HIPAA Compliance News

L.A. Care Health Plan Settles Multiple HIPAA Violations for $1.3 Million

Posted by Steve Alder

The Local Initiative Health Authority for Los Angeles County, operating as L.A. Care Health Plan, has settled multiple violations of the HIPAA Privacy and Security Rules with the HHS’ Office for Civil Rights (OCR) and will pay a $1,300,000 penalty and adopt a robust corrective action plan.

L.A. Care Health Plan is the largest publicly operated health plan in the United States and has more than 2.7 million members. OCR said it launched two separate investigations of L.A. Care Health Plan to assess the state of HIPAA compliance, the first of which was in response to a media report about impermissible disclosures of protected health information (PHI) via its member portal and the second was in response to a breach that was reported to OCR involving the PHI of 1,498 members.

In 2016, a media outlet reported that members of the health plan were able to access the protected health information (PHI) of other members via the online member portal over a 2-day period in 2014 due to a manual processing error. OCR informed L.A. Care Health Plan it had initiated a compliance review and in February 2016, L.A. Care Health Plan reported the breach to OCR as affecting fewer than 500 individuals. In March 2019, L.A. Care Health Plan notified OCR about a 1,498-record data breach caused by a mailing error that saw members receive the ID cards of other health plan members.

OCR determined that there had been several failures to fully comply with the requirements of the HIPAA Privacy and Security Rules. The resolution agreement lists 6 potential HIPAA violations identified by its investigators.

  1. A failure to conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all ePHI – 45 C.F.R. § 164.308(a)(1)(ii)(A).
  2. A failure to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level – 45 C.F.R. § 164.308(a)(1)(ii)(B).
  3. A failure to implement sufficient procedures to regularly review records of information system activity – 45 C.F.R. § 164.308(a)(1)(ii)(D).
  4. A failure to perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of ePHI – 45 CFR F.R. § 164.308(a)(8).
  5. A failure to implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI – 45 C.F.R. 164.312(b).
  6. The impermissible disclosure of the ePHI of 1,498 individuals – 45 C.F.R. § 164.502(a).

L.A. Care Health Plan chose to settle the investigations with no admission of liability and agreed to pay a $1,300,000 financial penalty and adopt a corrective action plan to correct the alleged HIPAA violations. The corrective action plan includes the requirement to conduct a comprehensive, organization-wide risk analysis, develop a risk management plan, develop, implement, and distribute policies and procedures for a risk analysis and risk management plan, report to OCR when evaluations of environmental and operational changes are conducted, and to report HIPAA violations by employees to OCR within 30 days.

“Breaches of protected health information by a HIPAA-regulated entity often reveal systemic, noncompliance with the HIPAA Rules,” said OCR Director Melanie Fontes Rainer.  “HIPAA-regulated entities need to be proactive in ensuring their compliance with the HIPAA Rules, and not wait for OCR to reveal long-standing HIPAA deficiencies.  Entities such as LA Care must protect the health information of its insureds while providing health care for the most vulnerable residents of Los Angeles County through its coverage, which includes Medicaid, Medicare, and Affordable Care Act health plans.”

The post L.A. Care Health Plan Settles Multiple HIPAA Violations for $1.3 Million appeared first on HIPAA Journal.

Kaiser Pays $49 Million to Settle Improper Disposal Investigation

Posted by Steve Alder

California Attorney General Rob Bonta has announced a $49 million settlement has been reached with Kaiser Foundation Health Plan Foundation Inc. and Kaiser Foundation Hospitals to resolve allegations of improper disposal of hazardous waste, medical waste, and protected health information.

Oakland, CA-based Kaiser is the largest healthcare provider in California with more than 700 healthcare facilities in the state, serving more than 8.8 million patients. An investigation was launched by 6 district attorneys from Alameda, San Bernardino, San Francisco, San Joaquin, San Mateo, and Yolo counties into the unlawful dumping of dangerous items.  Undercover staff from the district attorneys’ offices inspected dumpsters at 16 different Kaiser facilities. The dumpsters were not secured and the contents were destined for disposal in landfill sites.

