HIPAA News for Small and Mid-Sized Practices

OCR Issues Guidance for Providers and Individuals Following Supreme Court Decision on Roe v. Wade

President Biden and U.S. Department of Health and Human Services (HHS) Secretary Xavier Becerra recently called on HHS agencies to take action to protect access to sexual and reproductive health care, which includes abortion, pregnancy complications, and other related care, following the decision of the Supreme Court in Dobbs vs. Jackson Women’s Health Organization. The Supreme Court overruled Roe v. Wade and Planned Parenthood v. Casey and took away the right of women to have a safe and legal abortion.

Yesterday, the HHS Office for Civil Rights (OCR) issued new guidance for healthcare providers and patients seeking access to reproductive health care services to ensure patient privacy is protected. The guidance explains that the federal Health Insurance Portability and Accountability Act (HIPAA) requires individuals’ private medical information, which includes information about abortion and other sexual and reproductive health care, is required to be kept private and confidential. That information is classed as protected health information (PHI) under HIPAA and healthcare providers are not required to disclose PHI to third parties.

The guidance also explains the extent to which private medical information is protected on personal cell phones and tablets and includes advice for protecting individuals’ privacy when using period trackers and other health information apps. Concern has been raised by women that health apps on smartphones, such as period trackers, threaten privacy as they disclose geolocation data. That information could potentially be abused by individuals seeking to deny them access to medical care.

“How you access health care should not make you a target for discrimination,” explained HHS Secretary Xavier Becerra. “HHS stands with patients and providers in protecting HIPAA privacy rights and reproductive health care information.” Becerra is encouraging anyone who believes their privacy rights have been violated to file a complaint with OCR and explained that protecting access to health care, which includes abortion care and other forms of sexual and reproductive health care, is now an enforcement priority for OCR.

The guidance for healthcare providers explains that the HIPAA Privacy Rule allows HIPAA-covered entities, which includes healthcare providers, to disclose an individual’s PHI without obtaining authorization from that individual for the purposes of healthcare, payment, and healthcare operations, but other disclosures – to law enforcement officials for example – are only permitted in narrow circumstances, tailored to protect the individual’s privacy and support their access to health care, which includes abortion care. HIPAA-covered entities and their business associates are reminded that they can use and disclose PHI without an individual’s signed authorization, but only for reasons expressly permitted or required by the Privacy Rule. The guidance also explains the restrictions on disclosures of PHI under the HIPAA Privacy Rule when required by law, for law enforcement purposes, and to avert a serious threat to health or safety.

Separate guidance has been issued for individuals about protecting the privacy and security of their health information when using their personal cell phones or tablets. It is important for individuals to understand that most health apps, including period trackers, are not covered by the HIPAA Privacy or Security Rules. That means any personal healthcare data entered, collected, or transmitted by those apps or is stored on smartphones or tablets, is not protected and there are no restrictions on disclosures of that information.

The guidance explains best practices to adopt when using these health apps that will decrease the personal information collected by the apps and limit the potential for disclosures of personal information – including geolocation data – without the individual’s knowledge. The guidance explains how to turn off the location services on Apple and Android devices, and offers advice on selecting apps, browsers, and search engines that prioritize privacy and security.

Information on individuals’ rights to reproductive healthcare is available here.

The post OCR Issues Guidance for Providers and Individuals Following Supreme Court Decision on Roe v. Wade appeared first on HIPAA Journal.

OCR Encourages Healthcare Organizations to Conduct a Gap Analysis

In its April 2018 cybersecurity newsletter, OCR draws attention to the benefits of performing a gap analysis in addition to a risk analysis. The latter is required to identify risks and vulnerabilities that could potentially be exploited to gain access to ePHI, while a gap analysis helps healthcare organizations and their business associates determine the extent to which an entity is compliant with specific elements of the HIPAA Security Rule.

The Risk Analysis

HIPAA requires covered entities and their business associates to perform a comprehensive, organization-wide risk analysis to identify all potential risks to the confidentiality, integrity, and availability of ePHI – 45 CFR § 164.308(a)(1)(ii)(A).

If a risk analysis is not performed, healthcare organizations cannot be certain that all potential vulnerabilities have been identified. Vulnerabilities would likely remain that could be exploited by threat actors to gain access to ePHI.

