HIPAA News

May 2019 Healthcare Data Breach Report

In April, more healthcare data breaches were reported than in any other month to date. The high level of data breaches has continued in May, with 44 data breaches reported. Those breaches resulted in the exposure of almost 2 million individuals’ protected health information.

Healthcare data breaches by month 2014-2019

On average, 2018 saw 29.5 healthcare data breaches reported to the HHS’ Office for Civil Rights each month – a rate of more than one a day.

From January 2019 to May 2019, an average of 37.2 breaches have been reported each month. Up until May 31, 2019, 186 healthcare data breaches had been reported to OCR, which is more than half (52%) the number of breaches reported last year.

It remains to be seen whether the increase in data breaches is just a temporary blip or whether 40+ healthcare data breaches a month will become the new norm.

Healthcare records exposed by month 2017-2019

May saw a 186% increase in the number of exposed records compared to April. Across the 44 breaches, 1,988,376 healthcare records were exposed or compromised in May. So far this year, more than 6 million healthcare records have been exposed, which is more than half of the number of records exposed in 2018.

Healthcare records exposed by year 2014-2019

In terms of the number of records exposed, May would have been similar to April were it not for a massive data breach at the healthcare clearinghouse Inmediata Health Group. The breach was the largest of the year to date and resulted in the exposure of 1,565,338 records.

A web page which was supposed to only be accessible internally had been misconfigured and the page could be accessed by anyone over the internet.

 

Rank Name of Covered Entity Covered Entity Type Individuals Affected Type of Breach
1 Inmediata Health Group, Corp. Healthcare Clearing House 1,565,338 Unauthorized Access/Disclosure
2 Talley Medical Surgical Eyecare Associates, PC Healthcare Provider 106,000 Unauthorized Access/Disclosure
3 The Union Labor Life Insurance Company Health Plan 87,400 Hacking/IT Incident
4 Encompass Family and internal medicine group Healthcare Provider 26,000 Unauthorized Access/Disclosure
5 The Southeastern Council on Alcoholism and Drug Dependence Healthcare Provider 25,148 Hacking/IT Incident
6 Cancer Treatment Centers of America® (CTCA) at Southeastern Regional Medical Center Healthcare Provider 16,819 Hacking/IT Incident
7 Takai, Hoover, and Hsu, P.A. Healthcare Provider 16,542 Unauthorized Access/Disclosure
8 Hematology Oncology Associates, PC Healthcare Provider 16,073 Hacking/IT Incident
9 Acadia Montana Treatment Center Healthcare Provider 14,794 Hacking/IT Incident
10 American Baptist Homes of the Midwest Healthcare Provider 10,993 Hacking/IT Incident

Causes of May 2019 Healthcare Data Breaches

Hacking/IT incidents were the most numerous in May with 22 reported incidents. In total, 225,671 records were compromised in those breaches. The average breach size was 10,258 records with a median of 4,375 records.

There were 18 unauthorized access/disclosure incidents in May, which resulted in the exposure of 1,752,188 healthcare records. The average breach size was 97,344 records and the median size was 2,418 records.

8,624 records were stolen in three theft incidents. The average breach size 2,875 records and the median size was 3,578 records. There was one loss incident involving 1,893 records.

causes of May 2019 healthcare data breaches

Location of Breached PHI

Email continues to be the most common location of breached PHI. 50% of the month’s breaches involved at least some PHI stored in email accounts. The main cause of these types of breaches is phishing attacks.

Network servers were the second most common location of PHI. They were involved in 11 breaches, which included hacks, malware infections and ransomware attacks.  Electronic medical records were involved in 7 breaches, most of which were unauthorized access/disclosure breaches.

Location of breached PHi (may 2019)

May 2019 Healthcare Data Breaches by Covered Entity Type

Healthcare providers were the worst affected covered entity type in May with 34 breaches. 5 breaches were reported by health plans and 4 breaches were reported by business associates of HIPAA-covered entities. A further two breaches had some business associate involvement. One breach involved a healthcare clearinghouse.

