HIPAA Compliance News

HIPAA Rules on Contingency Planning

Posted by HIPAA Journal

In its March 2018 cybersecurity newsletter, OCR explained HIPAA Rules on contingency planning and urged healthcare organizations to plan for emergencies to ensure a return to normal operations can be achieved in the shortest possible time frame.

A contingency plan is required to ensure that when disaster strikes, organizations know exactly what steps must be taken and in what order.

Contingency plans should cover all types of emergencies, such as natural disasters, fires, vandalism, system failures, cyberattacks, and ransomware incidents. The steps that must be taken for each scenario could well be different, especially in the case of cyberattacks vs. natural disasters. The plan should incorporate procedures to follow for specific types of disasters.

Contingency planning is not simply a best practice. It is a requirement of the HIPAA Security Rule. Contingency planning should not be considered a onetime checkbox item necessary for HIPAA compliance. It should be an ongoing process with plans regularly checked, updated, and tested to ensure any deficiencies are identified and addressed.

What are the HIPAA Rules on Contingency Planning?

HIPAA Rules on contingency planning are concerned with ensuring healthcare organizations return to normal operations as quickly as possible and the confidentiality, integrity, and availability of PHI is safeguarded.

HIPAA Rules on contingency planning can be found in the Security Rule administrative safeguards -45 CFR § 164.308(a)(7)(ii)(A-E).

  • Develop and Implement a Data Backup Plan – 308(a)(7)(ii)(A)
  • Develop a Disaster Recovery Plan – 308(a)(7)(ii)(B)
  • Develop and Emergency Mode Operation Plan – 308(a)(7)(ii)(C)
  • Develop and Implement Procedures for Testing and Revision of Contingency Plans – 308(a)(7)(ii)(D)
  • Perform an Application and Data Criticality Analysis – 308(a)(7)(ii)(E)

A data backup plan ensures that when disaster strikes, PHI is not lost or destroyed. A viable copy of all ePHI must be created that allows exact copies of ePHI to be restored, which includes all forms of ePHI such as medical records, diagnostic images, test results, case management information, and accounting systems.  It is a good best practice to adopt a 3-2-1 approach for backups: Create three copies of data, store them on at least two different media, and have one copy stored securely offsite. Backups must also be tested to ensure the recovery of data is possible.

A disaster recovery plan should establish the procedures that must be followed to restore access to data, including how files should be restored from backups. A copy of the plan should be readily available and stored in more than one location.

The emergency mode operation plan must ensure critical business processes continue to maintain the security of ePHI when operating in emergency mode, for example when there is a technical failure or power outage.

All elements of the contingency plan must be regularly tested and revised as necessary. OCR recommends conducting scenario-based walkthroughs and live tests of the complete plan.

Covered entities should “assess the relative criticality of specific applications and data in support of other contingency plan components.” All software applications that are used to store, maintain, or transmit ePHI must be assessed to determine the level of criticality to business functions as it will be necessary to prioritize each when data is restored.

Summary of Key Elements of Contingency Planning

OCR has provided a summary of the key elements of contingency planning:

  • The primary goal is to maintain critical operations and minimize loss.
  • Define time periods – What must be done during the first hour, day, or week?
  • Establish Plan Activation – What event(s) will cause the activation of the contingency plan?  Who has the authority to activate the contingency plan?
  • Ensure the contingency plan can be understood by all types of employees.
  • Communicate and share the plan and roles and responsibilities with the organization.
  • Establish a testing schedule for the plan to identify gaps.
  • Ensure updates for plan effectiveness and increase organizational awareness.
  • Review the plan on a regular basis and situationally when there are technical, operational, environmental, or personnel changes in the organization.

The post HIPAA Rules on Contingency Planning appeared first on HIPAA Journal.

Class Action Lawsuit Seeks Damages for Victims of CVS Caremark Data Breach

Posted by HIPAA Journal

An alleged healthcare data breach that saw the protected health information of patients of CVS Caremark exposed has resulted in legal action against CVS, Caremark, and its mailing vendor, Fiserv.

The lawsuit, which was filed in Ohio federal court on March 21, 2018, relates to an alleged privacy breach that occurred as a result of an error that affected a July/August 2017 mailing sent to approximately 6,000 patients.