While HIPAA does not specify the methodology that should be used when conducting risk analyses, OCR explained in its newsletter that risk analyses must contain certain elements:

  • A comprehensive assessment of all risks to all ePHI, regardless of where the data is created, received, maintained, or transmitted, or the source or location of ePHI.
  • All locations and information systems where ePHI is created, received, maintained, or transmitted must be included in the risk analysis, so an inventory should be created that includes all applications, mobile devices, communications equipment, electronic media, networks, and physical locations in addition to workstations, servers, and EHRs.
  • The risk analysis should cover technical and non-technical vulnerabilities, the latter includes policies and procedures, with the former concerned with software flaws, weaknesses in IT systems, and misconfigured information systems and security solutions.
  • The effectiveness of current controls must be assessed and documented, including all security solutions such as AV software, endpoint protection systems, encryption software, and the implementation of patch management processes.
  • The likelihood that a specific threat will exploit a vulnerability and the impact should a vulnerability be exploited must be assessed and documented.
  • The level of risk should be determined for any specific threat or vulnerability. With a risk level assigned, it will be easier to determine the main priorities when mitigating risks through the risk management process.
  • The risk analysis must be documented in sufficient detail to demonstrate that a comprehensive, organization-wide risk analysis has been conducted, and that the risk analysis was accurate and covered all locations, devices, applications, policies, and procedures involving ePHI. OCR will request this documentation in the event of an investigation or compliance audit.
  • A risk analysis is not a one-time event to ensure compliance with the HIPAA Security Rule – It must part of an ongoing process for continued compliance. The process must be regularly reviewed and updated, and risk analyses should be performed regularly. HIPAA does not stipulate how frequently a full or partial risk analysis should be performed. OCR suggests risk analyses are most effective when integrated into business processes.

Once a risk analysis has been performed, all risks and vulnerabilities identified must be addressed through a HIPAA-compliant security risk management process – 45 CFR § 164.308(a)(1)(ii)(B) – to reduce those risks to a reasonable and appropriate level.

Guidance on conducting an organization-wide risk analysis can be found on this link (HHS)

The Gap Analysis

A gap analysis is not a requirement of HIPAA Rules, although it can help healthcare organizations confirm that the requirements of the HIPAA Security Rule have been satisfied.

A gap analysis can be used as a partial assessment of an organizations compliance efforts or could cover all provisions of the HIPAA Security Rule.  Several gap analyses could be performed, each assessing a different set of standards and implementation specifications of the HIPAA Security Rule.

The gap analysis can give HIPAA-covered entities and their business associates an overall view of their compliance efforts, can help them discover areas where they are yet compliant with HIPAA Rules, and identify any gaps in the controls that have already been implemented.

Note that a gap analysis is not equivalent to a risk analysis, as it does not cover all possible risk to the confidentiality, integrity, and availability of ePHI as required by 45 C.F.R. §164.308(a)(1)(ii)(A).

OCR offers the following example of a simple gap analysis:

Source: OCR

The post OCR Encourages Healthcare Organizations to Conduct a Gap Analysis appeared first on HIPAA Journal.

How to Defend Against Insider Threats in Healthcare

One of the biggest data security challenges is how to defend against insider threats in healthcare. Insiders are responsible for more healthcare data breaches than hackers, making the industry unique.

Verizon’s Protected Health Information Data Breach Report highlights the extent of the problem. The report shows 58% of all healthcare data breaches and security incidents are the result of insiders.

Healthcare organizations also struggle to detect insider breaches, with many breaches going undetected for months or even years. One healthcare employee at a Massachusetts hospital was discovered to have been accessing healthcare records without authorization for 14 years before the privacy violations were detected, during which time the records of more than 1,000 patients had been viewed.

Healthcare organizations must not only take steps to reduce the potential for insider breaches, they should also implement technological solutions, policies, and procedures that allow breaches to be detected rapidly when they do occur.

What are Insider Threats?

Before explaining how healthcare organizations can protected against insider threats, it is worthwhile covering the main insider threats in healthcare.

An insider threat is one that comes from within an organization. That means an individual who has authorization to access healthcare resources, which includes EMRs, healthcare networks, email accounts, or documents containing PHI. Resources can be accessed with malicious intent, but oftentimes mistakes are made that can equally result in harm being caused to the organization, its employees, or its patients.

Insider threats are not limited to employees. Any individual who is given access to networks, email accounts, or sensitive information in order to complete certain tasks could deliberately or accidentally take actions that could negatively affect an organization. That includes business associates, subcontractors of business associates, researchers, volunteers, and former employees.