The inspectors found hundreds of items of hazardous and medical waste, including aerosols, cleansers, sanitizers, batteries, syringes, medical tubing containing body fluids, pharmaceuticals, and electronic wastes. The dumpsters also contained more than 10,000 paper records that contained the protected health information of 7,700 patients. The California Department of Justice later joined the investigation and expanded it statewide at other Kaiser facilities. Kaiser was alleged to have violated the Health Insurance Portability and Accountability Act (HIPAA), and California’s Hazardous Waste Control Law, Medical Waste Management Act, Confidentiality of Medical Information Act, Customer Records Law, and Unfair Competition Law.

In response to the investigation, Kaiser engaged a third-party consultant to conduct more than 1,100 trash audits at its facilities and its operating procedures have been updated to ensure proper waste disposal across its facilities in California. The settlement consists of $37,513,000 in civil penalties, $4,832,000 in attorneys’ fees and costs, and $4,905,000 for supplemental environmental projects. A further $1.75 million in civil monetary penalties must be paid if Kaiser has not invested a further $3.5 million in its Californian facilities to provide enhanced environmental compliance measures.

Kaiser is also required to retain an independent third-party auditor to conduct more than 520 trash compactor audits at its California facilities to make sure hazardous items and protected health information are not being disposed of in regular trash, and at least 40 programmatic field audits must be conducted each year for the next 5 years to evaluate compliance with its policies covering hazardous waste, medical waste, and protected health information.

“The illegal disposal of hazardous and medical waste puts the environment, workers, and the public at risk. It also violates numerous federal and state laws,” said Attorney General Bonta. “As a healthcare provider, Kaiser should know that it has specific legal obligations to properly dispose of medical waste and safeguard patients’ medical information. I am pleased that Kaiser has been cooperative with my office and the district attorneys’ offices, and that it took immediate action to address the alleged violations.”

The post Kaiser Pays $49 Million to Settle Improper Disposal Investigation appeared first on HIPAA Journal.

OCR, FTC Publish Online Tracking Technology Warning Letters

Posted by Steve Alder

The Department of Health and Human Services’ Office for Civil Rights (OCR) and the Federal Trade Commission (FTC) have published the letters that were sent to hospital systems and telehealth providers in July 2023 advising them about the privacy risks associated with website tracking technologies such as Meta Pixel and Google Analytics.

The widespread use of these tools on hospital websites and the risk of impermissible disclosures of protected health information (PHI) prompted OCR to issue guidance for HIPAA-regulated entities in December 2022. OCR stated in the guidance that these tools are not permitted under HIPAA unless consent is obtained via HIPAA authorizations or if there is a valid business associate relationship with the technology provider and a corresponding HIPAA-compliant business associate agreement (BAA). The FTC has also taken an interest in these tools and has taken action against non-HIPAA-regulated entities for alleged violations of the FTC Act and the FTC’s Health Breach Notification Rule with respect to tracking technologies.

The July 2023 letters explain that serious privacy and security risks have been identified with online tracking technologies and the recipients of the letters were warned that their websites and mobile applications may have these tracking tools in place that could be disclosing consumers’ sensitive personal health information to third parties. The types of information disclosed would depend on where the tracking technologies have been added. If they have been added to appointment scheduling apps or behind the logins of patient portals they could disclose highly sensitive information to third parties such as health conditions, diagnoses, medications, treatment information, treatment locations, frequency of visits, and more, along with identifiers that link that information to individuals. The disclosed information could be used by third parties for advertising purposes and could potentially result in identity theft, financial loss, discrimination, stigma, mental anguish, or other serious negative consequences to the reputation, health, or physical safety of the individual or to others.

The recipients of the letters, which include a diverse range of HIPAA-regulated entities and non-HIPAA-covered entities that collect health information, have been advised to review OCR and FTC guidance, assess the extent to which tracking technologies are in use, and ensure they are fully protecting the privacy and security of individuals’ health information.

The recipients of the letters have now been made public in the 387-page PDF document jointly published by OCR and FTC on their websites. While OCR and the FTC had reason to issue the letters to these organizations, receipt of a letter does not mean that tracking technologies are currently being used or HIPAA, the FTC Act, or the Health Breach Notification Rule have been violated. The recipients of the letters are listed below.