In July 2017, CVS Caremark was contracted to operate as the pharmacy benefits manager for the Ohio HIV Drug Assistance Program (PhDAP), and under that program, CVS Caremark provides eligible patients with HIV medications and communicates with them about prescriptions.

In July/August 2017, CSV Caremark’s mailing vendor Fiserve sent letters to patients containing their membership cards and information about how they could obtain their HIV medications.

In the lawsuit the complaint alleges HIV-related information was clearly visible through the plastic windows of the envelopes, allowing the information to be viewed by postal service workers, family members, and roommates. It is alleged the mailing resulted in the disclosure of the recipient’s HIV status.

According to Ohio Department of Health policies, information related to HIV should only be sent in non-window envelopes. The mailing would have violated those policies and Health Information Portability and Accountability Act (HIPAA) Rules.

Such a HIPAA breach would need to be reported to the Department of Health and Human Services’ Office for Civil Rights within 60 days of discovery of the breach; however, the complainant alleges no breach report was submitted to OCR and notifications were not sent to affected individuals – A further breach of HIPAA Rules.

Plaintiffs are seeking punitive and compensatory damages and coverage of their legal costs.

There have been other breaches of HIV information in recent weeks, including a mailing error by a vendor of Aetna. In that case, HIV-related information was visible through the clear plastic windows of envelopes in a mailing to 12,000 individuals. Aetna settled a class action lawsuit filed on behalf of victims of the breach for $17,161,200 and is currently suing its mailing vendor to recover the costs. Aetna was also fined by the New York Attorney General over the breach and settled that case for $1.15 million.

The post Class Action Lawsuit Seeks Damages for Victims of CVS Caremark Data Breach appeared first on HIPAA Journal.

What is the Civil Penalty for Knowingly Violating HIPAA?

Posted by HIPAA Journal

What is the civil penalty for knowingly violating HIPAA Rules? What is the maximum financial penalty for a HIPAA violation and when are fines issued? In this post we answer these questions and explain about the penalties for violating HIPAA Rules

What is HIPAA?

The Health Insurance Portability and Accountability Act – HIPAA – is a federal law that applies to healthcare organizations and healthcare employees. HIPAA requires healthcare organizations to develop policies and procedures to protect the privacy of patients and implement safeguards to ensure the confidentiality, integrity, and availability of protected health information (PHI). HIPAA places restrictions on the uses of health data, who can be provides with copies of health information, and gives patients the right to obtain copies of their health data.

HIPAA covered entities are typically healthcare providers, health plans, and healthcare clearinghouses. HIPAA also applies to vendors and suppliers (business associates) that require access to PHI to perform their contracted duties.

As with other federal laws, there are penalties for noncompliance. The financial penalties for HIPAA violations can be severe, especially when HIPAA has been “knowingly” violated – When HIPAA Rules have been consciously violated with intent.

Financial Penalties for Healthcare Organizations Who Knowingly Violating HIPAA

The civil penalty tier system for healthcare organizations is based on the extent to which the HIPAA covered entity was aware that HIPAA Rules were violated. The maximum civil penalty for knowingly violating HIPAA is $50,000 per violation up to a maximum of $1.5 million per violation category.

Penalty Structure for HIPAA Violations

 

Civil penalties will be dictated by the nature and extent of the violation, the number of individual affected, and the harm that has been caused to those individuals.

Healthcare Employees May Have to Pay a Civil Penalty for Knowingly Violating HIPAA

As with healthcare organizations, healthcare employees can also be fined for violating HIPAA Rules. Civil penalties can be issued to any person who is discovered to have violated HIPAA Rules. The Office for Civil Rights can impose a penalty of $100 per violation of HIPAA when an employee was unaware that he/she was violating HIPAA Rules up to a maximum of $25,000 for repeat violations.

In cases of reasonable cause, the fine rises to $1,000 per violation with a maximum of $100,000 for repeat violations, for willful neglect of HIPAA Rules where the violation was corrected the fine is $10,000 and up to $250,000 for repeat violations and willful neglect with no correction carries a penalty of $50,000 per violation and up to $1.5 million for repeat violations.