The consequences of insider breaches can be severe. Healthcare organizations can receive heavy fines for breaches of HIPAA Rules and violations of patient privacy, insider breaches can damage an organization’s reputation, cause a loss of patient confidence, and leave organizations open to lawsuits.

According to the CERT Insider Threat Center, insider breaches are twice as costly and damaging as external threats. To make matters worse, 75% of insider threats go unnoticed.

Insider threats in healthcare can be split into two main categories based on the intentions of the insider: Malicious and non-malicious.

Malicious Insider Threats in Healthcare

Malicious insider threats in healthcare are those which involve deliberate attempts to cause harm, either to the organization, employees, patients, or other individuals. These include the theft of protected health information such as social security numbers/personal information for identity theft and fraud, the theft of data to take to new employers, theft of intellectual property, and sabotage.

Research by Verizon indicates 48% of insider breaches are conducted for financial gain, and with healthcare data fetching a high price on the black market, employees can easily be tempted to steal data.

A 2018 Accenture survey conducted on healthcare employees revealed one in five would be prepared to access and sell confidential data if the price was right. 18% of the 912 employees surveyed said they would steal data for between $500 and $1,000.

Alarmingly, the survey revealed that almost a quarter (24%) of surveyed healthcare employees knew of someone who had stolen data or sold their login credentials to an unauthorized outsider.

Disgruntled employees may attempt to sabotage IT systems or steal and hold data in case they are terminated. However, not all acts of sabotage are directed against employers. One notable example comes from Texas, where a healthcare worker used hospital devices to create a botnet that was used to attack a hacking group.

Non-Malicious Insider Threats in Healthcare

The Breach Barometer reports from Protenus/databreaches.net break down monthly data breaches by breach cause, including the number of breaches caused by insiders. All too often, insiders are responsible for more breaches than outsiders.

Snooping on medical records is all too common. When a celebrity is admitted to hospital, employees may be tempted to sneak a look at their medical records, or those of friends, family members, and ex-partners. The motivations of the employees are diverse. The Verizon report suggests 31% of insider breaches were employees accessing records out of curiosity, and a further 10% were because employees simply had access to patient records.

Other non-malicious threats include the accidental loss/disclosure of sensitive information, such as disclosing sensitive patient information to others, sharing login credentials, writing down login credentials, or responding to phishing messages.

The largest healthcare data breach in history – the theft of 78 million healthcare records from Anthem Inc.- is believed to have been made possible because of stolen credentials.

The failure to ensure PHI is emailed to the correct recipient, the misdirection of fax messages, or leaving portable electronic devices containing ePHI unattended causes many breaches each year. The Department of Health and Human Services’ Office for Civil Rights’ breach portal or ‘Wall of Shame’ is littered with incidents involving laptops, portable hard drives, smartphones, and zip drives that have stolen after being left unattended.

How to Defend Against Insider Threats in Healthcare

The standard approach to mitigating insider threats can be broken down into four stages: Educate, Deter, Detect, and Investigate.

Educate: The workforce must be educated on allowable uses and disclosures of PHI, the risk associated with certain behaviors, patient privacy, and data security.

Deter: Policies must be developed to reduce risk and those policies enforced. The repercussions of HIPAA violations and privacy breaches should be clearly explained to employees.

Detect: Healthcare organizations should implement technological solutions that allow them to detect breaches rapidly and access logs should be regularly checked.

Investigate: When potential privacy and security breaches are detected they must be investigated promptly to limit the harm caused. When the cause of the breach is determined, steps should be taken to prevent a recurrence.

Some of the specific steps that can be taken to defend against insider threats in healthcare are detailed below:

Perform Background Checks

It should be standard practice to conduct a background check before any individual is employed. Checks should include contacting previous employers, Google searches, and a check of a potential employee’s social media accounts.

HIPAA training

All healthcare employees should be made aware of their responsibilities under HIPAA. Training should be provided as soon as possible, and ideally before network or PHI access is provided. Employees should be trained on HIPAA Privacy and Security Rules and informed of the consequences of violations, including loss of employment, possible fines, and potential criminal penalties for HIPAA violations.

Implement anti-phishing defenses

Phishing is the number one cause of data breaches. Healthcare employees are targeted as it is far easier to gain access to healthcare data if an employee provides login credentials than attempting to find software vulnerabilities to exploit. Strong anti-phishing defenses will prevent the majority of phishing emails from reaching inboxes. Advanced spam filtering software is now essential.

