HIPAA Compliance News

Deadline for Reporting 2017 HIPAA Data Breaches Approaches

The deadline for reporting 2017 HIPAA data breaches to the Department of Health and Human Services’ Office for Civil Rights is fast approaching.

HIPAA-covered entities have a maximum of 60 days from the discovery of a data breach to report security incidents to OCR and notify affected patients. Smaller breaches of PHI do not need to be reported to OCR within this time frame, instead covered entities can delay reporting those breaches to OCR until the end of the calendar year.

The maximum allowable time for reporting breaches impacting fewer than 500 individuals is 60 days from the end of the year in which the breach was experienced. The final day for reporting 2017 HIPAA data breaches to OCR is therefore March 1, 2018.

A HIPAA data breach is defined as an “acquisition, access, use, or disclosure” of unsecured protected health information (PHI) that is not permitted by the HIPAA Privacy Rule. Unsecured PHI is defined as PHI that is “not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology,” such as encryption. A breach of encrypted PHI is not reportable unless the key to unlock the encryption is also reasonably believed to have also been compromised.

Covered entities should be aware that ransomware incidents are usually reportable HIPAA data breaches, even if PHI has not been stolen in the attack. To avoid reporting a ransomware incident, a covered entity must be able to demonstrate a low probability of PHI being compromised in the attack. That determination must be based on a risk assessment (See 45 CFR § 164.402)

While covered entities can submit details of all ‘small’ PHI breaches at the same time, each breach must be reported as a separate event. They can not all be uploaded to the breach portal together.

While the HIPAA Breach Notification Rule allows covered entities additional time to report data breaches impacting fewer than 500 individuals, notifications for individuals impacted by those data breaches cannot be delayed. They must be issued within 60 days of the discovery of the breach, and without unnecessary delay, regardless how many individuals have been impacted by the breach.

It is a good best practice to report all breaches of PHI within 60 days of discovery. Oftentimes, full information about the breach is not available at the time of reporting, but it is possible to add further information to the OCR data breach reports when further information becomes available. If the number of individuals affected by the breach has not been confirmed, estimates should be provided. The final total can then be submitted to OCR as an update to the breach report when the number of individuals impacting has been determined.

The penalties for the late reporting of data breaches can be severe, and OCR made it clear in January 2017 that ignoring the deadline for reporting breaches, or unnecessarily delaying breach reports, is a HIPAA violation that will not be ignored. Presense Health became the first covered entity to be fined solely for delaying breach notifications and settled the HIPAA violation with OCR for $475,000.

OCR has yet to issue a financial penalty to a covered entity for the late reporting of small data breaches, but since OCR tends to set examples with its breach settlements, 2018 could well see the first penalty issued.

To avoid a HIPAA penalty, ensure all small breaches of PHI are reported to OCR between now and the end of February 2018 and no later than midnight on March 1.

The post Deadline for Reporting 2017 HIPAA Data Breaches Approaches appeared first on HIPAA Journal.

HHS Sued by CIOX Health Over Unlawful HIPAA Regulations

The Department of Health and Human Services is being sued by CIOX Health, a medical record retrieval company, over updates to HIPAA laws that place restrictions on the amount that can be charged to patients for providing them with copies of their medical records.

CIOX Health claims the HIPAA Omnibus Rule updates in 2013, “unlawfully, unreasonably, arbitrarily and capriciously,” restrict the fees that can be charged by providers and their business associates for providing copies of the health information stored on patients.

Changes to HIPAA Rules not only placed a limit on the fees, but also expanded the types of information that must be provided to patients, on request. Accessing some of that information, in particular health information that is not stored in electronic medical records, is costly. Yet, even though the costs of processing some requests are high, HIPAA limits charges to $6.50 according to the lawsuit.

CIOX Health argues that this flat rate fee is an arbitrary figure that bears no relation to the actual cost of honoring patient requests for copies of their health information, and such a low fee is hurting its business. CIOX Health wants the HHS to reverse the changes made to HIPAA in 2013 and 2016 with respect to how much can be charged and the provision of copies of any type of medical information.

While the flat fee of $6.50 is the maximum that can be charged, it should be noted that the maximum fee only applies if the healthcare provider or company chooses that option. HIPAA does not prevent healthcare organizations from charging more. If they choose not to charge a flat fee, they are permitted to charge patients “actual or average allowable costs for requests for electronic copies of PHI maintained electronically.” The HHS confirmed this in May 2016 in response to questions asked via its web portal.

Tremendous Financial Burdens on Healthcare Providers

In the lawsuit, CIOX Health says, “HHS’s continued application and enforcement of these rules impose tremendous financial and regulatory burdens on healthcare providers and threatens to upend the medical records industry that services them.”

These changes to HIPAA Rules “threaten to bankrupt the dedicated medical-records providers who service the healthcare industry by effectively and quite deliberately mandating that they fulfill a rapidly growing percentage of requests for protected health information at a net loss.”

