HIPAA Compliance News

Are You Blocking Ex-Employees’ PHI Access Promptly?

A recent study commissioned by OneLogin has revealed many organizations are not doing enough to prevent data breaches by ex-employees.

Access to computer systems and applications is a requirement while employed, but many organizations are failing to block access to systems promptly when employees leave the company, even though ex-employees pose a significant data security risk.

Blocking access to networks and email accounts when an employee is terminated or otherwise leaves the company is one of the most basic security measures, yet all too often the process is delayed.

500 IT employees who had some responsibility for security in their organization were interviewed for the study and approximately half of respondents said they do not immediately terminate ex-employees’ network access rights. 48% said it takes longer than a day to delete ex-employees’ login credentials.

A quarter of respondents said it can take up to a week to block access, while one in five respondents said it can take up to a month to deprovision ex-employees. That gives them plenty of time to gain access to systems and steal information. Almost half of respondents were aware of ex-employees who still had access to company systems, while 44% of respondents lacked confidence that ex-employees had been removed from their networks.

Deprovisioning ex-employees can be a labor-intensive task and IT departments are under considerable time pressure. It is all too easy to postpone the task and concentrate on other more pressing issues. Automatic provisioning technology can reduce the time burden and improve security, but many organizations continue to perform the task manually. Whether automatic or manual, deprovisioning should take place promptly – as soon as the individual is terminated or employment ceases.
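One way to make the prompt-deprovisioning check described above mechanical, as an added example (not code from the study or from OneLogin): a Python script that reconciles an HR termination roster against an identity-directory export, flags accounts that are still enabled or were disabled later than a one-day SLA, and buckets the lag the way the survey reported it (within a day, a week, a month, longer). All records are constructed, and the field names (`employee_id`, `account`, `enabled`, `disabled_on`), the one-day SLA and the HR/directory layout are assumptions rather than any product's schema.

```python
"""Stale-account check for ex-employees.

Added example (not from the study or any vendor): reconcile an HR termination
roster with an identity-directory export and flag accounts that were disabled
later than the SLA, or not at all. All records below are constructed.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed HR roster: employee id -> last day of employment.
HR_TERMINATIONS = {
    "e1001": date(2017, 6, 30),
    "e1002": date(2017, 6, 1),
    "e1003": date(2017, 5, 15),
    "e1004": date(2017, 7, 3),
    "e1005": date(2017, 8, 1),   # scheduled future termination
}

# Constructed directory export (field names are assumptions, not a product's schema).
# disabled_on is None while the account is still enabled.
DIRECTORY_EXPORT = [
    {"employee_id": "e1001", "account": "jdoe",    "enabled": False, "disabled_on": date(2017, 6, 30)},
    {"employee_id": "e1002", "account": "asmith",  "enabled": False, "disabled_on": date(2017, 6, 12)},
    {"employee_id": "e1003", "account": "bkhan",   "enabled": True,  "disabled_on": None},
    {"employee_id": "e1004", "account": "clee",    "enabled": True,  "disabled_on": None},
    {"employee_id": "e1005", "account": "dmorris", "enabled": True,  "disabled_on": None},
    {"employee_id": "e2000", "account": "epark",   "enabled": True,  "disabled_on": None},  # current staff
]

AS_OF = date(2017, 7, 10)  # date the check is run (constructed)


@dataclass
class Finding:
    employee_id: str
    account: str
    last_day: date
    disabled_on: Optional[date]
    lag_days: int        # days from last day to disablement, or to as_of if still enabled
    still_enabled: bool


def bucket(lag_days: int) -> str:
    """Map a deprovisioning lag onto the buckets the survey reported."""
    if lag_days <= 1:
        return "within a day"
    if lag_days <= 7:
        return "within a week"
    if lag_days <= 30:
        return "within a month"
    return "over a month"


def review_deprovisioning(hr, directory, as_of, sla_days=1):
    """Return a Finding for each terminated employee whose account is still
    enabled, or was disabled more than sla_days after their last day."""
    by_employee = {rec["employee_id"]: rec for rec in directory}
    findings = []
    for employee_id, last_day in hr.items():
        if last_day > as_of:
            continue  # not yet terminated; nothing to check
        rec = by_employee.get(employee_id)
        if rec is None:
            continue  # no directory account to disable
        if rec["enabled"]:
            # Still enabled after the last day: always a finding, lag measured to today.
            lag = (as_of - last_day).days
            findings.append(Finding(employee_id, rec["account"], last_day, None, lag, True))
        else:
            lag = (rec["disabled_on"] - last_day).days
            if lag > sla_days:
                findings.append(Finding(employee_id, rec["account"], last_day, rec["disabled_on"], lag, False))
    return findings


def summarize(findings):
    """Count findings per lag bucket, e.g. {'within a week': 1, 'over a month': 1}."""
    return dict(Counter(bucket(f.lag_days) for f in findings))


if __name__ == "__main__":
    results = review_deprovisioning(HR_TERMINATIONS, DIRECTORY_EXPORT, AS_OF)
    for f in results:
        state = "STILL ENABLED" if f.still_enabled else f"disabled {f.disabled_on}"
        print(f"{f.employee_id} ({f.account}): last day {f.last_day}, {state}, "
              f"lag {f.lag_days}d [{bucket(f.lag_days)}]")
    print(summarize(results))
```

Run daily from the HR feed, the still-enabled findings are the ones that matter most: they are exactly the accounts the survey's "we are aware of ex-employees who still have access" respondents were describing, and the lag buckets give a measurable answer to whether the organization is in the same-day, one-week or one-month group.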

How serious is the threat from ex-employees? 20% of respondents said they had experienced at least one data breach by an ex-employee, while approximately half of those individuals said more than 1 in 10 data breaches experienced by their organization was due to an ex-employee.

For healthcare organizations, ex-employees are a significant threat. There have been numerous cases of employees changing companies and taking patient lists with them when they leave. If access is not blocked, there is nothing to stop data being stolen.

Further, if policies are not introduced to cover the deprovisioning of employees, or if those policies are not strictly adhered to, organizations are at risk of receiving a HIPAA violation penalty (see Administrative Safeguards, § 164.308 (3)(ii)(B)).

The post Are You Blocking Ex-Employees’ PHI Access Promptly? appeared first on HIPAA Journal.

Funding for ONC Office of the Chief Privacy Officer to be Withdrawn in 2018

The cuts to the budget of the Office of the National Coordinator for Health Information Technology (ONC) mean the agency must make some big changes, one of which will be the withdrawal of funding for the Office of the Chief Privacy Officer. ONC National Coordinator Don Rucker, M.D., has confirmed that the office will be closed out in fiscal year 2018.

Deven McGraw, the Deputy Director for Health Information Privacy, has been serving as Acting Chief Privacy Officer until a permanent replacement for Lucia Savage is found, following her departure in January. It is now looking highly unlikely that a permanent replacement will be sought.

One of the key roles of the Chief Privacy Officer is to ensure that privacy and security standards are addressed and health data is appropriately protected. The Chief Privacy Officer also advises the National Coordinator for Health IT on privacy and security policies covering electronic health information. However, Rucker does not believe it is necessary for the ONC to have an office dedicated to privacy and security as other agencies in the HHS could assist and take on additional tasks.

The HITECH Act required ONC to appoint a Chief Privacy Officer; however, an alternative is for ONC to request personnel from other HHS agencies. Faced with a $22 million cut in its operating budget, ONC will turn to the HHS’ Office for Civil Rights to assist with privacy functions with the ONC only maintaining ‘limited support’ for the position of Chief Privacy Officer.

The Chief Privacy Officer has been instrumental in improving understanding of HIPAA Rules with respect to privacy since the HITECH Act was passed. Many healthcare organizations have impeded the flow of health information due to a misunderstanding of the HIPAA Privacy Rule. The Chief Privacy Officer has helped to explain that HIPAA Rules do not prevent the exchange of health information; they only ensure information is shared securely and the privacy of patients is preserved. These outreach efforts are likely to be impacted by the loss of the Office of the Chief Privacy Officer.

Rucker explained that discussions are now taking place between ONC and OCR to determine how these and other tasks will be performed, but said that privacy and security are implicit in all aspects of the work performed by ONC and that this will not change.

Cutbacks are inevitable with the trimming of the ONC’s budget but Rucker has explained that the HHS will continue to ensure privacy and security issues are dealt with and efforts to improve understanding of the HIPAA Privacy and Security Rules will also continue.

Is Dropbox HIPAA Compliant?

Healthcare organizations can benefit from using Dropbox, but is Dropbox HIPAA compliant? Can the service be used to store and share protected health information?

Is Dropbox HIPAA Compliant?

Dropbox is a popular file hosting service used by many organizations to share files, but what about protected health information? Is Dropbox HIPAA compliant?

Dropbox claims it now supports HIPAA and HITECH Act compliance but that does not mean Dropbox is HIPAA compliant. No software or file sharing platform can be HIPAA compliant as it depends on how the software or platform is used. That said, healthcare organizations can use Dropbox to share or store files containing protected health information without violating HIPAA Rules.

The Health Insurance Portability and Accountability Act requires covered entities to enter into a business associate agreement (BAA) with an entity before any protected health information (PHI) is shared. Dropbox is classed as a business associate so a BAA is required.

Dropbox will sign a business associate agreement with HIPAA-covered entities. To avoid a HIPAA violation, the BAA must be obtained before any file containing PHI is uploaded to a Dropbox account. A BAA can be signed electronically via the Account page of the Admin Console.

Dropbox allows third party apps to be used, although it is important to note that they are not covered by the BAA. If third party apps are used with a Dropbox account, covered entities need to assess those apps separately prior to their use.

Dropbox Accounts Must be Configured Carefully

HIPAA requires healthcare organizations to implement safeguards to preserve the confidentiality, integrity and availability of PHI. It is therefore important to configure a Dropbox account correctly. Even with a signed BAA, it is possible to violate HIPAA Rules when using Dropbox.

To avoid a HIPAA violation, sharing permissions should be configured to ensure files containing PHI can only be accessed by authorized individuals. Sharing permissions can be set to prevent PHI from being shared with any individual outside of a team. Two-step verification should be used as an additional safeguard against unauthorized access.

It should not be possible for any files containing PHI to be permanently deleted. Administrators can disable permanent deletions via the Admin Console. That will ensure files cannot be permanently deleted for the lifetime of the account.

It is also essential for Dropbox accounts to be monitored to ensure that PHI is not being accessed by unauthorized individuals. Administrators should delete individuals when their role changes and they no longer need access to PHI, or when they leave the organization. The list of linked devices should also be regularly reviewed. Dropbox allows linked devices to have Dropbox content remotely wiped. That should occur when a user leaves the organization or if a device is lost or stolen.

Dropbox records all user activity. Reports can be generated to show who has shared content and to obtain information on authentication and the activities of account administrators. Those reports should be regularly reviewed.
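To show what the "correctly configured and monitored" account described in this section looks like as a repeatable review, here is an added example (not Dropbox's code or API): a Python audit over a constructed team roster and a constructed activity export. It flags PHI shared outside the team domain (including open links with no named recipient), members without two-step verification, permanent-deletion events, and activity by an address that is no longer on the roster. The event layout, field names, the `clinic.example` domain and the `/Patients/` PHI folder are all assumptions; a real Dropbox team log export has a different shape, so the field access would need adapting.

```python
"""Configuration and activity review for a Dropbox-style team account.

Added example, not Dropbox's code or API: the roster and event records below are
constructed stand-ins for a team member list and an activity export, and their
field names are assumptions. It checks the points the article raises: sharing
of PHI outside the team, two-step verification, permanent deletion, and
activity by accounts that should have been removed.
"""
from typing import NamedTuple, Optional

TEAM_DOMAIN = "clinic.example"          # constructed team e-mail domain
PHI_PREFIXES = ("/Patients/",)          # constructed: folders that hold PHI


class Finding(NamedTuple):
    kind: str
    actor: str
    path: Optional[str]


# Constructed roster: current team members and whether two-step verification is on.
MEMBERS = {
    "dr.adams@clinic.example": {"two_step": True},
    "nurse.bell@clinic.example": {"two_step": False},
    "admin@clinic.example": {"two_step": True},
}

# Constructed activity export. recipient is None for a link anyone can open.
EVENTS = [
    {"ts": "2017-07-01T09:12:00Z", "actor": "dr.adams@clinic.example",
     "type": "shared_link_create", "path": "/Patients/lab-results.pdf",
     "recipient": "nurse.bell@clinic.example"},
    {"ts": "2017-07-01T10:40:00Z", "actor": "nurse.bell@clinic.example",
     "type": "shared_link_create", "path": "/Patients/roster.xlsx",
     "recipient": "someone@mail.example"},
    {"ts": "2017-07-02T18:03:00Z", "actor": "former.staff@clinic.example",
     "type": "file_download", "path": "/Patients/roster.xlsx", "recipient": None},
    {"ts": "2017-07-03T08:15:00Z", "actor": "admin@clinic.example",
     "type": "file_permanently_delete", "path": "/Patients/old-intake.pdf",
     "recipient": None},
    {"ts": "2017-07-03T11:00:00Z", "actor": "dr.adams@clinic.example",
     "type": "shared_link_create", "path": "/Policies/handbook.pdf",
     "recipient": None},
]


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def is_external(recipient: Optional[str], team_domain: str) -> bool:
    """A link with no named recipient is open to anyone, so it counts as external."""
    return recipient is None or domain_of(recipient) != team_domain


def audit(events, members, team_domain=TEAM_DOMAIN, phi_prefixes=PHI_PREFIXES):
    """Return findings in event order, followed by roster-level findings."""
    findings = []
    for ev in events:
        if ev["actor"] not in members:
            # Activity by an address not on the current roster: either the user was
            # never removed after leaving, or the roster is stale. Either way, review it.
            findings.append(Finding("actor_not_on_roster", ev["actor"], ev["path"]))
        if (ev["type"] == "shared_link_create"
                and ev["path"].startswith(phi_prefixes)
                and is_external(ev.get("recipient"), team_domain)):
            findings.append(Finding("external_share_of_phi", ev["actor"], ev["path"]))
        if ev["type"] == "file_permanently_delete":
            # Permanent deletion should be disabled account-wide; any such event means it is not.
            findings.append(Finding("permanent_delete", ev["actor"], ev["path"]))
    for user, info in members.items():
        if not info.get("two_step"):
            findings.append(Finding("two_step_disabled", user, None))
    return findings


if __name__ == "__main__":
    for f in audit(EVENTS, MEMBERS):
        print(f"{f.kind:24} {f.actor:32} {f.path or ''}")
```

Note that the external share of the non-PHI handbook is deliberately not flagged: the policy the article describes is that PHI stays inside the team, not that nothing may ever be shared, and keeping the PHI folder list explicit is what lets the review tell the two apart.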

Dropbox will provide a mapping of its internal practices on request and offers a third-party assurance report that details the controls that the firm has implemented to help keep files secure. Those documents can be obtained from the account management team.

So, is Dropbox HIPAA compliant? Dropbox is secure and controls have been implemented to prevent unauthorized access, but ultimately HIPAA compliance depends on users. If a BAA is obtained and the account is correctly configured, Dropbox can be used by healthcare organizations to share PHI with authorized individuals without violating HIPAA Rules.

ONC Offers Help for Covered Entities on Medical Record Access for Patients

The Health Insurance Portability and Accountability Act’s (HIPAA) Privacy Rule requires covered entities to give medical record access for patients on request. Patients should be able to obtain a copy of their health records in paper or electronic form within 30 days of submitting the request.

Last year, the Department of Health and Human Services’ Office for Civil Rights (OCR) issued guidance for covered entities on providing patients with access to their medical records. A series of videos was also released to raise awareness of patients’ rights under HIPAA to access their records. In theory, providing access to medical records should be a straightforward process. In practice, that is often not the case.

Patients often have difficulty accessing their electronic health data with many healthcare organizations unable to easily provide health records electronically. Patient portals often provide information for patients, although the information available via patient portals can be incomplete or inaccurate. When patients need to obtain their health information to give to other healthcare providers, they can find it difficult to find the information they need.

The Office of the National Coordinator for Health Information Technology (ONC) has recently published a report detailing some of the problems faced by healthcare providers when providing medical record access for patients. The report offers useful tips for healthcare organizations to help them provide medical record access for patients quickly and easily.

For the report, Improving the Health Records Request Process for Patients, ONC spoke to 17 consumers to find out about the challenges they faced when attempting to gain access to their medical records. The report includes three examples of patients and caregivers who have experienced difficulties when attempting to exercise their right to access medical data. The personas are fictional, although the challenges faced by those personas were taken from real world examples.

ONC also looked at the medical record release forms used by 50 large healthcare systems across 32 states and spoke to stakeholders and health system professionals about the challenges faced when trying to provide patients with copies of their health records. ONC discovered the process of providing electronic copies of health records is often hampered by inefficient systems and limited resources.

The research has allowed ONC to develop tips to help healthcare providers create a streamlined, transparent, and electronic records request process. Making the suggested changes will allow health systems to improve the process of providing access to health data. Patients will then suffer less frustration and be able to obtain their records faster, allowing them to coordinate their care more effectively and have greater control over their health and wellbeing.

OCR Draws Attention to Risks from File Sharing Tools and Cloud Computing

File sharing and collaboration tools offer many benefits to HIPAA-covered entities, although the tools can also introduce risks to the privacy and security of electronic health information. Many companies use these tools, including healthcare organizations, yet they can easily lead to the exposure or disclosure of sensitive data.

The Department of Health and Human Services’ Office for Civil Rights has recently issued a reminder to covered entities and business associates of the potential risks associated with file sharing and collaboration tools, explaining the risks these services can introduce and how covered entities can use these services and remain in compliance with HIPAA Rules.

While file sharing tools and cloud computing services may incorporate all the necessary protections to ensure data is secured and cannot be accessed by unauthorized individuals, over the past few years there have been numerous cases where human error has resulted in misconfigurations. Those errors have led to data breaches.

A Metalogix survey conducted by the Ponemon Institute revealed that one in two companies that use the file sharing tool SharePoint had a confirmed data breach within SharePoint in the last 24 months. That doesn’t mean that SharePoint should not be used, nor that healthcare organizations should avoid other cloud and file sharing tools. If these cloud services and tools are to be used, covered entities and business associates must conduct a thorough risk analysis to identify potential risks to the confidentiality, integrity and availability of ePHI. Risk management policies must then be adopted to ensure those risks are reduced to an acceptable level.

Misconfigurations should be detected during a risk analysis, although OCR also recommends that organizations conduct vulnerability scans. Scans should help covered entities identify potential vulnerabilities such as misconfigurations of software, obsolete software or missed patches. The recent ransomware attacks (WannaCry and NotPetya) have shown that missed patches and/or obsolete software can enable cybercriminals to gain access to networks and install malware.

OCR also points out that covered entities and business associates must enter into a business associate agreement with cloud service providers prior to services/tools being implemented.

OCR draws attention to guidance released last year on cloud computing services. The guidance helps covered entities wishing to utilize cloud computing services to implement the solutions while complying with HIPAA Rules.

The guidance can be downloaded from OCR via this link.

World’s Largest Data Breach Settlement Agreed by Anthem

The largest data breach settlement in history has recently been agreed by the health insurer Anthem Inc. Anthem experienced the largest healthcare data breach ever reported in 2015, with the cyberattack resulting in the theft of 78.8 million records of current and former health plan members. The breach involved names, addresses, Social Security numbers, email addresses, birthdates and employment/income information.

A breach on that scale naturally resulted in many class-action lawsuits, with more than 100 lawsuits consolidated by a Judicial Panel on Multidistrict Litigation. Now, two years on, Anthem has agreed to settle the litigation for $115 million. If approved, that makes this the largest data breach settlement ever, substantially higher than the $18.5 million settlement agreed by Target after its 41 million-record breach and the $19.5 million paid to consumers by Home Depot after its 50 million-record breach in 2014.

After experiencing the data breach, Anthem offered two years of complimentary credit monitoring services to affected plan members. The settlement will, in part, be used to pay for a further two years of credit monitoring services. Alternatively, individuals who have already enrolled in the credit monitoring services previously offered may be permitted to receive a cash payment of $36 in lieu of the additional two years of cover or up to $50 if funds are still available. The settlement also includes a $15 million fund to cover out-of-pocket expenses incurred by plaintiffs, which will be decided on a case-by-case basis for as long as there are funds available.

Anthem has also agreed to set aside ‘a certain level of funding’ to make improvements to its cybersecurity defenses and systems, including the use of encryption to secure data at rest. Anthem will also be making changes to how it archives sensitive data and will be implementing stricter access controls. While the settlement has been agreed, Anthem has not admitted any wrongdoing.

Anthem Spokesperson Jill Becher explained that while data were stolen in the attack, Anthem has not uncovered evidence to suggest any of the information stolen in the cyberattack was used to commit fraud or was sold on. Becher also said, “We are pleased to be putting this litigation behind us, and to be providing additional substantial benefits to individuals whose data was or may have been involved in the cyberattack and who will now be members of the settlement class.”

While the decision to settle has been made, the settlement must now be approved by the U.S. District judge in California presiding over the case. District Judge Lucy Koh will hear the case on August 17, 2017.

Delayed Breach Notification Sees CoPilot Fined $130,000 by NY AG

A data breach that occurred in October 2015 should have seen affected individuals notified within 2 months, yet it took CoPilot Provider Support Services Inc. until January 2017 to issue breach notifications.

An administration website maintained by CoPilot was accessed by an unauthorized individual on October 26, 2015. That individual also downloaded the data of 221,178 individuals. The stolen data included names, dates of birth, phone numbers, addresses, and medical insurance details.

The individual suspected of accessing the website and downloading data was a former employee. CoPilot contacted the FBI in February 2016 to receive help with the breach investigation and establish the identity of the unauthorized individual.

However, notifications were not sent by CoPilot until January 18, 2017. CoPilot says the delay was due to the time taken for the FBI to investigate the breach; however, since CoPilot was aware that reimbursement-related records had been stolen, notifications should have been sent sooner. Further, law enforcement did not instruct CoPilot to delay the issuing of breach notifications as doing so would not have impeded the investigation.

There is some debate as to whether CoPilot is a HIPAA covered entity. CoPilot has previously said it is not covered by HIPAA Rules, although a breach report was sent to the Department of Health and Human Services’ Office for Civil Rights. If CoPilot is a HIPAA covered entity, it would be necessary for breach notifications to be sent within 60 days of the discovery of the breach.

OCR is investigating and trying to determine whether CoPilot is classed as a business associate and therefore must comply with HIPAA Rules. If OCR determines CoPilot is a HIPAA-covered entity, the decision may be taken to issue a financial penalty for the delayed breach notifications. Earlier this year, OCR fined Presence Health $475,000 for delaying breach notifications for three months. A fine for CoPilot would likely be considerably higher considering the number of individuals impacted by the breach and the length of the delay.

HIPAA fines may or may not result from the notification delay, but the New York attorney general has now taken action. On Thursday last week, Eric Schneiderman announced that CoPilot has been fined $130,000 for the breach notification delay, not for a breach of HIPAA Rules but for a breach of General Business Law § 899-aa. The law requires businesses to send timely breach notifications to individuals impacted by a data breach. In addition to the fine, CoPilot is required to improve its notification and legal compliance program.

Announcing the fine, Schneiderman said, “Healthcare services providers have a duty to protect patient records as securely as possible and to provide notice when a breach occurs,” explaining that “Waiting over a year to provide notice is unacceptable.”

The financial penalty sends a message to all businesses that unnecessary breach notification delays will not be tolerated. Schneiderman said “My office will continue to hold businesses accountable to their responsibility to protect customers’ private information.”

OCR’s Wall of Shame Under Review by HHS

Since 2009, the Department of Health and Human Services’ Office for Civil Rights has been publishing summaries of healthcare data breaches on its website. The data breach list is commonly referred to as OCR’s ‘Wall of Shame’.

The data breach list only provides a brief summary of data breaches, including the name of the covered entity, the state in which the covered entity is based, covered entity type, date of notification, type of breach, location of breach information, whether a business associate was involved and the number of individuals affected.

The list includes all reported data breaches, including those which occurred due to no fault of the healthcare organization. The list is not a record of HIPAA violations. Those are determined during OCR investigations of breaches.

Making brief details of the data breaches available to the public is an ‘unnecessarily punitive’ measure, according to Rep. Michael Burgess (R-Texas), who recently criticized OCR about its data breach list.

Burgess was informed at a cybersecurity hearing last week that HHS secretary Tom Price is currently reassessing the website and how the information is made public.

While the publication of information is under review, the publication of breach summaries is a requirement of the HITECH Act of 2009. Any decision to stop publishing breach summaries on the website would require assistance from Congress. However, it is possible for changes to be made to how the information is displayed and for how long the information is made available. The HITECH Act only requires the information to be published. It does not stipulate the length of time that the covered entity remains on the list.

The reason behind the publication of breach information is to inform the public of data breaches and to provide some information on what has occurred. If there was a time limit placed on the length of time a covered entity remained on the list, it would not be possible for a member of the public to determine whether a breach was an isolated event or one of several suffered by a covered entity.

OCR Director Roger Severino issued a statement confirming the usefulness of the website saying, “The website provides an important source of information to the public, but we recognize that the format has become stale and can and should be improved,” explaining “OCR will continue to evaluate the best options for communicating this information as we meet statutory obligations, educate the regulated community (and the public) on lessons learned, and highlight actions taken in response.”

Burgess told Fierce Healthcare, “I am interested in pursuing solutions that hold hospital systems accountable for maintaining patient privacy without defaming systems that may fall victim to large-scale ransomware attacks, such as WannaCry.”

Of course, in the case of the WannaCry attacks, healthcare organizations may not be blameless. The attacks were only possible as a result of the failure to apply patches promptly. However, in its current form, there would be no indication on the website that a covered entity had experienced a ransomware attack as the breach list does not go into that much detail.

While options are being considered, some privacy advocates argue that the breach portal does not go into nearly enough detail and suggest even more information should be uploaded to the site to better inform the public on exactly what has occurred.

OCR Issues Guidance on the Correct Response to a Cyberattack

Last week, the Department of Health and Human Services’ Office for Civil Rights issued new guidance to covered entities on the correct response to a cyberattack. OCR issued a quick response checklist and accompanying infographic to explain the correct response to a cyberattack and the sequence of actions that should be taken.

Responding to an ePHI Breach

Preparation is key. Organizations must have response and mitigation procedures in place, and contingency plans should exist that can be implemented immediately following the discovery of a cyberattack, malware or ransomware attack.

The first stage of the response is to take immediate action to prevent any impermissible disclosure of electronic protected health information. In the case of a network intrusion, unauthorized access to the network – and data – must be blocked and steps taken to prevent data from being exfiltrated.

Healthcare organizations may have staff capable of responding to such an incident, although third party firms can be contracted to assist with the response. Smaller healthcare organizations may have little choice but to call in external experts to investigate a breach and ensure access to data has been effectively blocked.

OCR has reminded covered entities that a third-party cybersecurity firm brought in to assist with response and mitigation would be classed as a business associate. Therefore, prior to access to systems being provided, a HIPAA-compliant business associate agreement must be signed by the cybersecurity firm. Failing to obtain a signed BAA prior to access to systems being provided would be a violation of HIPAA Rules and classed as an impermissible disclosure of ePHI.

Cyberattacks Should be Reported to Law Enforcement

A cyberattack is a crime, therefore law enforcement should be notified. Covered entities should alert the FBI and/or Secret Service to any cyberattack or ransomware incident and notify state and local law enforcement. Details of the incident should be provided, although covered entities should not disclose any protected health information, unless otherwise permitted by the HIPAA Privacy Rule (45 C.F.R. § 164.512(f)).

Covered entities have been advised that law enforcement may request breach reporting be delayed when the announcement of a breach may impede an investigation or could otherwise harm national security. Requests by law enforcement should state the duration of the delay and should be honored, while oral requests should result in a delay of no more than 30 days from the original request. (45 C.F.R. § 164.412)

Sharing Threat Indicators

After law enforcement has been notified, covered entities should report cyber threat indicators to federal agencies and information sharing and analysis organizations (ISAOs). The Department of Homeland Security and the HHS Assistant Secretary for Preparedness and Response should be provided with threat indicators, although covered entities should not disclose any protected health information in their reports.

Notifying Affected Individuals and OCR

Covered entities are advised that threat indicator information is not passed to OCR by other federal agencies. Covered entities must therefore submit a separate breach notice to OCR as soon as possible, and certainly no later than 60 days following the discovery of the breach if the incident impacts 500 or more individuals (unless otherwise instructed by law enforcement).

Covered entities can notify OCR of a breach impacting fewer than 500 individuals within 60 days of the end of the calendar year in which the breach was discovered.

According to the guidance, “OCR presumes all cyber-related security incidents where protected health information was accessed, acquired, used, or disclosed are reportable breaches unless the information was encrypted by the entity at the time of the incident.”

In all cases, individuals impacted by a security breach must be notified without unnecessary delay and no later than 60 days following the discovery of a breach.

OCR’s checklist and infographic can be downloaded using the links below:

OCR’s Cyber Security Checklist

Cybersecurity Infographic