Security awareness training

Since no technological solution will prevent all phishing emails from reaching inboxes, it is essential – from a security and compliance perspective – to teach employees the necessary skills that will allow them to identify phishing attempts and other email/web-based threats.

Employees cannot be expected to know what actions place data and networks at risk. These must be explained if organizations want to eradicate risky behavior. Security awareness training should also be assessed. Phishing simulation exercises can help to reinforce training and identify areas of weakness that can be tackled with further training.

Encourage employees to report suspicious activity

Employees are often best placed to identify potential threats, such as changes in the behavior of co-workers. Employees should be encouraged to report potentially suspicious behavior and violations of HIPAA Rules.

While Edward Snowden did not work in healthcare, his actions illustrate this well. The NSA breach could have been avoided if his requests for co-workers’ credentials were reported.

Controlling access to sensitive information

The fewer privileges employees have, the easier it is to prevent insider breaches in healthcare. Limiting data access to the minimum necessary amount will limit the harm caused in the event of a breach. You should be implementing the principle of least privilege. Give employees access to the least amount of data as possible. This will limit the data that can be viewed or stolen by employees or hackers that manage to obtain login credentials.

Encrypt PHI on all portable devices

Portable electronic devices can easily be stolen, but the theft of a device need not result in the exposure of PHI. If full disk encryption is used, the theft of the device would not be a reportable incident and patients’ privacy would be protected.

Enforce the use of strong passwords

Employees can be told to use strong passwords or long passphrases, but unless password policies are enforced, there will always be one employee that chooses to ignore those policies and set a weak password. You should ensure that commonly used passwords and weak passwords cannot be set.

Use two-factor authentication

Two-factor authentication requires the use of a password for account access along with a security token. These controls prevent unauthorized access by outsiders, as well as limiting the potential for an employee to use another employee’s credentials.

Terminate access when no longer required

You should have a policy in place that requires logins to be deleted when an employee is terminated, a contract is completed, or employees leave to work for another organization. There have been many data breaches caused by delays in deleting data access rights. Data access should not be possible from the second an employee walks out the door for the last time.

Monitor Employee Activity

If employees require access to sensitive data for work purposes it can be difficult to differentiate between legitimate data access and harmful actions. HIPAA requires PHI access logs to be maintained and regularly checked. Since this is a labor-intensive task, it is often conducted far too infrequently. The easiest way to ensure inappropriate accessing of medical records is detected quickly is to implement action monitoring software and other software tools that can detect anomalies in user activity and suspicious changes in data access patterns.

The post How to Defend Against Insider Threats in Healthcare appeared first on HIPAA Journal.

Former Berkeley Medical Center Worker Gets 5 Years’ Probation for Identity Theft

In federal court on Monday, Chief U.S. District Judge Gina M. Groh sentenced a former Berkeley Medical Center worker to 5 years’ probation for her role in an identity theft scam. In addition to probation, Angela Dawn Roberts, 42, of Stephenson, VA, must pay $22,000 in restitution.

Angela Dawn Roberts, also known as Angela Dawn Lee, had been working for WVU University Healthcare since 2014.

Roberts was employed to schedule appointments for patients at two medical centers – Berkeley Medical Center and Jefferson Medical Center – which provided her with access to patients’ protected health information.

Roberts copied sensitive information onto paper, including names, birth dates, and Social Security numbers, and in some cases printed copies of identity documents.

On January 19, 2017, Roberts was suspended following an internal investigation into data theft which was alleged to have occurred on June 27, 2016.

She was fired on January 27, 2017 and was prosecuted for stealing patient health information. Approximately 7,000 patients whose information was accessed by Roberts were notified of the risk of identity theft and fraud as a precaution.

Angela Dawn Roberts admitted stealing the protected health information of 10 patients and pleaded guilty to one count of identity theft. The plea agreement was filed in July.

The stolen information was passed to her co-defendant, Ajarhi Savimbi Roberts. Ajarhi Savimbi Roberts was charged with bank fraud in a 36-count indictment. He pleaded guilty and is scheduled to be sentenced on May 21.

The post Former Berkeley Medical Center Worker Gets 5 Years’ Probation for Identity Theft appeared first on HIPAA Journal.