The changes to the types of health information that must be provided on request now includes medical information in any form whatsoever, including electronic medical records in EHR systems, but also paper records and films that have been transferred to third parties.

In the case of electronic records, they can be located in several different virtual locations, while paper records and films may be stored in several different physical locations. Providing copies of complete record sets requires staff to be sent to each of those locations to retrieve the records, and even accessing multiple virtual locations is a time consuming and costly process. Records must also be verified and compiled, which all takes time.

CIOX Health serves more than 16,000 physician practices and processes tens of millions of requests for copies of medical records every year. The restrictions on charges has potentially hurt its business, according to the lawsuit.

This is not the only legal action that CIOX Health is involved in which is related to providing patients with copies of their medical records. CIOX is the co-defendant in a November 2017 lawsuit that claims more than 60 Indiana hospitals have been failing to provide copies of medical records to patients within 3 days, as required by the HITECH Act, even though they accepted payments and claimed that they were meeting HITECT Act requirements. The defendants are also alleged to have overcharged patients for copies of medical records.

The post HHS Sued by CIOX Health Over Unlawful HIPAA Regulations appeared first on HIPAA Journal.

Achieving HIPAA Compliant File Sharing In and Outside the Cloud

HIPAA compliant file sharing consists of more than selecting the right technology to ensure the security, integrity and confidentiality of PHI at rest or in transit. Indeed, you could implement the most HIPAA compliant file sharing technology available and still be a long way short of achieving HIPAA compliance.

It is not the technology that is at fault. Many Covered Entities and Business Associates fail to configure the technology properly or train employees how to use the technology in compliance with HIPAA. According to a recent IBM X-Force Threat Intelligence Report, 46% of data breaches in the healthcare industry are attributable to “inadvertent actors”.

Of the remaining 54% of data breaches in the healthcare industry, 29% are attributable to “outsiders”, while the remaining 25% are the work of “malicious insiders”. Therefore, if a Covered Entity implements HIPAA compliant file sharing technology, but fails to configure it properly, train employees how to use it compliantly, or introduce mechanisms to monitor access to PHI, it may only be 29% of the way towards achieving HIPAA compliance.

Understanding the Risks to PHI when Sharing Data

In order to fully understand the risks to PHI when sharing data, it is important to conduct a thorough risk assessment detailing how PHI is created, used, stored and shared – and what happens to the data once it has been shared. When the risk assessment is completed, it is necessary to conduct a risk analysis to identify vulnerabilities and weaknesses that could result in the unauthorized disclosure of PHI.

Part of the risk analysis should concern what happens to data shared with Business Associates. Business Associates should conduct their own risk assessments and risk analyses, and it is a HIPAA Security Officer´s duty to conduct due diligence on any Business Associate data is shared with, in order to ensure their file sharing procedures are also HIPAA compliant.

HIPAA Compliant File Sharing Exists Outside the Cloud

Most articles relating to file sharing and HIPAA compliance focus on the technology available to share files securely in the cloud. Although these articles provide valuable information about one specific area of sharing data, they do not address the subject of HIPAA compliant file sharing in its entirety – for example, when data is shared within a private network or in physical format.

As well as evaluating cloud-based technology for HIPAA compliant file sharing, HIPAA Security Officers should also consider access controls to files and folders stored on private networks and access logs to monitor when PHI is accessed – both online and in physical format. Done effectively, this should help prevent the #1 cause of HIPAA security breaches – employee snooping.

Explaining File Sharing and HIPAA Compliance to Employees

Employee snooping – viewing the healthcare records of family, friends, colleagues or personalities without authorization – may not result in headline data breaches, but it is a HIPAA violation – and a common one at that. However, without being told it is a violation, many employees would consider snooping no more than a misdemeanor with inquisitive intent.

Explaining that snooping is a HIPAA violation punishable by sanctions is a good foundation for explaining file sharing and HIPAA compliance to employees. It will help them better understand the seriousness of unauthorized disclosures of PHI and make them more careful about taking shortcuts “to get the job done” – a leading cause of data breaches in the healthcare industry attributable to “inadvertent actors”.

Train, Monitor, Sanction when Necessary, then Review

Whenever new HIPAA-related technology is introduced or working practices are changed, it is essential employees are provided with adequate training on the new technology or working practices. By using employee HIPAA training sessions to reinforce the message about file sharing and HIPAA compliance, the message will likely be better absorbed.

If the Covered Entity is able to support employee training with mechanisms to monitor access to PHI, and the enforcement of sanctions when necessary, the likelihood is “malicious insiders” will likely think twice before attempting to access PHI without authorization. Thereafter, HIPAA Security Officers should review policies and procedures to assess whether any further adjustments need to be made in order to ensure HIPAA compliant file sharing.

The post Achieving HIPAA Compliant File Sharing In and Outside the Cloud appeared first on HIPAA Journal.