Criminal Charges for HIPAA Violations

The Office for Civil Rights enforces HIPAA Rules in conjunction with the Department of Justice and will refer cases of possible criminal violations of HIPAA Rules to the DoJ. Directors, officers, and employees may be deemed to be criminally liable for violations of HIPAA Rules under the principle of corporate criminal liability, and if not directly liable, could be charged with aiding and abetting or conspiracy.

The penalty tiers are based on the extent to which an employee was aware that HIPAA Rules were being violated. At the lowest level, a violation of HIPAA Rules could attract a maximum penalty of $50,000 and/or up to one year imprisonment.

If HIPAA Rules are violated under false pretenses the maximum fine rises to $100,000 and/or up to 5 years imprisonment. The maximum civil penalty for knowingly violating HIPAA Rules is $250,000, such as when healthcare information is stolen with the intent to sell, transfer, or use for personal gain, commercial advantage, or malicious harm. In addition to a fine, the maximum jail term is 10 years.

In addition to the punishment provided, aggravated identity theft carries a prison term of 2 years. When PHI has been stolen and patients have been defrauded, restitution may also need to be paid.

The post What is the Civil Penalty for Knowingly Violating HIPAA? appeared first on HIPAA Journal.

Can You Make WordPress HIPAA Compliant?

Posted by HIPAA Journal

WordPress is a convenient content management system that allows websites to be quickly and easily constructed. The platform is popular with businesses, but is it suitable for use in healthcare? Can you make WordPress HIPAA compliant?

Before assessing whether it is possible to make WordPress HIPAA compliant, it is worthwhile covering how HIPAA applies to websites.

HIPAA and Websites

HIPAA does not specifically cover compliance with respect to websites, HIPAA requirements for websites are therefore a little vague.

As with any other forms of electronic capture or transmission of ePHI, safeguards must be implemented in line with the HIPAA Security Rule to ensure the confidentiality, integrity, and availability of ePHI. Those requirements apply to all websites, including those developed from scratch or created using an off-the-shelf platform such as WordPress.

Websites must incorporate administrative, physical, and technical controls to ensure the confidentiality of any protected health information uploaded to the website or made available through the site.

  • HIPAA-covered entities must ensure there are access controls in place to prevent unauthorized individuals from gaining access to PHI or to the administration control panel
  • Audit controls must be in place that log access to the site and any activity on the site that involves ePHI
  • There must be integrity controls in place that prevent ePHI from being altered or destroyed
  • Transmission security controls must be implemented to ensure any ePHI uploaded to the site is secured (and encrypted in transit) and data must be appropriately secured at rest (encrypted on a third-party server or encrypted/otherwise secured on a covered entity’s web server)
  • Physical security controls must be implemented to prevent unauthorized access to the web server
  • Administrators and any internal users should be trained on use of the website and made aware of HIPAA Privacy and Security Rules
  • The website must be hosted with a HIPAA-compliant hosting provider (or internally)
  • If a third-party hosting company is used, a business associate agreement is required

Once all the necessary controls have been implemented that satisfy the requirements of the HIPAA Security Rule, the website (and plugins) and all associated systems that interact with the site must be subjected to a risk analysis. All risks to the confidentiality, integrity, and availability of ePHI must be identified and those risks and addressed via risk management processes that reduce those risks to a reasonable and acceptable level.

WordPress and Business Associate Agreements

WordPress will not sign a business associate agreement with HIPAA covered entities and there is no mention of BAAs on the WordPress site. So, does that mean that the platform cannot be used in healthcare?

A business associate agreement is not necessarily required. If you simply want to create a blog to communicate with patients, provided you do not upload any PHI to the site or collect PHI through the site (such as making appointments), a business associate agreement would not be required.

You would also not need a BAA if PHI is stored separately from the website and is accessed via a plugin. If the plugin has been developed by a third party, you would need a business associate agreement with the plugin developer.

If you want to use the website in connection with PHI, there are several steps you must take to make WordPress HIPAA compliant.

How to Make WordPress HIPAA Compliant

A standard off-the-shelf WordPress installation will not be HIPAA compliant as WordPress does not offer a HIPAA-compliant service. It is possible to make WordPress HIPAA compliant, but it will be a major challenge. You will need to ensure the following before any ePHI is uploaded to or collected through the website.