Verizon PHI Breach Report Confirms Healthcare Has Major Problem with Insider Breaches

Verizon has released its annual Protected Health Information Breach Report which delves deep into the main causes of breaches, why they occur, the motivations of internal and external threat actors, and the main threats to the confidentiality, integrity, and availability of PHI.

For the report, Verizon analyzed 1,368 healthcare data breaches and incidents where protected health information (PHI) was exposed but not necessarily compromised. The data came from 27 countries, although three quarters of the breached entities were based in the United States where there are stricter requirements for reporting PHI incidents.

In contrast to all other industry sectors, the healthcare industry is unique as the biggest security threat comes from within. Insiders were responsible for almost 58% of all breaches with external actors confirmed as responsible for just 42% of incidents.

The main reason for insider breaches is financial gain. PHI is stolen to commit identity theft, credit card fraud, insurance fraud, and tax fraud. Verizon determined that 48% of all internal incidents were conducted for financial gain. 31% involved accessing medical data out of curiosity or for fun, 10% of incidents were attributed to easy access to data, with 3% of incidents occurring due to a grudge and a further 3% for espionage. External attacks are primarily conducted for financial gain – extortion and the theft and sale of data.

Verizon also looked at the actions that lead to PHI incidents and data branches, with the most common problem being errors. Errors were behind 33.5% of incidents within this category, which included the misdelivery of emails and mailings, errors made disposing of PHI, publishing errors, loss of PHI, misconfigurations, programming mistakes and data entry errors. The main incident cause was misdelivery of documents, which accounted for 20% of all incidents in the error category.

The second biggest breach category is misuse, accounting for 29.5% of all incidents. 66% of incidents in this category were attributed to privilege abuse – accessing records without authorization. Data mishandling was behind 21.6% of incidents and possession abuse – the misuse of access to physical records – was behind 16.9% of incidents in the misuse category.

The physical category includes theft of records and devices, snooping, tampering, disabled controls, and surveillance. 16.3% of all healthcare PHI incidents were placed in this category, with theft accounting for 95.2% of all incidents. The theft of laptops was the main incident type. Almost half (47%) of laptop theft incidents involved the devices being taken from employees’ vehicles. The use of encryption would prevent the majority of these incidents from exposing PHI.

Hacking may make the headlines, but it accounted for relatively few breaches – just 14.8% of all healthcare PHI incidents were placed in this category. The main cause of breaches in the hacking category was the use of stolen credentials (49.3% of incidents), with credentials often stolen via phishing attacks. Brute force attacks taking advantage of weak passwords were behind 20.9% of incidents. 17.9% of hacking breaches involved the use of backdoors.

Malware was involved in 10.8% of all PHI incidents. While there were a wide range of malware types and variants used in attacks, by far the biggest category was ransomware, which accounted for 70.5% of attacks.

Social attacks accounted for 8% of all incidents. This category involves attacks on employees. Phishing was involved in 69.9% of incidents in this category, followed by pretexting (11.7%), and bribery (7.8%). Pretexting is the next stage on from phishing, when access to email accounts is used to send further emails – BEC attacks for example.

Verizon offers three suggestions which in the short term will help to reduce the number of PHI related incidents and data breaches.

Full disk encryption should be deployed on all portable electronic devices used to store PHI. This simple measure would prevent PHI from being accessed in the event of loss or theft of an electronic device.

The routine monitoring of medical record access – a requirement of HIPAA – will not prevent breaches, but it will reduce the severity of insider incidents and allow healthcare organizations to take corrective action quickly. When employees are aware that records are routinely monitored it can also act as a deterrent and reduce theft and unauthorized access incidents.

The final course of action is to implement solutions to combat ransomware and malware. While defenses can and should involve the use of spam filters and web filters, simple measures can also be taken such as not allowing laptops to access the Internet if they are used to store large quantities of PHI.

The post Verizon PHI Breach Report Confirms Healthcare Has Major Problem with Insider Breaches appeared first on HIPAA Journal.

South Dakota Enacts Data Breach Notification Law as Congress Considers Federal Breach Notice Bill

South Dakota has been slow to introduce legislation to improve protections for consumers affected by breaches of their personal information. Laws have already been introduced in 48 states that require individuals and companies that store personal information to issue notifications to breach victims when that information is compromised.