What is Individually Identifiable Health Information?

What is individually identifiable health information and what must HIPAA-covered entities do to the information before it can be shared for reasons not detailed in the permitted uses and disclosures of the HIPAA Privacy Rule?

What is Individually Identifiable Health Information?

Before answering the question, what is individually identifiable health information, it is necessary to define health information.

HIPAA defines health information as any information created or received by a HIPAA-covered entity (healthcare provider, health plan, or healthcare clearinghouse) or business associate of a HIPAA-covered entity.

Health information includes past, present, and future information about mental and physical health and the condition of an individual, the provision of healthcare to an individual, and information related to payment for healthcare, again in the past, present, or future. Health information also includes demographic information about an individual.

Individually identifiable health information is a subset of health information, and as the name suggests, is health information that can be linked to a specific person, or if it would be reasonable to believe that an individual could be identified from the information. (See 45 CFR 46.160.103).

The HIPAA Privacy Rule places restrictions on uses and disclosures of individually identifiable health information, but not on health information that does not allow an individual to be identified.

If a HIPAA-covered entity has a data set containing individually identifiable health information, before the information can be shared with an organization or individual for a reason that would otherwise be prohibited under the HIPAA Privacy Rule, the data must first be de-identified.

De-identifying health information requires the following 18 identifiers to be removed from the data set prior to sharing:

  1. Full name or last name and initial(s)
  1. Geographical identifiers smaller than a state, except the initial three digits of a zip code, provided the combination of all zip codes starting with those three digits. When the initial three digits of a zip code contains 20,000 or fewer people it is changed to 000
  2. Dates directly related to an individual, other than year
  3. Phone Numbers
  4. Fax numbers
  5. Email addresses
  6. Social Security numbers
  7. Medical record numbers
  8. Health insurance beneficiary numbers
  9. Account numbers
  10. Certificate/license numbers
  11. Vehicle identifiers
  12. Device identifiers and serial numbers;
  13. Web Uniform Resource Locators (URLs)
  14. IP addresses
  15. Biometric identifiers, including finger, retinal and voice prints
  16. Full face photographic images and any comparable images
  17. Any other unique identifying number, characteristic, or code except the unique code assigned by the investigator to code the data

Further information on how to deidentify health information can be viewed on this link.

The post What is Individually Identifiable Health Information? appeared first on HIPAA Journal.

What is Protected Health Information?

The latest article in our HIPAA basics series answers the question what is protected health information?

The Health Insurance Portability and Accountability Act (HIPAA) requires covered entities to implement safeguards to ensure the confidentiality, integrity, and availability of protected health information, but what is protected health information?

First, it is worthwhile explaining two other important terms detailed in HIPAA regulations: A covered entity and a business associate. A covered entity is a healthcare provider, health plan, or healthcare clearinghouse which transmits health data electronically for transactions that the U.S. Department of Health and Human Services has adopted standards. A business associate is an organization or individual who performs services on behalf of a HIPAA-covered entity that requires access to, or the use of, protected health information.

What is Protected Health Information?

Protected health information is the term given to health data created, received, stored, or transmitted by HIPAA-covered entities and their business associates in relation to the provision of healthcare, healthcare operations and payment for healthcare services.  Protected health information is often shortened to PHI, or in the case of electronic health information, ePHI.

HIPAA Protected Health Information Definition

Protected health information “Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual” that is:

  • Transmitted by electronic media;
  • Maintained in electronic media; or
  • Transmitted or maintained in any other form or medium.

Protected Health Information Includes…

Protected health information includes all individually identifiable health information, including demographic data, medical histories, test results, insurance information, and other information used to identify a patient or provide healthcare services or healthcare coverage. ‘Protected’ means the information is protected under the HIPAA Privacy Rule.

Protected health information is defined in the Code of Federal Regulations and applies to health records, but not education records which are covered by other federal regulations, and neither records held by a HIPAA-covered entity related to its role as an employer. In the case of an employee-patient, protected health information does not include information held on the employee by a covered entity in its role as an employer, only in its role as a healthcare provider.

PHI does not include individually identifiable health information of persons who have been deceased for more than 50 years.

What is Individually Identifiable Health Information?

When individually identifiable information is used by a HIPAA covered entity or business associate in relation to healthcare services or payment it is classed as protected health information.