  • Perform a risk analysis prior to using the site in connection with any ePHI and reduce risks to a reasonable and acceptable level
  • Use a HIPAA compliant hosting service for your website. Simply hosting the site with a HIPAA compliant hosting provider does not guarantee compliance. Ensure that all access, audit, and integrity controls are in place and safeguards implemented to secure data at rest and in transit
  • Perform a security scan of the site to check for vulnerabilities
  • Only use plugins from trustworthy sources
  • Ensure all plugins are updated and the latest version of WordPress is installed
  • Use security plugins on the website – Wordfence for example
  • Use a SaaS provider that can interface the ePHI component into your website or develop the interface internally
  • Ensure ePHI is stored outside of WordPress
  • Set strong passwords and admin account names to reduce the potential for brute force attacks. Use rate limiting to further enhance security and use two factor authentications for administrator accounts
  • Ensure that users cannot sign up for accounts directly without first being vetted
  • Ensure any data collected via web forms is encrypted in transit
  • Obtain business associate agreements with all service providers/plugin developers who require access to ePHI or whose software touches ePHI

WordPress was not developed to confirm to HIPAA standards so making WordPress HIPAA compliant is complicated. Ensuring a WordPress site remains HIPAA compliant is similarly difficult. There have also been several security issues with WordPress over the years and vulnerabilities are frequently identified. WordPress is not the only problem. Plugins are frequently found to have vulnerabilities and there is considerable potential for those vulnerabilities to be exploited.

While it is possible to make WordPress HIPAA compliant, the potential risks to ePHI are considerable. WordPress makes website creation simple, but not as far as HIPAA compliance is concerned.

Our recommendation is to develop your own website from scratch that is easier to secure and maintain, host the site with a HIPAA compliant hosing company, and if you do not have employees with the correct skill sets, use a vendor that specializes in developing HIPAA compliant websites and patient portals.

The post Can You Make WordPress HIPAA Compliant? appeared first on HIPAA Journal.

Banner Health Anticipates Potential Financial Penalty from OCR over 2016 Cyberattack

Posted by HIPAA Journal

According to a financial report issued by Banner Health, OCR is investigating the colossal 2016 Banner Health data breach which saw the protected health information of 3.7 million patients exposed. The breach involved Banner Health facilities at 27 locations in Alaska, Arizona, California, Colorado, Nebraska, Nevada, and Wyoming and resulted in the exposure of highly sensitive protected health information including names, dates of birth, Social Security numbers, and health insurance information.

The attackers gained access to the payment processing system used in its food and beverage outlets with a view to obtaining credit card numbers. However, once access to the network was gained, they also accessed servers containing PHI.

Banner Health reports that it has cooperated with OCR’s investigation into the breach and has supplied information as requested. However, OCR was not satisfied with its response and the evidence supplied on its HIPAA compliance efforts. Specifically, OCR was not satisfied with the documentation supplied to demonstrate “past security assessment activities” with its responses rated as “inadequate”.

Banner Health has respond and provided additional evidence of its security efforts but “negative findings” are anticipated. Banner Health suspects a financial penalty may be pursued by OCR, although it is not known how much the penalty is likely to be.

The Department of Health and Human Services’ Office for Civil Rights investigates all data breaches over 500 records. OCR can issue fines of up to $1.5 million per violation category, per year. HIPAA violations that have been allowed to persist over several years, and cases where there have been multiple violations of HIPAA Rules, can see multi-million-dollar financial penalties pursued. Fines have been issued of $25,000, although there have also been settlements in excess of $4 million dollars.

Based on previous HIPAA settlements, a breach of this magnitude is likely to see a fine toward the upper end of the spectrum.

In addition to a potential fine from OCR for non-compliance with HIPAA Rules, nine lawsuits were filed by plaintiffs affected by the 2016 data breach which have since been consolidated into a single class action lawsuit.

While many data breach lawsuits have been dismissed for lack of standing, this lawsuit appears to be going the distance. The plaintiffs have already demonstrated impending injury as a result of the exposure and theft of their health information.