May 2019 healthcare data breaches by covered entity type

May 2019 Healthcare Data Breaches by State

May saw healthcare data breaches reported by entities in 17 states.  Texas was the worst affected state in May with 7 reported breaches. There were 4 breaches reported by covered entities and business associates in California and 3 breaches were reported in each of Indiana and New York.

2 breaches were reported by entities base in Connecticut, Florida, Georgia, Maryland, Minnesota, North Carolina, Ohio, Oregon, Washington, and Puerto Rico. One breach was reported in each of Colorado, Illinois, Kentucky, Michigan, Missouri, Montana, and Pennsylvania.

HIPAA Enforcement Actions in May 2019

OCR agreed two settlements with HIPAA covered entities in May and closed the month with fines totaling $3,100,000.

Touchstone Medical Imaging agreed to settle its HIPAA violation case for $3,000,000. The Franklin, TN-based diagnostic medical imaging services company was investigated after it was discovered that an FTP server was accessible over the internet in 2014.

The settlement resolves 8 alleged HIPAA violations including the lack of a BAA, insufficient access rights, a risk analysis failure, the failure to respond to a security incident, a breach notification failure, a media notification failure, and the impermissible disclosure of the PHI of 307,839 individuals.

Medical Informatics Engineering settled its case with OCR and agreed to pay a financial penalty of $100,000 to resolve alleged HIPAA violations uncovered during the investigation of its 2015 breach of 3.5 million patient records. Hackers had gained access to MIE servers for 19 days in May 2015.

OCR determined there had been a failure to conduct a comprehensive risk analysis and, as a result of that failure, there was an impermissible disclosure of 3.5 million individuals’ PHI.

It did not end there for MIE. MIE also settled a multi-state lawsuit filed by 16 state attorneys general. A multi-state investigation uncovered several HIPAA violations. MIE agreed to pay a penalty of $900,000 to resolve the case.

The post May 2019 Healthcare Data Breach Report appeared first on HIPAA Journal.

House Overturns Ban on HHS Funding HIPAA National Patient Identifier Development

One of the requirements of the HIPAA Administrative Simplification Rules was the development of a national identifier for all patients. Such an identifier would be used by all healthcare organizations to match patients with health records from multiple sources and would improve the reliability of health information and ensure it could be shared quickly and efficiently.

That national patient identifier has failed to materialize. For the past two decades, the Department of Health and Human Services has been prohibited from using funds to develop or promote a unique patient identifier system out of concerns over privacy and security of patient data.

Just as was the case in 1996, the benefits of using national patient identifiers remain and the need for such a system is greater than ever. Many hospitals, healthcare and health IT groups have been urging Congress to lift the HHS ban due to the benefits that would come from using a national identifier.

They argue it would make it much easier to match medical information from multiple sources with the correct patient and the potential for errors would be greatly reduced. Together with the cost savings, adoption of a national patient identifier would improve the quality of care provided to patients and patient safety.

Now, 20 years after the ban was put in place, it is closer to being lifted. The U.S. House of Representatives recently voted on several amendments to a $99.4 billion HHS appropriations bill. The amendment calling for the lifting of the ban was proposed by Rep. Bill Foster (D-Ill.) and was passed on Wednesday 12, June in a 246 to 178 vote. Until now, neither chamber in Congress has ever voted to lift the ban.

“For the last 21 years, this misguided policy has been in place, and thousands of Americans have died due to getting the wrong drug to the wrong patient or due to incorrect or incomplete electronic medical records, all arising from the inability to simply and correctly merge health records from different systems,” said Rep. Foster.

The passing of the amendment is the first step toward a national identifier being developed, but there are plenty of hurdles to overcome before the ban is finally lifted. The appropriations bill must first be passed, and the senate would need to give its approval, then the president would need to sign the bill into law.

Even though the benefits of a national patient identifier are clear, many privacy advocates believe the privacy and security risks are too great and that adoption of a national identifier would result in loss of control of patient data and more frequent, larger, and more damaging healthcare data breaches.

The post House Overturns Ban on HHS Funding HIPAA National Patient Identifier Development appeared first on HIPAA Journal.