There are 18 identifiers that can be used to identify, contact, or locate a person. If health information is used with any of these identifiers it is considered identifiable. If PHI has all of these identifiers removed, it is no longer considered to be protected health information. (see de-identification of protected health information)

  1. Names (Full or last name and initial)
  2. All geographical identifiers smaller than a state, except for the initial three digits of a zip code if, according to the current publicly available data from the U.S. Bureau of the Census: the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and the initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000
  3. Dates (other than year) directly related to an individual
  4. Phone Numbers
  5. Fax numbers
  6. Email addresses
  7. Social Security numbers
  8. Medical record numbers
  9. Health insurance beneficiary numbers
  10. Account numbers
  11. Certificate/license numbers
  12. Vehicle identifiers (including serial numbers and license plate numbers)
  13. Device identifiers and serial numbers;
  14. Web Uniform Resource Locators (URLs)
  15. Internet Protocol (IP) address numbers
  16. Biometric identifiers, including finger, retinal and voice prints
  17. Full face photographic images and any comparable images
  18. Any other unique identifying number, characteristic, or code except the unique code assigned by the investigator to code the data

PHI Health Apps

There is some confusion around PHI and health apps as they often collect information that is classed as PHI when it is recorded or used by a healthcare provider. Health apps record information such as heart rate data and the data include personal identifiers. However, the data collected by these apps and trackers is not always covered by HIPAA Rules. App developers can be business associates, but in the most part they are not.

If a HIPAA covered entity develops a health app for use by patients or plan members and it collects, uses, stores, or transmits protected health information, the information must be protected in line with HIPAA Rules.

If a physician recommends a PHI health app be used by a patient, such as for tracking BMI or heart rate data, the information is not subject to HIPAA Rules as the app was not created for the physician.

A third-party health app developer would be classed as a business associate, and required to comply with HIPAA, if the app has been created for a HIPAA-covered entity and it collects, uses, stores, or transmits identifiable health information or if the developer is contracted with a HIPAA-covered entity to provide health monitoring services via the app.

PHI health app guidance was issued by OCR in 2016 and can be viewed on this link (PDF).

PHI Information Technology

The HIPAA Security Rule requires safeguards to be implemented by HIPAA-covered entities and their business associates to protect PHI that is created, used, received, stored, or transmitted in electronic format. Administrative, physical, and technical controls must be implemented to ensure the confidentiality, integrity, and availability of ePHI.

Failures to protect ePHI and subsequent privacy violations can result in significant fines, although since there is no private cause of action in HIPAA, patients affected by data breaches cannot sue HIPAA covered entities for the exposure, theft, or impermissible disclosure of their PHI.

The HIPAA Privacy Rules stipulates allowable uses and disclosures of PHI and gives patients the right to obtain a copy of the PHI that is held by their healthcare providers. HealthIT can be used to help patients access their PHI. Many healthcare providers now allow patients to access some or all of their health information via patient portals. If only partial information is available through a patient portal, patients can still exercise their right to obtain all PHI in a designated record set held by their healthcare providers by submitting a request in writing.

FAQs

Would patient information such as “Mrs. Green from Miami” be considered PHI?

Although there could be thousands of Mrs. Greens in Miami, there is likely to be fewer Mrs. Kawtowskis in Maryland. As it would be impractical for HIPAA to stipulate there has to be fewer than so many “Mrs. As” in a population of “B” before the two identifiers combined are considered to be PHI, all combinations of identifiers are consider PHI under HIPAA – even “Mrs. Green from Miami”.

What are allowable uses and disclosures of PHI?

Without an authorization from the patient, a covered entity is only allowed to use and disclose a patient´s PHI for its own treatment, payment, and health care operations. A covered entity can also disclose the patient´s PHI to a business associate provided both the covered entity and the business associated have signed a HIPAA-compliant business associate agreement.

What are incidental uses and disclosures of PHI?

Incidental uses and disclosures of PHI are those that occur accidentally as a by-product of another allowable use or disclosure. Provided the covered entity or business associate has applied reasonable safeguards and implemented the minimum necessary standard with respect to the primary use or disclosure, there is no violation of HIPAA.

Can you provide an example of an incidental disclosure?

An example of an incidental disclosure is when an employee of a business associate walks into a covered entity´s facility and recognizes a patient in the waiting room. Although the business associate does not need to know the identity of any patients at the covered entity´s facility, the business associate has a compliant business associate agreement in place and is visiting the facility to carry out work described in the agreement. Therefore the disclosure of PHI is incidental to the compliant work being done.

Would a personal wearable device such as a step counter be considered a PHI health app?

Unless the personal wearable device collects, uses, and/or stores data, and that data is transmitted to – or downloaded at – a physician´s office or healthcare facility, the device is not a PHI health app. So, in most cases, a wearable step counter would not be considered a PHI health app provided it is used for personal use only.

The post What is Protected Health Information? appeared first on HIPAA Journal.

Is Azure HIPAA Compliant?

Is Azure HIPAA compliant? Can Microsoft’s cloud services be used by HIPAA covered entities without violating HIPAA Rules?

Many healthcare organizations are considering moving some of their services to the cloud, and a large percentage already have. The cloud offers considerable benefits and can help healthcare organizations lower their IT costs, but what about HIPAA?

HIPAA does not prohibit healthcare organizations from taking advantage of cloud services; however, it does place certain restrictions on the services that can be used, at least as far as protected health information is concerned.