Banner Health holds an insurance policy against cyberattacks although the extent of insurance coverage is not known. Banner Health is vigorously defending the lawsuit, but should its efforts fail, the health system believes a substantial proportion of the legal costs and any settlement will be covered by its cyber risk insurance policy.

The post Banner Health Anticipates Potential Financial Penalty from OCR over 2016 Cyberattack appeared first on HIPAA Journal.

Jail Terms for HIPAA Violations by Employees

Posted by HIPAA Journal

The penalties for HIPAA violations by employees can be severe, especially those involving the theft of protected health information.

HIPAA violations by employees can attract a fine of up to $250,000 with a maximum jail term of 10 years and a 2-year jail term for aggravated identity theft.

This month there have been two notable cases of HIPAA violations by employees, one of which has resulted in a fine and imprisonment, with the other likely to result in a longer spell in prison when sentencing takes place in June.

Jail Term for Former Transformations Autism Treatment Center Employee

In February, a former Behavioral Analyst at the Transformations Autism Treatment Center (TACT) was discovered to have stolen the protected health information of patients following termination.

Jeffrey Luke, 29, of Collierville, TN gained access to a TACT Google Drive account containing the PHI of patients following termination and downloaded the PHI of 300 current and former patients onto his personal computer.

Approximately one month after Luke was terminated, TACT discovered patient information had been remotely accessed and downloaded. An investigation was launched and law enforcement was notified, with the latter alerting the FBI. Luke was identified as the perpetrator from his IP address, with the search of his residence uncovering a computer containing stolen electronic patient records and TACT forms and templates.

Luke’s access rights to Google Drive had been terminated by TACT in accordance with HIPAA Rules; however, after termination, Luke had gained access to a shared Google Drive account and authorized access from his personal Gmail account.

It is unclear exactly how that was achieved after his access rights were terminated. Court documents say Luke hacked the account and law enforcement found evidence Luke had researched how to gain access to the data.

Law enforcement discovered this was not the first time Luke had stolen data from an employer. His computer also contained patient data from another former employer – Somerville, TN-based Behavioral and Counseling Services.

Luke pleaded guilty to the charges and was sentenced to 30 days in jail and 3 years of supervised release. Luke was also ordered to pay $14,941.36 in restitution.

This case sends a message to healthcare employees considering stealing healthcare data to sell, use, or pass on to a new employer, that data theft carries stiff penalties. While Luke will only serve 30 days in jail, he will have a criminal record which will hamper future employment.

Healthcare organizations should also take precautions to minimize the opportunity for ex-employees to access PHI remotely after they have left employment. When an employment contract ends, or an employee is terminated, access to all systems must be blocked and passwords should be changed on any shared accounts.

Nursing Home Employee Pleads Guilty to Theft of Credit Card Numbers

A former employee at a nursing home in St. Louis County, MO has pleaded guilty to the theft of credit card numbers.

Shaniece Borney, 29, of St. Louis County, was employed at a NHC Health Care nursing home between 2016 and 2017. Borney abused her access to the computer system and stole the credit card details of patients. The credit card details were used to make purchases for herself and family members.

Borney faces up to 10 years in jail and could be fined up to $250,000 and will be required to pay restitution to the victims of the fraud. Borney will be sentenced on June 21, 2018.

The post Jail Terms for HIPAA Violations by Employees appeared first on HIPAA Journal.

Is Liquid Web HIPAA Compliant?

Posted by HIPAA Journal

Healthcare organizations searching for a hosting solution may identify Liquid Web as a potential vendor, but is Liquid Web HIPAA compliant? Can its cloud services be used by HIPAA-covered entities for hosting applications and projects that include electronic protected health information?

Any healthcare organization that wants to use the cloud to host applications that use the protected health information (PHI) of patients must select a vendor whose service includes safeguards to ensure the confidentiality, integrity, and availability of ePHI that meet the requirements of the HIPAA Security Rule.

Cloud service providers, including hosting companies, are classed as business associates since they potentially have access to their clients’ data. While many cloud service providers claim they do not access customers’ data, they are still classed as business associates. HIPAA-covered entities and their business associates must therefore enter into a business associate agreement with the service provider before any ePHI is uploaded to the cloud.