HHS To Apply New Caps on Financial Penalties for HIPAA Violations to Reflect Level of Culpability

Body:

The Department of Health and Human Services has issued a notification of enforcement discretion regarding the civil monetary penalties that are applied when violations of HIPAA Rules are discovered and will be reducing the maximum financial penalty for three of the four penalty tiers.

The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 increased the penalties for HIPAA violations. The new penalties were based on the level of knowledge a HIPAA covered entity or business associate had about the violation and whether action was voluntarily taken to correct any violations.

The 1st penalty tier applies when a covered entity or business associate is unaware that HIPAA Rules were violated and, by exercising a reasonable level of due diligence, would not have known that HIPAA was being violated.

The 2nd tier applies when a covered entity knew about the violation or would have known had a reasonable level of due diligence been exercised, but when the violation falls short of willful neglect of HIPAA Rules.

The 3rd penalty tier applies when there was willful neglect of HIPAA Rules, but the covered entity corrected the problem within 30 days.

The 4th tier applies when there was willful neglect of HIPAA Rules and no efforts were made to correct the problem in a timely manner.

The maximum penalty across all four tiers was set at $1.5 million for violations of an identical provision in a single calendar year.

On January 25, 2013, the HHS implemented an interim final rule (IFR) and adopted the new penalty structure, but believed at the time that there were inconsistencies in the language of the HITCH Act with respect to the penalty amounts. The HHS determined at the time that the most logical reading of the law was to apply the same maximum penalty cap of $1,500,000 across all four penalty tiers.

The HHS has now reviewed the language of the HITECH Act and believes a better reading of the requirements of the HITECH Act would be for the annual penalty caps to be different in three of the four tiers to better reflect the level of culpability. The minimum and maximum amounts in each tier will remain unchanged.

New Interpretation of the HITECT ACT’s Penalties for HIPAA Violations

Penalty Tier Level of Culpability Minimum Penalty per Violation Maximum Penalty per Violation Old Maximum Annual Penalty New Maximum Annual Penalty
1 No Knowledge $100 $50,000 $1,500,000 $25,000
2 Reasonable Cause $1,000 $50,000 $1,500,000 $100,000
3 Willful Neglect – Corrective Action Taken $10,000 $50,000 $1,500,000 $250,000
4 Willful Neglect – No Corrective Action Taken $50,000 $50,000 $1,500,000 $1,500,000

 

The HHS will publish its notification in the Federal Register on April 30, 2019. The HHS notes that its notification of enforcement discretion creates no legal obligations and no legal rights. Consequently, it is not necessary for it to be reviewed by the Office of Management and Budget.

The new penalty caps will be adopted by the HHS until further notice and will continue to be adjusted annually to account for inflation. The HHS expects to engage in further rulemaking to review the penalty amounts to better reflect the text of the HITECH Act.

The post HHS To Apply New Caps on Financial Penalties for HIPAA Violations to Reflect Level of Culpability appeared first on HIPAA Journal.

Feature of DICOM Image Format Could Be Abused to Fuse Malware with PHI

The DICOM image format, which has been in use for around for 30 years, contains a design ‘flaw’ that could be exploited by hackers to embed malware in image files. Were that to happen, the malware would become permanently fused with protected health information.

The DICOM file format was developed to allow medical images to be easily stored and shared. It eliminated the need for physical films and solved hardware compatibility issues. DICOM is now the standard format used for MRI and CT images and is supported by most medical imaging systems. The file format can be read by a range of devices that are used to view patient image files and diagnostic information.

DICOM images contain a section at the start of the files called a Preamble. This section is used to facilitate access to the metadata within the images and ensure compatibility with image viewers which do not support the DICOM image format. By altering the Preamble section of the file, image viewers treat DICOM images as a file type that they support, such as a jpeg, allowing the file to be opened.

This design feature is part of the reason why the DICOM file format is so useful. However, this feature can also be seen as a flaw. Markel Picado Ortiz, a security researcher at Cylera, discovered the preamble section of the file does not have restrictions on what can be added.

Ortiz has a proof-of-concept exploit for the flaw which allows an arbitrary sequence of executable code to be inserted into the image. Provided that code is less than 128 bytes, it can be inserted without affecting compliance with the DICOM standard, altering the image in any other way, or changing any PHI contained in the file. Ortiz has called the attack method PE/DICOM.