Most healthcare organizations will consider the three main providers of cloud services. Amazon Web Services (AWS), Google Cloud Platform (GCP), and Microsoft Azure. We have already covered AWS HIPAA compliance here, but what about Azure? Is Azure HIPAA compliant?

Is Azure HIPAA Compliant?

Before any cloud service can be used by healthcare organizations, they must first enter into a business associate agreement with the service provider.

Under HIPAA Rules, cloud service providers are considered business associates. Before any PHI can be uploaded to the cloud, HIPAA-covered entities must obtain satisfactory assurances that the service incorporates all the appropriate privacy and security safeguards to meet the requirements of the HIPAA Privacy and Security Rules.

Those assurances come in the form of a business associate agreement – essentially a contract with a vendor in which the responsibilities of the vendor are explained. The BAA must be obtained before any cloud service can be used for storing, processing, or sharing PHI. It does not matter is the service provider does not access customers’ data. A BAA is still required.

Microsoft Will Sign a BAA for Azure

Microsoft is willing to sign a BAA with healthcare organizations that covers Azure*, so does that make Azure HIPAA compliant?

Unfortunately, it is not that simple. No cloud platform can be truly HIPAA compliant. Cloud HIPAA compliance is not so much about platforms and security controls, but how those services are used. Even a cloud service such as Azure can easily be used in a way that violates HIPAA Rules. It is the responsibility of the covered entity to ensure cloud instances are configured correctly.

So Azure is not HIPAA compliant per se, but it does support HIPAA compliance, and incorporates all the necessary safeguards to ensure HIPAA requirements can be satisfied.

Access, Integrity, Audit and Security Controls

Microsoft provides a secure VPN to connect to Azure, so any data uploaded to, or downloaded from, Azure is encrypted and all data stored in its cloud instances are encrypted.

HIPAA requires access controls to be implemented to limit who can access to PHI. Azure offers these controls and uses Active Directory to allow permissions to be set. Multi-factor authentication can also be added.

Audit controls are also necessary for HIPAA compliance. Azure includes detailed logging, so administrators can see who accessed, attempted to access PHI.

So, is Azure HIPAA compliant? Azure can be used in a way that satisfies HIPAA Rules, but note that it is the responsibility of the covered entity to ensure the service is configured and used correctly and staff are trained on its use. Microsoft will accept no responsibility for HIPAA violations caused as a result of the misuse of its services.

*Not all Azure services are included in the BAA. See here for up-to-date information.

The post Is Azure HIPAA Compliant? appeared first on HIPAA Journal.

Largest Healthcare Data Breaches of 2017

This article details the largest healthcare data breaches of 2017 and compares this year’s breach tally to the past two years, which were both record-breaking years for healthcare data breaches.

2015 was a particularly bad year for the healthcare industry, with some of the largest healthcare data breaches ever discovered. There was the massive data breach at Anthem Inc., the likes of which had never been seen before. 78.8 million healthcare records were compromised in that single cyberattack, and there were also two other healthcare data breaches involving 10 million or more records. 2015 was the worst ever year in terms of the number of healthcare records exposed or stolen.

2016 was a better year for the healthcare industry in terms of the number of healthcare records exposed in data breaches. There was no repeat of the mega data breaches of the previous year. Yet, the number of incidents increased significantly. 2016 was the worst ever year in terms of the number of breaches reported by HIPAA-covered entities and their business associates. So how have healthcare organizations fared in 2017? Was 2017 another record-breaking year?

Healthcare Data Breaches Increased in 2017

The mega data breaches of 2015 were fortunately not repeated in 2017, and the decline in massive data breaches continued in 2017.

Last year, there were three breaches reported that impacted more than one million individuals and 14 breaches of more than 100,000 records.

In 2017, there was only one reported data breach that impacted more than 500,000 people and 8 breaches that impacted 100,000 or more individuals. The final total for individuals impacted by breaches last year was 14,679,461 – considerably less than the 112,107,579 total the previous year.

The final figures for 2017 cannot yet be calculated as there is still time for breaches to be reported to OCR. The HIPAA Breach Notification Rules allows covered entities up to 60 days to report data breaches of more than 500 records, so the final figures for 2017 will not be known until March 1, 2018. However, based on current data, 2017 has been a reasonably good year in terms of the number of exposed healthcare records. The current total stands at 3,286,498 records – A 347% reduction in breached records year on year.

While it is certainly good news that the severity of breaches has reduced, that only tells part of the story. Breaches of hundreds of thousands of records have reduced, but breaches of more than 10,000 records have remained fairly constant year over year. In 2015, there were 52 breaches of 10,000 or more records. That figure jumped to 82 in 2016. There were 78 healthcare data breaches in 2017 involving more than 10,000 records.

The bad news is there has been a significant rise in the number of healthcare data breaches in 2017.  As of January 4, 2017, there have been 342 healthcare security breaches listed on the OCR breach portal for 2017. It is likely more incidents will be added in the next few days.