Liquid Web Business Associate Agreements

Liquid Web has been providing hosting solutions to SMBs for 20 years. Last year, the company underwent an independent audit of its hosting services to assess compliance with HIPAA/HITECH regulations. While there is no official HIPAA compliance certification, the accounting firm UHY LLP did certify that the company has implemented appropriate administrative, physical, and technical safeguards to satisfy HIPAA Rules. Liquid Web has also passed EU- US and Swiss-US Privacy Shield audits, SOC 1, 2, 3 attestations, and PCI Service Provider recertification.

Liquid Web is prepared to enter into business associate agreements with HIPAA covered entities that require hosting services for web content and applications that include PHI. The BAA covers its single server and multiple server hosting services.

Is Liquid Web HIPAA Compliant?

The privacy and security controls implemented by Liquid Web allow HIPAA covered entities to ensure their data is secure and always available. Liquid Web can be a HIPAA compliant hosting service, provided access, security, and audit controls are set appropriately and a signed business associate agreement is obtained prior to use of the hosting services in connection with any ePHI.

The post Is Liquid Web HIPAA Compliant? appeared first on HIPAA Journal.

Healthcare Data Breach Statistics

Posted by HIPAA Journal

We have compiled healthcare data breach statistics from October 2009 when the Department of Health and Human Services’ Office for Civil Rights first started publishing summaries of healthcare data breaches on its website.

The healthcare data breach statistics below only include data breaches of 500 or more records as smaller breaches are not published by OCR. The breaches include closed cases and breaches still being investigated by OCR.

Our healthcare data breach statistics clearly show there has been an upward trend in data breaches over the past 9 years, with 2017 seeing more data breaches reported than any other year since records first started being published.

There have also been notable changes over the years in the main causes of breaches. The loss/theft of healthcare records and electronic protected health information dominated the breach reports between 2009 and 2015, although better policies and procedures and the use of encryption has helped reduce these easily preventable breaches. Our healthcare data breach statistics show the main causes of healthcare data breaches is now hacking/IT incidents, with unauthorized access/disclosures also commonplace.

Healthcare Data Breaches by Year

Between 2009 and 2017 there have been 2,181 healthcare data breaches involving more than 500 records. Those breaches have resulted in the theft/exposure of 176,709,305 healthcare records.  That equates to more than 50% of the population of the United States (54.25%). Healthcare data breaches are now being reported at a rate of more than one per day.

Healthcare data breaches 2019-2017

Healthcare Records Exposed by Year

While there has been a general upward trend in the number of records exposed each year, there was a massive improvement in 2017 – the best year since 2012 in terms of the number of records exposed. However, while breaches were smaller in 2017, it was a record breaking year in terms of the number of healthcare data breaches reported – 359 incidents.

Records Exposed in Healthcare data breaches

Average/Median Healthcare Data Breach Size by Year

Average Size of Healthcare Data Breaches

 

Median Size of Healthcare Data Breaches

 

Largest Healthcare Data Breaches (2009-2017)

Rank Year Entity Entity Type Records Exposed/Stolen Cause of Breach
1 2015 Anthem, Inc. Affiliated Covered Entity Health Plan 78800000 Hacking/IT Incident
2 2015 Premera Blue Cross Health Plan 11000000 Hacking/IT Incident
3 2015 Excellus Health Plan, Inc. Health Plan 10000000 Hacking/IT Incident
4 2011 Science Applications International Corporation Business Associate 4900000 Loss
5 2014 Community Health Systems Professional Services Corporation Business Associate 4500000 Theft
6 2015 University of California, Los Angeles Health Healthcare Provider 4500000 Hacking/IT Incident
7 2013 Advocate Medical Group Healthcare Provider 4029530 Theft
8 2015 Medical Informatics Engineering Business Associate 3900000 Hacking/IT Incident
9 2016 Banner Health Healthcare Provider 3620000 Hacking/IT Incident
10 2016 Newkirk Products, Inc. Business Associate 3466120 Hacking/IT Incident
11 2016 21st Century Oncology Healthcare Provider 2213597 Hacking/IT Incident
12 2014 Xerox State Healthcare, LLC Business Associate 2000000 Unauthorized Access/Disclosure
13 2011 IBM Business Associate 1900000 Unknown
14 2011 GRM Information Management Services Business Associate 1700000 Theft
15 2010 AvMed, Inc. Health Plan 1220000 Theft
16 2015 CareFirst BlueCross BlueShield Health Plan 1100000 Hacking/IT Incident
17 2014 Montana Department of Public Health & Human Services Health Plan 1062509 Hacking/IT Incident
18 2011 The Nemours Foundation Healthcare Provider 1055489 Loss
19 2010 BlueCross BlueShield of Tennessee, Inc. Health Plan 1023209 Theft
20 2011 Sutter Medical Foundation Healthcare Provider 943434 Theft