Last week, South Dakota residents were given similar protections to those in place in neighboring states. On March 21, 2018, South Dakota attorney general Marty Jackley issued a statement confirming SB 62 had been signed by Governor Daugaard and will take effect on July 1, 2018.

The bipartisan bill requires entities that experience a breach of personal information to issue notifications to affected state residents within 60 days of discovery of the breach – The same time frame as HIPAA.

Personal information is classed as the full name or first initial and last name of a state resident in combination with either a government ID number, Social Security number, driver’s license number, credit/debit card number (with an associated code that allows the card to be used), employment ID number (with authentication information), and health information (the same definition as HIPAA 45 CFR 160.103). A notification must also be issued to the state attorney general if the breach impacts more than 250 state residents, also within 60 days of discovery of the breach.

In contrast to many states, there is a risk of harm exception in the South Dakota data breach notification law. If a breached entity “reasonably determines that the breach will not likely result in harm to the affected person,” notifications do not need to be issued.

Delaying breach notifications could attract a fine up to $10,000 per day plus state attorneys’ fees, with a fine of $10,000 possible for each violation.

Now that the South Dakota data breach notification law has been enacted, Alabama is the only state that has not yet introduced state-level data breach notification regulations. That is likely to change soon as data breach legislation is currently under consideration by the House of Representatives following the unanimous passing of the Alabama Data Breach Notification Act of 2018 by the Alabama Senate earlier this month.

State Attorneys General Oppose Federal Data Breach Notification Regulations

Just as the patchwork of data breach notification regulations approaches completion, federal regulations are being considered that could see those state level laws rendered obsolete. A discussion draft of the Data Acquisition and Technology Accountability and Security Act was issued in February, which if signed into law, would apply to “any person, partnership, corporation, trust, estate, cooperative, association, or other entity that accesses, maintains, or stores personal, or handles personal information.”

The Data Acquisition and Technology Accountability and Security Act would require security safeguards to be implemented to protect personal information stored by any entity included in the above definition. Data breach notifications would need to be issued if, following a risk assessment, the breached entity determines there is a “reasonable risk that the breach of data security has resulted in or will result in identity theft, fraud, or economic loss to the consumers to whom the personal information involved in the incident relates.” The notifications would need to be issued without unreasonable delay.

The discussion draft of the bill has attracted criticism from state attorneys general who have already enacted their own laws to protect residents in their respective states. A bipartisan group of 32 (20 Democrats / 12 Republicans) state attorneys general, led by Illinois attorney general Lisa Madigan, sent a joint letter to the House Financial Services Committee on March 19 opposing the Data Acquisition and Technology Accountability and Security Act.

The proposed Data Acquisition and Technology Accountability and Security Act preempts state regulations and appears to place credit reporting agencies such as Equifax outside the scope of state regulation. While the above definition of entities appears to be comprehensive, a notable exception is any entity covered by the Gramm-Leach-Bliley Act – Namely financial institutions and credit reporting agencies.

Further, the proposed bill would see protections for consumers lessened in most states, since the breach reporting requirements in the Data Acquisition and Technology Accountability and Security Act are far less stringent. Not only does the DATAS Act allow a breached entity to determine the level of risk to consumers – and whether data breach notifications are required – breached entities would have much longer to issue notifications. Those notifications could even be issued after consumers have experienced identity theft and fraud due to a breach of their personal information.

The post South Dakota Enacts Data Breach Notification Law as Congress Considers Federal Breach Notice Bill appeared first on HIPAA Journal.

Research Suggests Healthcare Data Breaches Cause 2,100 Deaths a Year

A researcher at Vanderbilt University has conducted a study that suggests mortality rates at hospitals increase following a data breach as a result of a drop in the standard of care. The researcher estimates healthcare data breaches may cause as many as 2,100 deaths a year in the United States.

The study was conducted by Owen Graduate School of Management researcher, Dr. Sung Choi. The findings of the study were presented at a recent cyberrisk quantification conference at Philadelphia’s Drexel University LeBow College of Business.

Cyberattacks can have a direct impact on patient care, which has been clearly highlighted on numerous occasions over the past 12 months. Ransomware and wiper malware attacks have crippled information systems and have forced healthcare providers to cancel appointments, while the lack of access to patient health records can cause treatment delays. Notable attacks that caused major disruption were the NotPetya wiper and WannaCry ransomware attacks last year, with the latter causing major problems for the National Health Service in the UK.