The final total for 2015 was 270 breaches, and there were 327 breaches reported in 2016. The severity of healthcare security incidents may have fallen, but the number of incidents continues to rise year on year.

 

reported healthcare data breaches in 2017

 

Unfortunately, there is little evidence to suggest that the annual rise in healthcare data breaches will stop in 2018. Many cybersecurity firms have made predictions for the coming year, and they are united in the view that healthcare data breaches will continue to increase.

The 20 Largest Healthcare Breaches of 2017

The list of the 20 largest healthcare data breaches of 2017 is listed below.

Position Breached Entity Entity Type Records Exposed Cause of Breach
1 Commonwealth Health Corporation Healthcare Provider 697,800 Theft
2 Airway Oxygen, Inc. Healthcare Provider 500,000 Hacking/IT Incident
3 Women’s Health Care Group of PA, LLC Healthcare Provider 300,000 Hacking/IT Incident
4 Urology Austin, PLLC Healthcare Provider 279,663 Hacking/IT Incident
5 Pacific Alliance Medical Center Healthcare Provider 266,123 Hacking/IT Incident
6 Peachtree Neurological Clinic, P.C. Healthcare Provider 176,295 Hacking/IT Incident
7 Arkansas Oral & Facial Surgery Center Healthcare Provider 128,000 Hacking/IT Incident
8 McLaren Medical Group, Mid-Michigan Physicians Imaging Center Healthcare Provider 106,008 Hacking/IT Incident
9 Harrisburg Gastroenterology Ltd Healthcare Provider 93,323 Hacking/IT Incident
10 VisionQuest Eyecare Healthcare Provider 85,995 Hacking/IT Incident
11 Washington University School of Medicine Healthcare Provider 80,270 Hacking/IT Incident
12 Emory Healthcare Healthcare Provider 79,930 Hacking/IT Incident
13 Salina Family Healthcare Center Healthcare Provider 77,337 Hacking/IT Incident
14 Stephenville Medical & Surgical Clinic Healthcare Provider 75,000 Unauthorized Access/Disclosure
15 Morehead Memorial Hospital Healthcare Provider 66,000 Hacking/IT Incident
16 Primary Care Specialists, Inc. Healthcare Provider 65,000 Hacking/IT Incident
17 Enterprise Services LLC Business Associate 56,075 Unauthorized Access/Disclosure
18 ABCD Pediatrics, P.A. Healthcare Provider 55,447 Hacking/IT Incident
19 Network Health Health Plan 51,232 Hacking/IT Incident
20 Oklahoma Department of Human Services Health Plan 47,000 Hacking/IT Incident

The Largest Healthcare Data Breaches of 2017 Were Due to Hacking

One thing is abundantly clear from the list of the largest healthcare data breaches of 2017 is hacking/IT incidents affect more individuals than any other breach type. Hacking/IT incidents accounted for all but three of the largest healthcare data breaches of 2017.

In 2016, hacking incidents only accounted for 11 out of the top 20 data breaches and 12 of the top 20 in 2015. Hacking incidents therefore appear to be rising.

 

healthcare data breaches in 2017 (hacking)

 

The rise in hacking incidents can partly be explained by the increase in ransomware attacks on healthcare providers in 2017. Healthcare organizations are also getting better at discovering breaches.

Other Major Causes of Healthcare Data Breaches in 2017

Unauthorized access/disclosures continue to be a leading cause of healthcare data breaches, although there was a slight fall in numbers of these incidents in 2017. That decrease is offset by an increase in incidents involving the improper disposal of physical records and electronic devices used to store ePHI.

 

healthcare data breaches of 2017 (Unauthorized access/disclosures)

 

The use of encryption for stored data is more widespread, with many healthcare organizations having implemented encryption on all portable storage devices and laptops, which has helped to reduce the exposure of ePHI when electronic devices are stolen.

 

Healthcare Data Breaches of 2017 (loss/theft)

Minimizing the Risk of Healthcare Data Breaches

This year saw OCR publish the preliminary findings of its HIPAA compliance audits on HIPAA-covered entities. The audits revealed there is still widespread non-compliance with HIPAA Rules.

One of the biggest problems was not a lack of cybersecurity defenses, but the failure to conduct an enterprise-wide risk analysis.

Even with several layers of security, vulnerabilities are still likely to exist. Unless a comprehensive risk analysis is performed to identify security gaps, and those gaps are addressed, it will only be a matter of time before they are exploited.

Complying with HIPAA Rules will not prevent all data breaches, but it will ensure healthcare organizations achieve at least the minimum standard for data security, which will prevent the majority of healthcare data breaches.

There is a tendency to invest cybersecurity budgets in new technology, but it is important not to forget the basics. Many healthcare data breaches in 2017 could have been prevented had patches been applied promptly, if secure passwords had been chosen, and if cloud storage services and databases had been configured correctly. Many data breaches were caused as a result of employees leaving unencrypted laptops in risky locations – in unattended vehicles for instance.