Healthcare Hacking Incidents by Year

Our healthcare data breach statistics show hacking is now the leading cause of healthcare data breaches, although healthcare organizations are now much better at detecting breaches when they do occur. The low hacking/IT incidents in the earlier years is likely to be due, in part, to the failure to detected hacking incidents and malware infections quickly. Many of the hacking incidents in 2014-2017 occurred many months, and in come cases years, before they were detected.

Healthcare Data Breaches - Hacking

 

Records Exposed in Healthcare Data Breaches - Hacking

Unauthorized Access/Disclosures by Year

As with hacking, healthcare organizations are getting better at detecting internal breaches and also reporting those breaches to the Office for Civil Rights. While hacking is the main cause of breaches, unauthorized access/disclosure incidents are in close second.

Healthcare Data Breaches - unauthorized access/disclosures

 

records exposed in authorized access/disclosures

Loss/Theft of PHI and Unencrypted ePHI by Year

Our healthcare data breach statistics show HIPAA covered entities and business associates have got significantly better at protecting healthcare records with administrative, physical, and technical controls such as encryption, although unencrypted laptops and other electronic devices are still being left unsecured in vehicles and locations accessible by the public.

healthcare theft/loss data breaches

 

records exposed by healthcare theft/loss data breaches

Improper Disposal of PHI/ePHI by Year

healthcare data breaches - improper disposal incidents

 

records exposed in healthcare improper disposal incidents

 

Breaches by Entity Type

Year Provider Health Plan Business Associate Other Total
2009 14 1 3 0 18
2010 134 21 44 0 199
2011 137 20 42 1 200
2012 155 22 36 4 217
2013 199 18 56 5 278
2014 202 71 41 0 314
2015 196 62 11 0 269
2016 257 51 19 0 327
2017 288 52 19 0 359
Total 1582 318 271 10 2181

OCR Settlements and Fines for HIPAA Violations

The penalties for HIPAA violations can be severe with multi-million-dollar fines possible when violations have been allowed to persist for several years or when multiple violations of HIPAA Rules have been allowed to occur.

The penalty structure for HIPAA violations is detailed in the infographic below:

Penalty Structure for HIPAA Violations

OCR Settlements and Fines Over the Years

The data for the healthcare data breach statistics on fines and settlements can be viewed on our HIPAA violation fines page, which details all HIPAA violation fines issued by OCR between 2008 and 2018. As the graph below shows, there has been a steady increase in HIPAA enforcement over the past 9 years.

HIPAA Fines and Settlements 2008-2017

 

How Much Has OCR Fined HIPAA Covered Entities and Business Associates?

In addition to an increase in fines and settlements, the level of fines has increased substantially. Multi-million-dollar fines for HIPAA violations are now the norm.

HIPAA Fine and Settlement Amounts 2008-2017

 

average HIPAA Fines and Settlements 2008-2017

 

Median HIPAA Fines and Settlements 2008-2017

As the graphs above show, there has been a sizable increase in both the number of settlements and civil monetary penalties and the fine amounts in recent years. OCR’s budget has been cut so there are fewer resources to put into pursuing financial penalties in HIPAA violation cases. 2018 is likely to see fewer fines for HIPAA covered entities than the past two years, although settlement amounts are likely to remain high and even increase in 2018.OCR Director Roger Severino has indicated financial penalties are most likely to be pursued for particularly egregious HIPAA violations.

State Attorneys General HIPAA Fines and Other Financial Penalties for Healthcare Organizations

State attorneys general can issue fines ranging from $100 per HIPAA violation up to a maximum of $25,000 per violation category, per year.