By altering the Preamble of a file, a hacker could insert executable code that masquerades as a DICOM file. The DICOM image would become an executable file, yet it would not have a file extension associated with executable files. Headers could also be added that make the file appear to be another file format, such as an executable.

Any hacker that were to use this method of incorporating malicious code would also benefit from HIPAA regulations. Files containing PHI are usually ignored by anti-malware solutions for compliance reasons. Even if they did, it would be unlikely they would detect the presence of any code in the preamble section of the files.

Detecting the malware would therefore prove difficult. Malicious code could remain undetected, but worse, the infected files would be stored within the healthcare provider’s protected environment. The file may also be shared with other healthcare providers would be unaware the files had been infected with malware.

Since the malware contains executable code, it could download other malware onto the network or give an attacker a launch pad to conduct further attacks. Files could be given worm-like properties that allow malware to be propagated throughout the network.

The potential uses of this flaw are numerous. “This [flaw] enables new and existing malware to evolve into more potent variants, optimized for successful compromise of healthcare organizations, by using the infected patient data to hide, protect and spread itself – three of the primary functions that determine the effectiveness of a malware campaign,” said Ortiz.

Were the malware to be identified, healthcare organizations would have a problem with removing the malware. The hybrid file that is created could not have the malware removed without permanently deleting the file, which would result in the permanent loss of the image and patients’ PHI. Healthcare providers may have to keep the infected file due to HIPAA regulations.

“The fusion of fully-functioning executable malware with HIPAA-protected patient information adds regulatory complexities and clinical implications to automated malware protection and typical incident response processes in ways that did not previously need to be considered,” explained Ortiz.

Unfortunately, since the flaw is present in the DICOM standard itself, it is not possible to issue a patch to correct the flaw. The solution would be for the DICOM standard to be changed to place restrictions on what can be incorporated into the Preamble, but that may prove to be a challenge and would also involve altering a feature of DICOM files that makes them so useful.

Anti-malware solutions could be developed to check for the presence of malicious code inside DICOM images, but that does not solve the issue of what is done with the files if they are determined to contain malware.

While the flaw is serous, in order for it to be exploited, an attacker would first need to have permissions to access the system on which DICOM images are stored and would also need to have permissions to execute commands. Valid Active Directory credentials would therefore be required. That said, there have been many cases of credentials being compromised that have given hackers access to healthcare networks. The flaw could also be exploited by a malicious insider with access to the network.

All healthcare organizations can do to protect against the flaw in the short term is to adopt standard cybersecurity best practices to prevent access to the network being gained, such as changing default credentials, securing the perimeter, and scanning for and addressing vulnerabilities. Network segregation will help to prevent the spread of any malware and intrusion detection systems could detect an attack before DICOM images could be changed.

What is clear is that correcting the flaw and preventing abuse is going to be a major challenge and one that will not easily be solved.

The post Feature of DICOM Image Format Could Be Abused to Fuse Malware with PHI appeared first on HIPAA Journal.

Healthcare Organizations Found Not to be In Conformance with NIST CSF and HIPAA Rules

A recent study conducted by the consultancy firm CynergisTek has revealed healthcare organizations are not in conformance with NIST Cybersecurity Framework (CSF) controls and the HIPAA Privacy and Security Rules.

For the study, CynergisTek analyzed the results of assessments at almost 600 healthcare organizations against NIST CSF and the HIPAA Privacy and Security Rules.

The NIST CSF is a voluntary framework, but the standards and best practices help organizations manage cyber risks. Healthcare organizations that are not in conformance with CSF controls face a higher risk of experiencing a cyberattack or data breach. On average, healthcare organizations were only in conformance with 47% of NIST CSF controls. Conformance has only increased by 2% in the past year.

Assisted living organizations had the highest level of conformance with NIST CSF (95%), followed by payers (86%), and accountable care organizations (73%). Business associates of HIPAA covered entities only had an average conformance level of 48%. Physician groups had the lowest level of conformance (36%).