Choi explained that data breaches can be a distraction for physicians and the after affects of breaches can last for years. HIPAA covered entities face investigations and litigation which Choi suggests could result in disruption to medical services and delays in providing treatment. The cost of mitigating attacks, including purchasing additional security solutions and dealing with the fallout from data breaches can see resources diverted away from patient care.

For the study, Choi compared mortality rates at hospitals before and immediately after a data breach had occurred. One of the metrics used to assess a potential fall in the quality of care was the percentage of heart attack patients who died within 30 days of admission to hospital.

Choi notes that the control group and breached hospitals had similar mortality rates, although after a data breach, the mortality rate for the control group remained the same but increased at hospitals that had experienced a breach. Choi’s analysis showed there was a 0.23% increase in the mortality rate one year following a data breach and an increase of 0.36% two years after a breach. That equates to 2,160 deaths a year.

Choi also noted that the time taken to administer electrocardiographs was longer for newly admitted patients after a hospital had experienced a data breach.

The study was presented just a few days before the Department of Health and Human Services’ Office for Civil Rights issued a reminder to HIPAA covered entities about the need to develop contingency plans for emergencies such as cyberattacks and ransomware incidents. OCR explained that HIPAA Rules on contingency planning help to ensure a fast recovery from a natural disaster, cyberattack, or other emergency situation.

This research suggests that the development of an effective contingency plan and a rapid response to data breaches can save lives.

The post Research Suggests Healthcare Data Breaches Cause 2,100 Deaths a Year appeared first on HIPAA Journal.

HIPAA Rules on Contingency Planning

In its March 2018 cybersecurity newsletter, OCR explained HIPAA Rules on contingency planning and urged healthcare organizations to plan for emergencies to ensure a return to normal operations can be achieved in the shortest possible time frame.

A contingency plan is required to ensure that when disaster strikes, organizations know exactly what steps must be taken and in what order.

Contingency plans should cover all types of emergencies, such as natural disasters, fires, vandalism, system failures, cyberattacks, and ransomware incidents. The steps that must be taken for each scenario could well be different, especially in the case of cyberattacks vs. natural disasters. The plan should incorporate procedures to follow for specific types of disasters.

Contingency planning is not simply a best practice. It is a requirement of the HIPAA Security Rule. Contingency planning should not be considered a onetime checkbox item necessary for HIPAA compliance. It should be an ongoing process with plans regularly checked, updated, and tested to ensure any deficiencies are identified and addressed.

What are the HIPAA Rules on Contingency Planning?

HIPAA Rules on contingency planning are concerned with ensuring healthcare organizations return to normal operations as quickly as possible and the confidentiality, integrity, and availability of PHI is safeguarded.

HIPAA Rules on contingency planning can be found in the Security Rule administrative safeguards -45 CFR § 164.308(a)(7)(ii)(A-E).

  • Develop and Implement a Data Backup Plan – 308(a)(7)(ii)(A)
  • Develop a Disaster Recovery Plan – 308(a)(7)(ii)(B)
  • Develop and Emergency Mode Operation Plan – 308(a)(7)(ii)(C)
  • Develop and Implement Procedures for Testing and Revision of Contingency Plans – 308(a)(7)(ii)(D)
  • Perform an Application and Data Criticality Analysis – 308(a)(7)(ii)(E)

A data backup plan ensures that when disaster strikes, PHI is not lost or destroyed. A viable copy of all ePHI must be created that allows exact copies of ePHI to be restored, which includes all forms of ePHI such as medical records, diagnostic images, test results, case management information, and accounting systems.  It is a good best practice to adopt a 3-2-1 approach for backups: Create three copies of data, store them on at least two different media, and have one copy stored securely offsite. Backups must also be tested to ensure the recovery of data is possible.

A disaster recovery plan should establish the procedures that must be followed to restore access to data, including how files should be restored from backups. A copy of the plan should be readily available and stored in more than one location.

The emergency mode operation plan must ensure critical business processes continue to maintain the security of ePHI when operating in emergency mode, for example when there is a technical failure or power outage.

All elements of the contingency plan must be regularly tested and revised as necessary. OCR recommends conducting scenario-based walkthroughs and live tests of the complete plan.

Covered entities should “assess the relative criticality of specific applications and data in support of other contingency plan components.” All software applications that are used to store, maintain, or transmit ePHI must be assessed to determine the level of criticality to business functions as it will be necessary to prioritize each when data is restored.

