for any authentication.

The electronic protected health information was exposed as a result of a misconfigured server. The error occurred at a business associate of the medical group – Best Medical Transcription – which had been provided with audio files to transcribe medical notes.

Best Medical Transcription was contracted to transcribe dictations of medical notes, reports, and letters from three New Jersey medical practices: Virtua Pain and Spine Specialists in Voorhees, Virtua Gynecological Oncology Specialists, and Virtua Surgical Group in Hainesport.

The transcribed notes were uploaded to a password-protected FTP website; however, in January 2016 during a software upgrade on the FTP server, the password protection was accidentally removed allowing patient data to be accessed by anyone without the need for authentication.

Further, the content of the FTP server was indexed by search engines and could be found by typing in search terms contained in the notes. For example, typing in a patient’s name would allow the information to be found, which happened on at least one occasion. A patient found portions of her medical records online after performing a Google search.

The types of information exposed included names, medical diagnoses, and prescriptions of as many as 1,654 patients who had previously received medical services at one of the three medical centers.

When the privacy breach was discovered, Best Medical Transcription reinstated the password protection on the FTP server, although caches of the information remained accessible online and could still be found by performing a Google search. The password was reinstated on January 15, 2016, although a week later, Virtua Medical Group received a call from a patient whose daughter’s medical records were still accessible online.

At that point, while Best Medical Transcription was aware of the lack of password and a potential breach, it had not notified Virtua Medical Group that data had been exposed. The investigation by Virtua Medical Group revealed 462 patients’ records had been indexed by the search engines. Virtua Medical Group submitted individual requests to Google to have the information taken down and patients were notified about the breach in March.

An investigation into the breach by the New Jersey Division of Consumer Affairs revealed there had been multiple failures to comply with Health Insurance Portability and Accountability Act (HIPAA) requirements. While the breach affected a business associate of Virtua Medical Group, it was the medical group that was penalized.

The Division of Consumer Affairs alleged there had been a failure to conduct a comprehensive risk analysis to identify threats to the confidentiality, integrity, and availability of ePHI and insufficient security protections had been implemented to reduce risk.

The Division of Consumer Affairs further alleged that:

  • a security awareness and training program had not been implemented for the entire workforce;
  • there were unacceptable delays in identifying and responding to the breach;
  • no procedures had been established and implemented to create retrievable exact copies of the ePHI maintained on the FTP site;
  • no written log of the number of times the FTP site was accessed had been maintained; and
  • there had been an impermissible disclosure of patients’ ePHI.

Those errors and oversights constituted violations of the HIPAA Privacy and Security Rules and the New Jersey Consumer Fraud Act.

In addition to the financial penalty of $407,184 and $10,632 to reimburse attorney’s fees and investigation costs, Virtua Medical Group has agreed to implement a robust corrective action plan which includes hiring a third-party security professional to perform a comprehensive risk analysis relating to the storage, transmission and receipt of ePHI and to perform further risk assessments every two years.


What Happens if You Break HIPAA Rules?

HIPAA requires covered entities to provide training to staff to ensure HIPAA Rules and regulations are understood. During HIPAA training, healthcare employees should be aware of the possible penalties for HIPAA violations, but what are those penalties, and what happens if you break HIPAA Rules?

What Happens if You Break HIPAA Rules?

If you break HIPAA Rules there are four potential outcomes:

  1. The violation could be dealt with internally by an employer
  2. You could be terminated
  3. You could face sanctions from professional boards
  4. You could face criminal charges which include fines and imprisonment

What happens if you break HIPAA Rules will depend on the severity of the violation. The actions of employers, professional boards, federal regulators, and the Department of Justice will depend on several factors:

  1. The nature of the violation
  2. Whether there was knowledge that HIPAA Rules were being violated, or by exercising due diligence, it should have been clear that HIPAA Rules were being violated
  3. Whether action was taken to correct the violation
  4. Whether there was malicious intent or HIPAA Rules were violated for personal gain
  5. The harm caused by the violation(s)
  6. The number of people impacted by the violation
  7. Whether there was a violation of the criminal provision of HIPAA

Civil Penalties for HIPAA Violations

Civil penalties for HIPAA violations start at $100 per violation by any individual who violates HIPAA Rules. The fine can rise to $25,000 if there have been multiple violations of the same type. These penalties are applied when the individual was aware that HIPAA Rules were being violated or should have been aware had due diligence been exercised. If there was no willful neglect of HIPAA Rules and the violation was corrected within 30 days from when the employee knew that HIPAA Rules had been violated, civil penalties will not apply.