ADHD Online, MI DearBrightly, CA Kick Health, WA Peace Health, WA Strut Health, TX
Advocate Aurora Health, WI Done, CA KwikMed, AZ Penn Medicine Chester County Hospital, PA Talkiatry, NY
Alfie, NY Dorsal, NY LCMC Health System, LA Penn Medicine, PA Talkspace, NY
Alpha, CA Duke University Health System, NC Lemonaid, CA Picnic, NY Tampa General Hospital, FL
Apostrophe, CA El Camino Hospital, CA Loyola Medicine, IL Piedmont Healthcare, GA Texas Health Resources, TX
Array Behavioral Care, NJ Eleanor Health, MA Mantra Health, NY Plume, CO The Wellness Company, RI
Ascension, MO Elektra Health, NY Marshall Medical Center, CA PRJKT RUBY, AZ Thomas Jefferson Hospital, PA
Barnes-Jewish Hospital, MO Everlywell, TX MedStar Health, MD Push Health, CA Tufts Medical Center, MA
Barton Healthcare System, CA Facet, NY Memorial Healthcare System, FL QCare Plus, FL UC Davis Health, CA
Beaumont Health System, MI Favor, CA MemorialCare Long Beach Medical Center, CA Quick MD, CA UCLA Reagan Medical Center, CA
Bellin Health, WI Folx, MA Mercy Medical Center, MD Relief Labs, Inc. d/b/a Clearing, NY UCSF Office of Legal Affairs, CA
Bicycle Health, MA Found, CA Middlesex Health, CT Remedy Psychiatry, CA UnityPoint Health, IA
Bon Secours Mercy Health, OH Froedtert Hospital and the Medical College of Wisconsin, WI Mindbloom, FL Renown Health, NV University Hospitals Cleveland Medical Center, OH
Boulder Care, OR Gennev, WA Minded, NY Riverside Health System, VA University of Chicago Medicine, IL
Brigham and Women’s Faulkner Hospital, MA Grady Health System, GA Mistr, FL Rochester Regional Health, NY University of Iowa Hospitals and Clinics, IA
Brightline, CA Henry Ford Hospital, MI MultiCare Health System, WA Roman, NY University of Kansas Health System, KS
Brightside, CA Hers, CA Musely, CA Rush University Medical Center, IL University of Pittsburgh Medical Center, PA
Calibrate, NY Hims, CA My Ketamine Home, FL Salem Health, OR University of Texas Southwestern Medical Center, TX
CallonDoc, TX Hone Health, NY Nemours Children’s Health, FL Sanford USD Medical Center, SD University of Vermont Health Network, VT
Cedars-Sinai Medical Center, CA Honor Health, AZ New York Presbyterian Hospital, NY Sarasota Memorial Health Care System, FL Wexner Medical Center, OH
Chesapeake Regional Healthcare, VA Houston Methodist, TX Northwestern Medicine Central DuPage Hospital, IL Scripps Memorial Hospital La Jolla – Scripps Health, CA Willis-Knighton Health System, LA
Children’s Wisconsin, WI Inova Health System, VA Northwestern Memorial Healthcare, IL Sharp Healthcare, CA Wisp, CA
Cone Health, NC Invigor Medical, WA Nue Life, FL Sparrow Health Systems, MI Wondermed, CA
Cove, NY Johns Hopkins Hospital, MD Nurx, CA St. Joseph Mercy Health System, MI Workit, FL
Covenant Health, TN K Health, NY Oar, NY St. Luke’s Health System, ID Yale New Haven Health, CT
Curology, CA Keeps, NY Ophelia, NY St. Tammany Health System, LA

The post OCR, FTC Publish Online Tracking Technology Warning Letters appeared first on HIPAA Journal.

Judge Questions Whether Website Metadata is Regulated by HIPAA

Posted by Steve Alder

The HHS’ Office for Civil Rights released guidance in 2022 on HIPAA and website tracking technologies and confirmed disclosures of protected health information to third parties via website tracking technologies is a HIPAA violation unless authorization has been received from patients or if there is a valid business associate agreement in place. OCR and the Federal Trade Commission also wrote to 130 healthcare and telehealth providers to warn them about tracking technologies on their websites and OCR has made HIPAA violations related to website tracking tools an enforcement priority.

However, OCR’s interpretation that metadata is regulated under the Health Insurance Portability and Accountability Act has been questioned by an Illinois court in a ruling on a class action lawsuit that was filed against a healthcare provider over the disclosure of patient data via website tracking technologies.