Out of the five core functions of the NIST CSF – Identify, detect, protect, respond, and recover – conformance was lowest for detect.

Even though conformance with the HIPAA Security Rule has been mandatory for the past 14 years, many healthcare organizations were found to be falling short. On average, healthcare organizations were found to be in conformance with 72% of HIPAA Security Rule requirements, which was 2% lower than last year. Critical access hospitals fared the worst with an average of 67% conformance.

Even when organizations were complying with HIPAA Rules, significant security gaps were identified, which clearly demonstrated compliance does not necessarily equate to security.

Compliance with the requirements of the HIPAA Privacy Rule was better, but there is still significant room for improvement. On average, healthcare organizations were complying with 77% of HIPAA Privacy Rule provisions. Many organizations had missing policies and procedures and improper postings. More than 60% of assessments revealed gaps in the maintenance of written policies and procedures related to the use and release of protected health information.

Conformance with the HIPAA Privacy Rule increased year over year for payers and physician groups, but declined for hospitals and health systems, falling from 94% in 2017 to 72% in 2018. CynergisTek explained this fall as most likely being due to higher numbers of assessments being performed on hospitals and health systems in 2018.

CynergisTek also found that insider breaches continue to be a major challenge for healthcare organizations. Insiders were responsible for 28% of healthcare data breaches in 2018 and, on average, those breaches took 255 days to detect. 74% of cases involved employees accessing the health records of household members, 10% involved accessing the records of VIPs that were treated at the hospital. 8% of cases involved accessing the health records of co-workers and 8% involved accessing neighbors’ health records.

Business associates were found to be a major security risk. They were involved in 20% of healthcare data breaches in 2018. CynergisTek found that in many cases, healthcare organizations were not proactively assessing their vendors, even those that are medium to high risk. The most common business associate failures were related to risk assessments, governance, and access management.

The post Healthcare Organizations Found Not to be In Conformance with NIST CSF and HIPAA Rules appeared first on HIPAA Journal.

CMS Launches Review Program to Assess Compliance with the HIPAA Administrative Simplification Rules

The HHS’ Centers for Medicare and Medicaid Services (CMS) has launched a compliance review program to assess whether HIPAA covered entities are complying with the HIPAA Administrative Simplification Rules for electronic healthcare transactions. The compliance reviews will commence in April 2019.

The HIPAA Administrative Simplification Rules

The HIPAA Administrative Simplification Rules were introduced to improve efficiency and the effectiveness of the health system in the United States. They require healthcare organizations to adopt national standards for healthcare transactions that are conducted electronically, including the use of standard code sets and unique health identifiers, in addition to complying with the requirements of the HIPAA Privacy and Security Rules.

The HHS’ Office for Civil Rights is responsible for enforcing the HIPAA Privacy, Security, and Breach Notification Rules. The CMS is responsible for administering and enforcing the rules covering transaction and code sets standards, the employer identifier standard, and the national provider identifier standard, as detailed in 45 CFR Parts 160, 162, and 164. The CMS-administered standards are required to be adopted whenever there is an exchange of health information. If the standards are not adopted, healthcare information cannot be exchanged efficiently.

The CMS Compliance Review Program

Starting in April 2019, the CMS will conduct compliance reviews on 9 randomly selected health plans and healthcare clearinghouses, including those that deal with Medicare and Medicaid and those that do not.

The compliance reviews will assess whether HIPAA -covered entities are in compliance with the standards set for:

  • Transaction formats;
  • Code sets; and
  • Unique identifiers

If covered entities selected for a review are found not to be in compliance with the HIPAA Administrative Simplification Rules, they will be provided with a corrective action plan to address any violations and will be given the opportunity to make changes and achieve compliance.

Any covered entity that fails to make the necessary changes and achieve compliance with the HIPAA Administrative Simplification standards will be subjected to “escalating enforcement actions”, which could include civil monetary penalties.

The 2019 CMS Compliance Review Program follows on from a pilot review program conducted in 2018 on three health plans and three healthcare clearinghouses that volunteered to participate. A separate program will take place in 2019 in which providers will also be able to volunteer for compliance reviews.