Criminal Penalties for HIPAA Violations

The criminal penalties for HIPAA violations can be severe. The minimum fine for willful violations of HIPAA Rules is $50,000. The maximum criminal penalty for a HIPAA violation by an individual is $250,000. Restitution may also need to be paid to the victims. In addition to the financial penalty, a jail term is likely for a criminal violation of HIPAA Rules.

As with the penalties for HIPAA violations for HIPAA covered entities and business associates, there are penalty tiers.

Criminal violations that occur as a result of negligence can result in a prison term of up to 1 year. Obtaining protected health information under false pretenses carries a maximum prison term of 5 years. Knowingly violating HIPAA Rules with malicious intent or for personal gain can result in a prison term of up to 10 years in jail. There is also a mandatory two-year jail term for aggravated identity theft.

What Happens if You Break HIPAA Rules FAQs

What happens if you violate HIPAA?

If you are a member of a Covered Entity’s or Business Associate’s workforce, the consequences of the violation will depend on the organization’s sanctions policy. If you are a Covered Entity or Business Associate, you are required to report the violation to HHS’ Office for Civil Rights if it has resulted in an impermissible disclosure of unsecured PHI.

What are the consequences of violating HIPAA?

This again depends on your HIPAA “status” (Covered Entity, Business Associate, workforce member, etc.) and the nature of the violation. However, in most cases, the consequences of violating HIPAA are more training. Covered Entities and Business Associates are required to conduct periodic HIPAA risk assessments which should consider HIPAA training as a preventative tool, while more than a third of Corrective Action Plans issued by HHS’ Office for Civil Rights involve additional training.

What happens if a medical facility violates the HIPAA Privacy Rule?

The consequences of a medical facility violating the HIPAA Privacy Rule depend on who identifies the violation and what they do with that information. For example, if a member of the workforce identifies the violation, it is likely to be reported to a compliance officer and resolved internally. Similarly, a patient could report the violation to the person indicated on the Notice of Privacy Practices, which would again result in an internal resolution.

However, both the member of the workforce and the patient could report the HIPAA violation to HHS’ Office for Civil Rights via the OCR Complaints Portal. In this case, OCR would review the case and seek evidence of the violation from the complainant; if there is sufficient evidence to suggest a violation has occurred, OCR may choose to conduct an investigation. If found guilty of a violation, the penalty will reflect the nature and seriousness of the violation.

What happens if a doctor violates HIPAA?

This depends on the doctor’s HIPAA status. If he or she is employed by a Covered Entity or Business Associate, the doctor will be subject to the penalties stipulated by their employer’s sanctions policy. If the doctor is a sole practitioner, and the violation is reported to HHS’ Office for Civil Rights, the doctor may be investigated and required to comply with a Corrective Action Plan and/or issued with a civil monetary penalty.

What happens if you break HIPAA rules due to a lack of training?

If you break HIPAA rules due to a lack of training, your employer is at fault because he or she has a legal requirement to provide training “as necessary and appropriate for members of the workforce to carry out their function in a HIPAA-compliant manner” (HIPAA Privacy Rule). To prevent any dispute about whether appropriate training has been provided, employers are required to document what training has been provided, when it was provided, and who attended.

Can I get in trouble for disclosing more than the minimum necessary information?

This depends on the circumstances, how much information was disclosed, and whether it had a negative impact on the patient. The Privacy Rule does allow for incidental disclosures – which are “by-products of another permissible use or disclosure” – provided the minimum necessary rule has been applied with respect to the primary use or disclosure.

Who is to blame for inadvertent disclosures caused by a computer error?

Covered Entities and Business Associates are required to implement administrative, technical, and physical safeguards to prevent events such as computer errors. If the inadvertent disclosure is attributable to a Covered Entity or Business Associate failing to implement safeguards – or failing to provide instruction on how to use the computer securely – the employer is at fault. If, however, the inadvertent disclosure is attributable to operator error, the employee is at fault.

How are breaches of HIPAA identified?

Breaches of HIPAA can be identified in various ways. The Covered Entity or Business Associate can find them during a risk analysis, the HHS Office for Civil Rights can find them during a HIPAA audit, or the patient(s) whose data has been disclosed without authorization can report it. Third parties scouring the Internet for vulnerable applications and storage volumes can also identify breaches of HIPAA.

What if I am aware of a colleague breaking HIPAA rules?

Your employer should have a process for reporting breaches of HIPAA that covers what to do when a colleague breaks the rules. Usually you would report the breach to a supervisor, manager, or departmental head; but, if you are uncomfortable speaking with somebody in your department – or that person is the colleague breaking HIPAA rules – you should be able to speak with the HIPAA Privacy Officer.