Even when action is taken by state attorneys general over potential HIPAA violations, healthcare organizations are typically fined for violations of state laws. Only a handful of U.S. states have issued fines solely for HIPAA violations

Some of the major fines issued by state attorneys general for HIPAA violations and violations of state laws are listed below.

 

Year State Covered Entity Amount Individuals affected Settlement/CMP Reason
2018 NY EmblemHealth $575,000 81,122 Settlement Mailing error
2018 NY Aetna $1,150,000 12,000 Settlement Mailing error
2017 CA Cottage Health System $2,000,000 More than 54,000 Settlement Failure to adequately protect medical records
2017 MA Multi-State Billing Services $100,000 2,600 Settlement Theft of unencrypted laptop containing PHI
2017 NJ Horizon Healthcare Services Inc., $1,100,000 3.7 million Settlement Loss of unencrypted laptop computers
2017 VT SAManage USA, Inc. $264,000 660 Settlement Spreadsheet indexed by search engines and PHI viewable
2017 NY CoPilot Provider Support Services, Inc $130,000 221,178 Settlement Delayed breach notification
2015 NY University of Rochester Medical Center $15,000 3,403 Settlement List of patients provided to nurse who took it to a new employer
2015 CT Hartford Hospital/ EMC Corporation $90,000 8,883 Settlement Theft of unencrypted laptop containing PHI
2014 MA Women & Infants Hospital of Rhode Island $150,000 12,000 Settlement Loss of backup tapes containing PHI
2014 MA Boston Children’s Hospital $40,000 2,159 Settlement Loss of laptop containing PHI
2014 MA Beth Israel Deaconess Medical Center $100,000 3,796 Settlement Loss of laptop containing PHI
2013 MA Goldthwait Associates $140,000 67,000 Settlement Improper disposal
2012 MN Accretive Health $2,500,000 24,000 Settlement Mishandling of PHI
2012 MA South Shore Hospital $750,000 800,000 Settlement Loss of backup tapes containing PHI
2011 VT Health Net Inc. $55,000 1,500,000 Settlement Loss of unencrypted hard drive/delayed breach notifications
2011 IN WellPoint Inc. $100,000 32,000 Settlement Failure to report breach in a reasonable timeframe
2010 CT Health Net Inc. $250,000 1,500,000 Settlement Loss of unencrypted hard drive/delayed breach notifications

The post Healthcare Data Breach Statistics appeared first on HIPAA Journal.

Is Intercom HIPAA Compliant?

Posted by HIPAA Journal

Intercom’s messaging software-as-a-service solutions are popular with businesses for chatting with potential customers. The solutions have potential for use in the healthcare industry for chatting with patients, but is Intercom HIPAA compliant? Can the company’s solutions be used in connection with electronic protected health information or would that constitute a violation of HIPAA Rules?

Is Intercom Prepared to Sign a Business Associate Agreement?

HIPAA covered entities and their businesses are only permitted to use software products and services in connection with electronic protected health information if there are safeguards in place to protect the confidentiality, integrity, and availability of ePHI. Any software platform must incorporate audit and access controls and data must be appropriately secured in transit and at rest.

Before software-as-a-service can be used to send or store ePHI, a HIPAA covered entity must enter into a business associate agreement with the service provider in which the company’s responsibilities under HIPAA are explained.

There are exceptions for certain service providers such as ISPs. ISPs are exempt under the HIPAA Conduit Exception Rule. Messaging services such as those provided by Intercom are not exempt and business associate agreements would need to be obtained before the service can be used.

In Intercom’s terms and conditions it is made clear that Intercom does not consider itself a business associate and will not sign a business associate agreement with HIPAA covered entities. The company also explains that the platform should not be used for collecting, storing, processing, or transmitting sensitive personal information.

Is Intercom HIPAA Compliant?

At present, Intercom does not class itself as a business associate and will not sign a business associate agreement with HIPAA covered entities and the platform does not have the necessary privacy and security controls to be used in connection with electronic protected health information.

Consequently, Intercom is not HIPAA compliant and should not be used by healthcare organizations for sending or storing any ePHI.

The post Is Intercom HIPAA Compliant? appeared first on HIPAA Journal.