Phishing remains one of the main ways that malicious actors gain access to protected health information, yet security awareness training is still not being provided frequently. As a result, employees are continuing to fall for phishing and social engineering scams. Technological solutions to block phishing emails are important, but healthcare organizations must also educate employees about the risks, teach them how to recognize scams, and reinforce training regularly. Only then will organizations be able to reduce the risk from phishing to an acceptable and appropriate level.

Insiders continue to be a major threat in healthcare. The value of data on the black market is high, and cash-strapped healthcare employees can be tempted to steal data to sell to identity thieves. Healthcare organizations can hammer the message home that data theft will be discovered and reported to law enforcement, but it is the responsibility of healthcare organizations to ensure policies and technologies are implemented to ensure that the unauthorized accessing of records – theft or snooping – is identified rapidly.  That means frequent audits of access logs and the use of automated monitoring solutions and user behavior analytics.

2017 was a bad year for ransomware attacks and extortion attempts on healthcare organizations. There is no sign that these attacks will slow in 2018, and if anything, they are likely to increase. Ensuring data is backed up will allow organizations to recover files in the event of an attack without having to pay a ransom. The rise in sabotage attacks – NotPetya for example – mean data loss is a real possibility if backups are not created.

By getting the basics right and investing in new technologies, it will be possible for the year on year rise in data breaches to be stopped. But until healthcare organizations get the basics right and comply with HIPAA Rules, healthcare data breaches are likely to continue to rise.

The post Largest Healthcare Data Breaches of 2017 appeared first on HIPAA Journal.

HHS Publishes Final Rule on Confidentiality of Substance Use Disorder Patient Records

The Department of Health and Human Services has published its final rule on the Confidentiality of Substance Use Disorder Patient Records, altering Substance Abuse and Mental Health Services Administration (SAMHSA) regulations.

The aim of the update is to better align regulations with advances in healthcare delivery in the United States, while ensuring patient’s privacy is protected when treatment for substance abuse disorders is sought. The final rule addresses the permitted uses and disclosures of patient identifying information for healthcare operations, payment, audits and evaluations.

The last substantial changes to the Confidentiality of Alcohol and Drug Abuse Patient Records (42 CFR part 2) regulations were in 1987. In 2016, SAMHSA submitted a Notice of Proposed Rulemaking in the Federal Register proposing updates to 42 CFR part 2. The proposed updates reflected the development of integrated health care models and the use of electronic exchange of patient information, while still ensuring patient privacy was protected to prevent improper disclosures.

After considering public comments, a final rule was published by SAMHSA in January 2017, which incorporated greater flexibility for disclosures within the healthcare system while still continuing to protect the confidentiality of substance use disorder records.

A supplemental notice of proposed rulemaking was also issued and public comments were sought on those additional proposals, which covered disclosures related to payment and healthcare operations that can be made to contractors, subcontractors, and legal representatives by lawful holders under the part 2 rule consent provisions, and disclosures for purposes of carrying out Medicaid, Medicare or Children’s Health Insurance Program (CHIP) audits or evaluations.

SAMHSA has now considered all 55 comments received, and has finalized its proposed revisions, taking those comments into consideration.

Several of the commenters sought better alignment with the Health Insurance Portability and Accountability Act (HIPAA) and/or the Health Information Technology for Economic and Clinical Health (HITECH) Act to promote better information flow, provide greater discretion for providers and administrators of services, the establishment of uniform workable regulations with respect to treatment, payment and operations, and to promote more innovative models of health care delivery.

SAMHSA has attempted to align the revisions with HIPAA and the HITECH Act as far as is possible, but explained, “It is important to note that part 2 and its authorizing statute are separate and distinct from HIPAA, the HITECH Act, and their implementing regulations.”

“Part 2 provides more stringent federal protections than other health privacy laws such as HIPAA and seeks to protect individuals with substance use disorders who could be subject to discrimination and legal consequences in the event that their information is improperly used or disclosed.”

Comments were received suggesting SAMHSA should make it easier for healthcare providers using alternative payment models to share records, as the lack of information about substance abuse disorders could negatively affect patient care.

There was considerable disagreement in the comments about whether care coordination and case management should be included in the list of permissible activities under payment and health care operations.

SAMHSA has decided not to include care coordination and case management and the list of permissible activities that SAMHSA considers to be payment and health care operations, and the list is ‘substantively unchanged.’

SAMHSA has also included language in the regulatory text that clarifies disclosures to contractors, subcontractors and legal representatives are not permitted for activities related to a patient’s diagnosis, treatment, or referral for treatment.

SAMHSA will continue to review all of the issues raised in the comments and will explore ways to better align Part 2 with HIPAA and HITECH, including future additional rulemaking for 42 CFR part 2.