After the latest round of 9 compulsory compliance reviews have been completed, the CMS will conduct an ongoing campaign involving periodic reviews of randomly selected covered entities to assess compliance with the HIPAA Administrative Simplification Rules.

These will be in addition to the normal procedure for enforcing compliance, which currently operates on a complaint basis.

Organizations can use the web-based Administrative Simplification Enforcement and Testing Tool (ASETT) to test transactions to determine whether they are compliant and to submit complaints about HIPAA Administrative Simplification Rules violations.

The post CMS Launches Review Program to Assess Compliance with the HIPAA Administrative Simplification Rules appeared first on HIPAA Journal.

$1.6 Million Settlement Agreed with Texas Department of Aging and Disability Services Over 2015 Data Breach

The Department of Health and Human Services’ Office for Civil Rights has agreed to settle a HIPAA violation case with the Texas Department of Aging and Disability Services (DADS) to resolve HIPAA violations discovered during the investigation of a 2015 data breach that exposed the protected health information of 6,617 Medicaid recipients.

The breach was caused by an error in a web application which made ePHI accessible over the internet for around 8 years. DADS submitted a breach report to OCR on June 11, 2015.

OCR launched an investigation into the breach to determine whether there had been any violation of HIPAA Rules. On July 2015, OCR notified DADS that the investigation had revealed there had been multiple violations of HIPAA Rules.

DADS was deemed to have violated the risk analysis provision of the HIPAA Security Rule – 45 C.F.R. § 164.308(a)(1)(ii)(A) – by failing to conduct a comprehensive, organization-wide risk analysis to identify potential risks to the confidentiality, integrity, and availability of ePHI.

There had also been a failure to implement appropriate technical policies and procedures for systems containing ePHI to only allow authorized individuals to access those systems, in violation of 45 C.F.R. § 164.308(a)(4) and 45 C.F.R. § 164.312(a)(1).

Appropriate hardware, software, and procedural mechanisms to record and examine information system activity had not been implemented, which contributed to the duration of exposure of ePHI – A violation of 5 C.F.R. § 164.312(b).

As a result of these violations, there was an impermissible disclosure of ePHI, in violation of 45 C.F.R. § 164.502(a).

The severity of the violations warranted a financial penalty and corrective action plan. Both were presented to the State of Texas and DADS was given the opportunity to implement the measures outlined in the CAP to address the vulnerabilities to ePHI.

The functions and resources that were involved in the breach have since been transferred to the Health and Human Services Commission (HHSC), which will ensure the CAP is implemented.

The State of Texas presented a counter proposal for a settlement agreement to OCR which will see the deduction of $1,600,000 from sums owed to HHSC from the CMS. The settlement releases HHSC from any further actions related to the breach and HHSC has agreed not to contest the settlement or CAP.

The settlement has yet to be announced by OCR, but it has been approved by the 86th Legislature of the State of Texas. This will be the first 2019 HIPAA settlement between OCR and a HIPAA covered entity.

The post $1.6 Million Settlement Agreed with Texas Department of Aging and Disability Services Over 2015 Data Breach appeared first on HIPAA Journal.

February 2019 Healthcare Data Breach Report

Healthcare data breaches continued to be reported at a rate of more than one a day in February. February saw 32 healthcare data breaches reported, one fewer than January.

Healthcare data breaches by month

The number of reported breaches may have fell by 3%, but February’s breaches were far more severe. More than 2.11 million healthcare records were compromised in February breaches – A 330% increase from the previous month.

Records exposed in Healthcare data breaches by month

Causes of Healthcare Data Breaches in February 2019

Commonly there is a fairly even split between hacking/IT incidents and unauthorized access/disclosure incidents; however, in February, hacking and IT incidents such as malware infections and ransomware attacks dominated the healthcare data breach reports.

75% of all reported breaches in February (24 incidents) were hacking/IT incidents and those incidents resulted in the theft/exposure of 96.25% of all records that were breached. All but one of the top ten healthcare data breaches in February were due to hacks and IT incidents.

There were four unauthorized access/disclosure incidents and 4 cases of theft of physical or electronic PHI. The unauthorized access/disclosure incidents involved 3.1% of all compromised records and 0.65% of records were compromised in the theft incidents.