The lawsuit – Marguerite Kurowski and Brenda McClendon v. Rush System for Health d/b/a Rush University System for Health – was filed in District Court for the Northern District of Illinois, Eastern Division and alleged that third-party tracking code had been placed on the defendant’s website and MyChart patient portal which resulted in the plaintiffs’ individually identifiable health information (IIHI) being disclosed to Facebook, Google, and Bidtellect for advertising purposes.

The lawsuit was initially dismissed for the failure to state a claim aside from the request for injunctive relief, then an amended complaint was filed that asserted the same 5 claims plus a further 6. The lawsuit alleged violations of the federal Wiretap Act as amended by the Electronic Communications Privacy Act of 1986, breach of an implied duty of confidentiality, violations of the Illinois Consumer Fraud and Deceptive Business Practices Act, violations of the Illinois Uniform Deceptive Trade Practices Act, intrusion upon seclusion, publication of private facts, trespass to chattels, breach of contract, breach of the duty of good faith and fair dealing, unjust enrichment, and violations of the Illinois Eavesdropping Act.

Rush moved to have the amended lawsuit dismissed and the court granted the motion for all counts aside from the breach of contract and Illinois Eavesdropping Act claims. The lawsuit claimed that per OCR guidance, the disclosure of IIHI to Meta, Google, and Bidtellect was a HIPAA violation; however, in the ruling dismissing the wiretapping claim, the court rejected using the HHS bulletin as a basis for assessing liability under federal wiretapping laws and also questioned whether website metadata actually qualified as IIHI.

“The interpretation of IIHI offered by HHS in its guidance goes well beyond the meaning of what the statute can bear. As just described, IIHI under section 1320d(6) must, in addition to other requirements, “relate to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual,” wrote District Judge, Matthew F. Kennelly. “The type of metadata that Kurowski alleges was transmitted via third-party source code does not in the least bit fit into that category.”

While it is possible that information disclosed in private communications between the plaintiff and the defendant via the website may have been transmitted to third parties and the transmitted information may qualify as IIHI, the plaintiff contended that it was unreasonable to expect her to disclose that type of intimate information she transmitted to the defendant in her complaint. “Kurowski could have requested to file the complaint under seal,” wrote Kennelly. “Kurowski cannot reasonably expect to bring a lawsuit related to the invasion of her medical privacy and completely evade revealing what it is that she alleges Rush disclosed to third parties.”

The post Judge Questions Whether Website Metadata is Regulated by HIPAA appeared first on HIPAA Journal.

Joint Commission Issues Guidance on Ensuring Patient Safety After a Cyberattack

Posted by Steve Alder

The Joint Commission has issued a Sentinel Event Alert offering guidance on preserving patient safety following a cyberattack. Healthcare cyberattacks have been increasing in number and sophistication and it is no longer a case of if a healthcare organization will be attacked but when.

Cyberattacks can cause considerable disruption to healthcare operations and put patient care at risk so it is critical that healthcare organizations do all they can to prevent cyberattacks, such as decreasing the attack surface, updating software and patching promptly, providing phishing awareness training, and implementing a range of cybersecurity solutions. Healthcare organizations must also plan for the worst case scenario and must assume that their defenses will be breached. They must therefore have a tried and tested incident response plan that can be activated immediately in the event of a cyberattack.

When defenses are breached and unauthorized individuals have established a foothold in internal networks, a great deal of the recovery process will be handled by the IT department; however, all hospital staff members must be prepared to operate during such an emergency and must be included in the incident response planning process. A good starting point is the hazards vulnerability analysis (HVA), which is required by the Joint Commission. The HVA must cover human-related hazards, which include cyberattacks. The HVA helps hospitals identify and implement mitigation and preparedness actions to reduce the disruption of services and functions and ensure patient safety in the event of an attack. The Joint Commission also requires a continuity of operations plan, disaster recovery plan, emergency management education and training program, and these must be evaluated annually.