Summary of Key Elements of Contingency Planning

OCR has provided a summary of the key elements of contingency planning:

  • The primary goal is to maintain critical operations and minimize loss.
  • Define time periods – What must be done during the first hour, day, or week?
  • Establish Plan Activation – What event(s) will cause the activation of the contingency plan?  Who has the authority to activate the contingency plan?
  • Ensure the contingency plan can be understood by all types of employees.
  • Communicate and share the plan and roles and responsibilities with the organization.
  • Establish a testing schedule for the plan to identify gaps.
  • Ensure updates for plan effectiveness and increase organizational awareness.
  • Review the plan on a regular basis and situationally when there are technical, operational, environmental, or personnel changes in the organization.

The post HIPAA Rules on Contingency Planning appeared first on HIPAA Journal.

What is the Civil Penalty for Knowingly Violating HIPAA?

What is the civil penalty for knowingly violating HIPAA Rules? What is the maximum financial penalty for a HIPAA violation and when are fines issued? In this post we answer these questions and explain about the penalties for violating HIPAA Rules

What is HIPAA?

The Health Insurance Portability and Accountability Act – HIPAA – is a federal law that applies to healthcare organizations and healthcare employees. HIPAA requires healthcare organizations to develop policies and procedures to protect the privacy of patients and implement safeguards to ensure the confidentiality, integrity, and availability of protected health information (PHI). HIPAA places restrictions on the uses of health data, who can be provides with copies of health information, and gives patients the right to obtain copies of their health data.

HIPAA covered entities are typically healthcare providers, health plans, and healthcare clearinghouses. HIPAA also applies to vendors and suppliers (business associates) that require access to PHI to perform their contracted duties.

As with other federal laws, there are penalties for noncompliance. The financial penalties for HIPAA violations can be severe, especially when HIPAA has been “knowingly” violated – When HIPAA Rules have been consciously violated with intent.

Financial Penalties for Healthcare Organizations Who Knowingly Violating HIPAA

The civil penalty tier system for healthcare organizations is based on the extent to which the HIPAA covered entity was aware that HIPAA Rules were violated. The maximum civil penalty for knowingly violating HIPAA is $50,000 per violation up to a maximum of $1.5 million per violation category.

Penalty Structure for HIPAA Violations


Civil penalties will be dictated by the nature and extent of the violation, the number of individual affected, and the harm that has been caused to those individuals.

Healthcare Employees May Have to Pay a Civil Penalty for Knowingly Violating HIPAA

As with healthcare organizations, healthcare employees can also be fined for violating HIPAA Rules. Civil penalties can be issued to any person who is discovered to have violated HIPAA Rules. The Office for Civil Rights can impose a penalty of $100 per violation of HIPAA when an employee was unaware that he/she was violating HIPAA Rules up to a maximum of $25,000 for repeat violations.

In cases of reasonable cause, the fine rises to $1,000 per violation with a maximum of $100,000 for repeat violations, for willful neglect of HIPAA Rules where the violation was corrected the fine is $10,000 and up to $250,000 for repeat violations and willful neglect with no correction carries a penalty of $50,000 per violation and up to $1.5 million for repeat violations.

Criminal Charges for HIPAA Violations

The Office for Civil Rights enforces HIPAA Rules in conjunction with the Department of Justice and will refer cases of possible criminal violations of HIPAA Rules to the DoJ. Directors, officers, and employees may be deemed to be criminally liable for violations of HIPAA Rules under the principle of corporate criminal liability, and if not directly liable, could be charged with aiding and abetting or conspiracy.

The penalty tiers are based on the extent to which an employee was aware that HIPAA Rules were being violated. At the lowest level, a violation of HIPAA Rules could attract a maximum penalty of $50,000 and/or up to one year imprisonment.

If HIPAA Rules are violated under false pretenses the maximum fine rises to $100,000 and/or up to 5 years imprisonment. The maximum civil penalty for knowingly violating HIPAA Rules is $250,000, such as when healthcare information is stolen with the intent to sell, transfer, or use for personal gain, commercial advantage, or malicious harm. In addition to a fine, the maximum jail term is 10 years.

In addition to the punishment provided, aggravated identity theft carries a prison term of 2 years. When PHI has been stolen and patients have been defrauded, restitution may also need to be paid.

The post What is the Civil Penalty for Knowingly Violating HIPAA? appeared first on HIPAA Journal.