Causes of Healthcare data breaches in February 2019

Largest Healthcare Data Breaches in February 2019

The largest healthcare data breach reported in February involved the accidental removal of safeguards on a network server, which allowed the protected health information of more than 973,000 patients of UW Medicine to be exposed on the internet. Files were indexed by the search engines and could be found with simple Google searches. Files stored on the network server were accessible for a period of more than 3 weeks.

The second largest data breach was due to a ransomware attack on Columbia Surgical Specialist of Spokane. While patient information may have been accessed, no evidence was found to suggest any ePHI was stolen by the attackers.

The 326,629-record breach at UConn Health was due to a phishing attack that saw multiple employees’ email accounts compromised, and one email account was compromised in a phishing attack on Rutland Regional Medical Center that contained the ePHi of more than 72,000 patients.

Rank Name of Covered Entity Covered Entity Type Individuals Affected Type of Breach
1 UW Medicine Healthcare Provider 973,024 Hacking/IT Incident
2 Columbia Surgical Specialist of Spokane Healthcare Provider 400,000 Hacking/IT Incident
3 UConn Health Healthcare Provider 326,629 Hacking/IT Incident
4 Rutland Regional Medical Center Healthcare Provider 72,224 Hacking/IT Incident
5 Delaware Guidance Services for Children and Youth, Inc. Healthcare Provider 50,000 Hacking/IT Incident
6 Rush University Medical Center Healthcare Provider 44,924 Unauthorized Access/Disclosure
7 AdventHealth Medical Group Healthcare Provider 42,161 Hacking/IT Incident
8 Reproductive Medicine and Infertility Associates, P.A. Healthcare Provider 40,000 Hacking/IT Incident
9 Memorial Hospital at Gulfport Healthcare Provider 30,642 Hacking/IT Incident
10 Pasquotank-Camden Emergency Medical Service Healthcare Provider 20,420 Hacking/IT Incident

 

Location of Breached Protected Health Information

Email is usually the most common location of compromised PHI, although in February there was a major rise in data breaches due to compromised network servers. 46.88% of all breaches reported in February involved ePHI stored on network servers, 25% involved ePHI stored in email, and 12.5% involved ePHI in electronic medical records.

Location of breached PHI

Healthcare Data Breaches by Covered Entity Type

Healthcare providers were the worst affected by data breaches in February 2019 with 24 incidents reported. There were five breaches reported by health plans, and three breaches reported by business associates of HIPAA-covered entities. A further seven breaches had some business associate involvement.

February 2019 healthcare data breaches by covered entity

Healthcare Data Breaches by State

The healthcare data breaches reported in February were spread across 22 states. California and Florida were the worst affected states with three breaches apiece. Two breaches were reported in each of Illinois, Kentucky, Maryland, Minnesota, Texas, and Washington, and one breach was reported in each of Arizona, Colorado, Connecticut, Delaware, Georgia, Kansas, Massachusetts, Mississippi, Montana, North Carolina, Virginia, Wisconsin, and West Virginia.

HIPAA Enforcement Actions in February 2019

2018 was a record year for HIPAA enforcement actions, although 2019 has started slowly. The HHS’ Office for Civil Rights has not issued any fines nor agreed any HIPAA settlements so far in 2019.

There were no enforcement actions by state attorneys general over HIPAA violations in February. The only 2019 penalty to date is January’s $935.000 settlement between California and Aetna.

The post February 2019 Healthcare Data Breach Report appeared first on HIPAA Journal.

New HIPAA Regulations in 2019

The Trump Administration’s policy of two regulations out for every new one introduced will limit the number of new HIPAA regulations in 2019. While there may be some new HIPAA regulations in 2019, there will also likely be some easing of HIPAA requirements in 2019.

The most likely areas for HIPAA 2019 changes are the removal of some aspects of HIPAA Rules that are proving unnecessarily burdensome for HIPAA covered entities while providing little benefit to patients and health plan members. These requirements were important when they were introduced but have since been determined to be barriers to the provision of healthcare or the transition to value-based healthcare.