The Sentinel Event Alert provides recommendations on these processes specific to cyberattacks:

  • Evaluate HVA findings and prioritize hospital services that must remain operational and safe during extended downtime.
  • Form a downtime planning committee to develop preparedness actions and mitigations. The planning committee should include representation from all stakeholders.
  • Develop downtime plans, procedures, and resources and ensure they are regularly updated.
  • Designate response teams – An interdisciplinary team should be created that can be mobilized following a cyberattack.
  • Train team leaders, teams, and all staff on operating procedures during downtimes. Develop drills and exercises to ensure staff members are familiar with downtime resources.
  • Establish situational awareness with effective communication throughout the organization and with patients and families.
  • Following a cyberattack, regroup, evaluate, and make necessary improvements to the incident response plan and improve protections for systems to address the specific failures that allowed the attack to succeed.

“Cyberattacks cause a variety of care disruptions – leading to patient harm and severe financial repercussions,” said David W. Baker, MD, MPH, FACP, the Joint Commission’s executive vice president for healthcare quality evaluation and improvement. “Taking action now can help prepare healthcare organizations to deliver safe patient care in the event of future cyberattacks. The recommendations in the Sentinel Event Alert, as well as The Joint Commission’s related requirements on establishing and following a continuity of operations plan, disaster recovery plan and more, can help healthcare organizations successfully respond to a cyber emergency.”

The post Joint Commission Issues Guidance on Ensuring Patient Safety After a Cyberattack appeared first on HIPAA Journal.

July 2023 Healthcare Data Breach Report

Posted by Steve Alder

There was a 15.2% fall in reported data breaches in July with 56 breaches of 500 or more records reported to the HHS’ Office for Civil Rights (OCR), which makes July an average month for data breaches. Over the past 12 months, 57 breaches have been reported each month on average; however, July was not an average month in terms of the number of compromised records.

There was a 261% month-over-month increase in breached records in July, with 18,116,982 records breached across the 56 reported incidents. The incredibly high total was due to a major data breach at HCA Healthcare that saw the records of 11,270,000 individuals compromised.

The figures this month bring the running breach total for 2023 up to 395 incidents, across which the records of 59,569,604 individuals have been exposed or stolen. The average breach size for 2023 is 150,809 records and the median breach size is 4,209 records. Over the past 12 months, more than 81.76 million records have been breached across 683 incidents.

Largest Healthcare Data Breaches Reported in July

HCA Healthcare is a Nashville, TN-based health system that operates 182 hospitals and around 2,300 sites of care. Hackers gained access to an external electronic storage facility that was used by a business associate for automating the formatting of email messages, such as reminders sent to patients about scheduling appointments. While the breach was one of the largest ever reported, the data stolen in the attack was limited. HCA Healthcare said the data compromised was limited to name, city, state, zip code, email, telephone number, date of birth, gender, service date, location, and, in some instances, the date of the next appointment.

The second largest breach, reported by the Centers for Medicare and Medicaid Services (CMS) as affecting 1,362,470 Medicare recipients, was more severe due to the types of data compromised. The breach occurred at a CMS contractor, Maximus Federal Services, Inc. (Maximus). Maximus was one of hundreds of organizations to fall victim to the mass exploitation of a zero-day vulnerability in Progress Software’s MOVEit Transfer file transfer solution. Progress Software identified the vulnerability and issued a patch on May 31, 2023; however, the vulnerability had already been exploited by the Clop hacking group. The total number of victims of this breach has yet to be determined; however, Kon Briefing has been tracking the breach reports and reports that at least 734 organizations had the vulnerability exploited and between 42.7 million and 47.6 million records were stolen in the attack. Clop did not encrypt data, just stole files and issued ransom demands, payment of which was required to prevent the release or sale of the stolen data. In July, 26 breaches of 10,000 or more records were reported to OCR, 11 of which were due to the exploitation of the MOVEit vulnerability. All but two of the 26 breaches were due to hacking incidents.