A public meeting will also be held prior to March 21, 2018, to determine the effects of 42 CFR part 2 on patient care, health outcomes, and patient privacy. Stakeholders will be given the opportunity to provide input on implementation of part 2, including the changes adopted in the final rule.

The post HHS Publishes Final Rule on Confidentiality of Substance Use Disorder Patient Records appeared first on HIPAA Journal.

CMS Clarifies Position on Use of Text Messages in Healthcare

In November, the Centers for Medicare and Medicaid Services (CMS) explained in emails to healthcare providers that the use of text messages in healthcare is prohibited due to concerns about security and patient privacy.

SMS messages are not secure. The CMS was concerned that the use of text messages in healthcare will lead to the exposure of sensitive patient data and could threaten the integrity of medical records. While this is understandable as far as SMS messages are concerned, many secure messaging applications satisfy all the requirements of HIPAA – e.g. transmission security, access and authentication controls, audit controls, and safeguards to ensure the integrity of PHI.

The use of secure messaging platforms was raised with the CMS by some hospitals; however, the position of the CMS, based on the emails, appeared to be a total ban on the use of text messages in healthcare, even the use of secure messaging platforms.

In the emails, the CMS said, “After meeting with vendors regarding these [secure messaging] products, it was determined they cannot always ensure the privacy and confidentiality of PHI of the information being transmitted. This resulted in the no texting determination.”

In December, the Health Care Compliance Association (HCCA) published an article questioning the stance of the CMS. HCCA said in its Report on Medicare Compliance, that at least two hospitals had received emails from the CMS explaining all forms of text messaging were prohibited.

Nina Youngstrom, Managing Editor of the Report on Medicare Compliance, said in the article that several compliance officers and healthcare attorneys were horrified about the position of the CMS. One attorney said a total ban would be “Like going back to the dark ages.”

CMS explained that concern about text messages in healthcare was not just about transmission security. There was the potential for a lack of access controls on the senders’ and receivers’ devices, stored data may not necessarily be secure and encrypted, and the privacy of patients is not guaranteed. Another concern was information transmitted via text messages also needs to be entered into the patient record and made available for retrieval.

Last year, the Joint Commission relaxed its ban on the use of text messages in healthcare for sending patient orders, only to later backtrack and reinstate the ban. The Joint Commission’s current position is the use of text messaging in healthcare is permitted, provided a secure messaging platform is used. However, the ban on the use of text messages for sending orders for patient care remains in place.

The CMS appeared to be saying no to all forms of text messaging, even though a large percentage of hospitals have switched over to secure text messaging platforms and are finally replacing their outdated pagers. Such a ban would therefore not be too dissimilar to implementing a ban on email, given how text messaging is so extensively used in healthcare.

A recent survey conducted by the Institute for Safe Medication Practices (ISMP) confirms this. In its survey of 788 healthcare professionals, 45% of pharmacists and 35% percent of nurses said texting was used in their facilities. 53% said there was a policy in place prohibiting the use of text messages for patient orders, but despite the Joint Commission ban, 12% said texting patient orders was allowed – 8% only when a secure platform was used and 3% said text messages were permitted under any circumstances.

CMS Confirms The Use of Text Messages in Healthcare is Permitted

On December 28, 2017, a month after the emails were sent, the CMS sent a memo clarifying its position on the use of text messages in healthcare, confirming there is not a total ban in place.

The CMS explained that the ban on the use of all forms of text messaging, including secure text messaging systems, remains in place for orders by physicians or other health care providers. “The practice of texting orders from a provider to a member of the care team is not in compliance with the Conditions of Participation (CoPs) or Conditions for Coverage (CfCs),” specifically stating §489.24(b) and §489.24(c) apply.

Order entries should be made by providers using Computerized Provider Order Entry (CPOE), or via hand written orders. The CMS explained that, “An order if entered via CPOE, with an immediate download into the provider’s electronic health records (EHR), is permitted as the order would be dated, timed, authenticated, and promptly placed in the medical record.”

The CMS accepts that text messages are an important means of communication in healthcare, and that text messages are now essential for effective communication between care team members. However, in order to comply with the CoPs and CfCs, healthcare organizations must use and maintain text messaging systems/platforms that are secure.

Those platforms must encrypt messages in transit and healthcare organizations are required to assess and minimize the risks to the confidentiality, integrity, and availability of PHI as required by HIPAA. The CMS also explained that “It is expected that providers/organizations will implement procedures/processes that routinely assess the security and integrity of the texting systems/platforms that are being utilized, in order to avoid negative outcomes that could compromise the care of patients.”

The stance of the CMS is therefore aligned with that of the Joint Commission. Secure text messaging platforms can be used in healthcare, just not for texting orders. Even though secure text messaging meet HIPAA requirements for privacy and security, the ban remains in place over concerns about inputting orders sent by text messages into the EHR. CPOE is still the preferred method of entry to ensure accuracy.

The post CMS Clarifies Position on Use of Text Messages in Healthcare appeared first on HIPAA Journal.