Name of Covered Entity State Covered Entity Type Individuals Affected Type of Breach Cause of Breach
HCA Healthcare TN Business Associate 11,270,000 Hacking/IT Incident Hacking Incident – External, electronic storage facility used by a business associate
Centers for Medicare & Medicaid Services MD Health Plan 1,362,470 Hacking/IT Incident Hacking incident – MOVEit Transfer data theft/extortion (Maximus)
Florida Health Sciences Center, Inc. dba Tampa General Hospital FL Healthcare Provider 1,313,636 Hacking/IT Incident Hacking incident – Ransomware attack
Pension Benefit Information, LLC MN Business Associate 1,209,825 Hacking/IT Incident Hacking incident – MOVEit Transfer data theft/extortion
Allegheny County PA Healthcare Provider 689,686 Hacking/IT Incident Hacking incident – MOVEit Transfer data theft/extortion
United Healthcare Services, Inc. Single Affiliated Covered Entity CT Health Plan 398,319 Hacking/IT Incident Hacking incident
Johns Hopkins Medicine MD Healthcare Provider 310,405 Hacking/IT Incident Hacking incident – MOVEit Transfer data theft/extortion
Harris County Hospital District d/b/a Harris Health System TX Healthcare Provider 224,703 Hacking/IT Incident Hacking incident – MOVEit Transfer data theft/extortion
Precision Anesthesia Billing LLC FL Business Associate 209,200 Hacking/IT Incident Hacking incident – Ransomware attack
Fairfax Oral and Maxillofacial Surgery VA Healthcare Provider 208,194 Hacking/IT Incident Hacking incident
The Chattanooga Heart Institute TN Healthcare Provider 170,450 Hacking/IT Incident Hacking incident – Data theft confirmed
Phoenician Medical Center, Inc AZ Healthcare Provider 162,500 Hacking/IT Incident Hacking incident – Data theft confirmed
UT Southwestern Medical Center TX Healthcare Provider 98,437 Hacking/IT Incident Hacking incident – MOVEit Transfer data theft/extortion
Hillsborough County, Florida (County Government) FL Healthcare Provider 70,636 Hacking/IT Incident Hacking incident – MOVEit Transfer data theft/extortion
Family Vision of Anderson, P.A. SC Healthcare Provider 62,631 Hacking/IT Incident Hacking incident – Ransomware attack
Jefferson County Health Center IA Healthcare Provider 53,827 Hacking/IT Incident Hacking incident – Data theft confirmed (Karakurt threat group)
New England Life Care, Inc. ME Healthcare Provider 51,854 Hacking/IT Incident Hacking incident
Care N’ Care Insurance Company, Inc. TX Health Plan 33,032 Hacking/IT Incident Hacking incident – MOVEit Transfer data theft/extortion (TMG Health Inc)
Synergy Healthcare Services GA Business Associate 25,772 Hacking/IT Incident Hacking incident
Rite Aid Corporation PA Healthcare Provider 24,400 Hacking/IT Incident Hacking incident – MOVEit Transfer data theft/extortion
Life Management Center of Northwest Florida, Inc. FL Healthcare Provider 19,107 Hacking/IT Incident Hacking incident
Saint Francis Health System OK Healthcare Provider 18,911 Hacking/IT Incident Hacking incident – MOVEit Transfer data theft/extortion
Pennsylvania Department of Human Services PA Healthcare Provider 16,390 Unauthorized Access/Disclosure Hacking incident – Unauthorized access to a system test website
The Vitality Group, LLC IL Business Associate 15,569 Hacking/IT Incident Hacking incident – MOVEit Transfer data theft/extortion
Wake Family Eye Care NC Healthcare Provider 14,264 Hacking/IT Incident Hacking incident – Ransomware attack
East Houston Med and Ped Clinic TX Healthcare Provider 10,000 Unauthorized Access/Disclosure Storage unit sold that contained boxes of patient records

Causes of July 2023 Data Breaches

Hacking incidents dominated the breach reports in July, with 49 incidents reported to OCR involving 18,083,328 records. The average breach size was 369,048 records and the median breach size was 9,383 records. The majority of these incidents were data theft and extortion incidents, where hackers gained access to networks, stole data, and issued ransom demands. Many hacking groups are now choosing not to encrypt files and are concentrating on data theft and extortion. When claiming responsibility for the MOVEit attacks, a spokesperson for the Clop group said they could have encrypted data but chose not to.

There were 7 unauthorized access/disclosure incidents reported involving the PHI of 33,654 individuals. The average breach size was 4,808 records and the median breach size was 1,541 records. Three of those incidents involved unauthorized access to paper records and three were email-related data breaches. There were no reported breaches involving the loss, theft, or impermissible disclosure of physical records or devices containing electronic PHI.

Where did the Data Breaches Occur?

The OCR breach portal lists data breaches by the reporting entity, although that is not necessarily where the data breach occurred. Business associates of HIPAA-covered entities may report their own breaches, they may be reported by the covered entity, or a combination of the two. For instance, Maximus reported its MOVEit Transfer breach as affecting 932 individuals, but many of its clients were affected and the total number of individuals affected was in the millions.

The raw data on the breach portal indicates 37 breaches at healthcare providers, 11 breaches at business associates, 7 at health plans, and one breach at a healthcare clearing house. The charts below are based on where the breach occurred, rather than the reporting entity.

Geographical Distribution of Data Breaches

Data breaches of 500 or more records were reported by HIPAA-regulated entities in 25 states. Texas was the worst affected state with 7 breaches, with Florida and California also badly affected.

State Breaches
Texas 7
Florida 6
California 5
Maryland, Pennsylvania & Tennessee 4
Arizona & North Carolina 3
Connecticut, Illinois & Minnesota 2
Georgia, Idaho, Indiana, Iowa, Kentucky, Maine, Michigan, New Jersey, New York, Ohio, Oklahoma, South Carolina, Virginia & Washington 1

HIPAA Enforcement Activity in July 2023

There were no enforcement actions announced by OCR or state attorneys general in July to resolve HIPAA violations.

The post July 2023 Healthcare Data Breach Report appeared first on HIPAA Journal.

OCR’s COVID-19 Telehealth Enforcement Discretion Transition Period Ends

Posted by Steve Alder

At 11.59 pm on August 9, 2023, the transition period for ensuring telehealth services are fully HIPAA-compliant came to an end. Healthcare providers must now ensure that their telehealth services are provided using platforms that are fully compliant with the HIPAA Rules.

The enforcement discretion policy was initiated for telehealth in response to the COVID-19 pandemic. OCR announced that it would not impose sanctions and penalties for HIPAA violations in connection with the good faith provision of telehealth services, provided non-public facing remote communications technologies were used for providing telehealth services. That meant that communications platforms that would not normally be permitted under HIPAA could be used for providing telehealth services, such as platforms provided by vendors who would not sign business associate agreements covering their products.

The enforcement discretion period was in effect for the duration of the COVID-19 Public Health Emergency (PHE); however, when the PHE came to an end, OCR announced there would be a 90-day transition period to give healthcare providers time to ensure their communication tools were made HIPAA-compliant or transition to an alternative communications tool that is fully compliant with the HIPAA Rules. Now that the enforcement discretion period and the transition period are over, healthcare providers must only use fully compliant communications tools for providing telehealth services or risk financial penalties.

OCR has published guidance to help healthcare providers provide audio-only telehealth services and ensure compliance with the HIPAA Rules. The guidance includes answers to commonly asked questions with respect to HIPAA and telehealth and can be viewed on the HHS website.

The post OCR’s COVID-19 Telehealth Enforcement Discretion Transition Period Ends appeared first on HIPAA Journal.

AHA, AMA, BCBSA Urge CMS Not to Adopt Proposed Standards for Healthcare Attachments

Posted by Steve Alder

The HHS’ Centers for Medicare and Medicaid Services (CMS) is being urged not to implement the proposed standards for prior authorization attachments, as detailed in its December 2022 Notice of Proposed Rulemaking (NPR). In a letter to CMS Administrator, Chiquita Brooks-LaSure, the American Hospital Association (AHA), American Medical Association (AMA), and Blue Cross Blue Shield Association (BCBSA) applauded the CMS for its focus on reforming prior authorization to ensure timely access to care for patients while minimizing manual paperwork for all healthcare stakeholders, but expressed their concern that the proposed changes would likely cause widespread industry confusion, be enormously expensive, and would create the same costly burdens that the proposed standards seek to alleviate.

“First, major efforts are underway to automate PA-related data exchange leveraging Health Level 7 (HL7) Fast Healthcare Interoperability Resources (FHIR) implementation guides,” explained the trade groups in the letter. “Secondly, and even more significantly, the Advancing Interoperability and Improving Prior Authorization NPRM (CMS-0057-P) would require federally regulated health plans to offer HL7 FHIR-based application programming interfaces to support electronic PA information exchange. In contrast, the attachments NPRM would require a combination of both X12 and HL7 standards and apply to all health plans under the Health Insurance Portability and Accountability Act (HIPAA) regulatory pathway.”

The NPRMs would create conflicting provisions and would establish two different sets of standards and workflows to complete the prior authorization process and federally regulated health plans would be required to crosswalk the two standards for no discernible benefit. That would directly counter the foundational principles of the original HIPAA administrative simplification regulations, which require the adoption of uniform electronic standards to support communication between providers and all health plans. As such, the AHA, AMA, and BCBSA strongly advise against the adoption of the standards for prior authorization attachments.

The post AHA, AMA, BCBSA Urge CMS Not to Adopt Proposed Standards for Healthcare Attachments appeared first on HIPAA Journal.

OCR/FTC Warn Hospitals & Telehealth Companies About Tracking Technologies

Posted by Steve Alder

The Department of Health and Human Services’ Office for Civil Rights (OCR) and the Federal Trade Commission (FTC) have written to 130 hospitals and telehealth providers warning them about the risks of using tracking technologies such as pixels on their websites and web apps which may disclose sensitive health information to third parties in violation of the HIPAA Rules and the FTC Act.

A study published in Health Affairs suggests 98.6% of US nonfederal acute care hospitals have used tracking technologies on their websites, and a 2022 analysis by The Markup found one-third of the top 100 hospitals in the United States were using tracking technologies on their websites that could collect individually identifiable information, including information about health conditions. Following these discoveries, several hospitals and health systems reported breaches of protected health information, some of which involved impermissible disclosures of millions of patient records.

A later study by The Markup found that the technologies were also widely used by telehealth companies. Even companies that are not required to comply with the HIPAA Rules have an obligation to protect personal health information against impermissible disclosure. The FTC has already taken action against entities that are not covered by HIPAA, such as GoodRx, BetterHelp, and Premom, over the use of these tracking technologies for alleged violations of the FTC Act and Health Breach Notification Rule.

In December 2022, OCR issued guidance to HIPAA-regulated entities on HIPAA and tracking technologies. While these tools can provide valuable insights for improving the services provided to patients, these technologies can collect and transmit information protected by HIPAA. Further, these technologies also permit the tracking of users even after they navigate away from the website or mobile app where the tracking technology is used. Any information transmitted to a third party may then be used for a purpose not permitted under the HIPAA Rules, and the collected information may be further disclosed to other third parties.

“When consumers visit a hospital’s website or seek telehealth services, they should not have to worry that their most private and sensitive health information may be disclosed to advertisers and other unnamed, hidden third parties,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “The FTC is again serving notice that companies need to exercise extreme caution when using online tracking technologies and that we will continue doing everything in our powers to protect consumers’ health information from potential misuse and exploitation.”

“Although online tracking technologies can be used for beneficial purposes, patients and others should not have to sacrifice the privacy of their health information when using a hospital’s website,” said Melanie Fontes Rainer, OCR Director. “OCR continues to be concerned about impermissible disclosures of health information to third parties and will use all of its resources to address this issue.”

The letters were jointly sent by OCR and the FTC to 130 entities cautioning them about tracking technologies on websites and mobile apps that can potentially disclose sensitive health data. The organizations that were sent the letters are believed to have used or are using tracking technologies such as Pixel from Meta/Facebook and Google

Analytics code to collect and analyze user interactions on websites and web apps. The letters do not mean that an organization has been found to be in violation of violated HIPAA or the FTC Act nor does the failure to receive a letter mean that an organization is in the clear. All organizations that collect personal health information should review their websites and web apps to identify any tracking technologies and ensure they are fully compliant with all relevant laws. If tracking technologies are discovered to have been used on websites or apps that impermissibly disclosed personal health information or protected health information to third parties, then the breaches should be reported in accordance with the HIPAA Breach Notification Rule and FTC Health Breach Notification Rule.

“Both agencies are closely watching developments in this area,” explained the FTC and OCR in the letters. “To the extent you are using the tracking technologies described in this letter on your website or app, we strongly encourage you to review the laws cited in this letter and take actions to protect the privacy and security of individuals’ health information.”

The post OCR/FTC Warn Hospitals & Telehealth Companies About Tracking Technologies appeared first on HIPAA Journal.