How are New HIPAA Regulations Introduced?

The process of making HIPAA updates is slow. First, the Department of Health and Human Services seeks feedback on aspects of HIPAA regulations which are proving problematic or, due to changes in technologies or practices, are no longer as important as when they were signed into law.

After considering the comments and feedback, the HHS submits a notice of proposed rulemaking followed by a comment period. Comments received from healthcare industry stakeholders are considered before a final rule change occurs. HIPAA-covered entities are then given a grace period to make the necessary changes before compliance with the new HIPAA regulations becomes mandatory and enforceable.

New HIPAA Regulations in 2019

OCR issued a request for information in December 2018 asking HIPAA covered entities for feedback on aspects of HIPAA Rules that were overly burdensome or obstruct the provision of healthcare, and areas where HIPAA updates could be made to improve care coordination and data sharing.

The period for comments closed on February 11, 2019 and OCR is now considering the responses received. A notice of proposed rulemaking will follow after careful consideration of all comments and feedback, although no timescale has been provided on when the NPRM will be issued. It is reasonable to assume however, that there will be some at least some new HIPAA regulations in 2019.

OCR was specifically looking at making changes to aspects of the HIPAA Privacy Rule that impede the transformation to value-based healthcare and areas where current Privacy Rule requirements limit or discourage coordinated care.

Under consideration are changes to HIPAA restrictions on disclosures of PHI that require authorizations from patients. Those requirements may be loosened as they are considered by many to hamper the transformation to value-based healthcare.

OCR is considering whether the Privacy Rule should be changed to make the sharing of patient data with other providers mandatory rather than simply allowing data sharing. Both the American Hospital Association (AHA) and the American Medical Association (AMA) have voiced their concern about this aspect of the proposed new HIPAA regulations and are against the change. Both organizations are also against any shortening of the timescale for responding to patient requests for copies of their medical records.

OCR is also considering HIPAA changes in 2019 that will help with the fight against the current opioid crisis in the United States. HHS Deputy Secretary Eric Hargan has stated that there have been some complaints about aspects of the HIPAA Privacy Rule that are stopping patients and their families from getting the help they need. There is some debate about whether new HIPAA regulations or changes to the HIPAA Privacy Rule is the right way forward or whether further guidance from OCR would be a better solution.

One likely area where HIPAA will be updated is the requirement for healthcare providers to make a good faith effort to obtain individuals’ written acknowledgment of receipt of providers’ Notice of Privacy Practices. That requirement is expected to be dropped in the next round of HIPAA changes.

What is certain is that new HIPAA regulations are around the corner, but whether there will be any 2019 HIPAA compliance changes remains to be seen. It may take until 2020 for any changes to HIPAA regulations to be rolled out.

Changes to HIPAA Enforcement in 2019

Halfway through 2018, OCR had only agreed three settlements with HIPAA covered entities to resolve HIPAA violations and its enforcement actions were at a fraction of the level in the previous two years. It was starting to look like OCR was easing up on its enforcement of HIPAA Rules. However, OCR picked up pace in the second half of the year and closed 2018 on 10 settlements and one civil monetary penalty – One more penalty than in 2018.

2018 ended up being a record year for HIPAA enforcement. The final total for fines and settlements was $28,683,400, which beat the previous record set in 2016 by 22%.

At HIMSS 2019, Roger Severino gave no indications that HIPAA enforcement in 2019 would be eased. Fines and settlements are likely to continue at the same level or even increase.

Severino did provide an update on the specific areas of HIPAA compliance that the OCR would be focused on in 2019. OCR is planning to ramp up enforcement of patient access rights. The details have yet to be ironed out, but denying patients access to their medical records, failures to provide copies of medical records in a reasonable time frame, and overcharging are all likely to be scrutinized and could result in financial penalties.

OCR will also be continuing to focus on particularly egregious cases of noncompliance – HIPAA-covered entities that have disregarded the duty of care to patients with respect to safeguarding their protected health information. OCR will come down heavy on entities that have a culture of noncompliance and when little to no effort has been put into complying with the HIPAA Rules.

The failure to conduct comprehensive risk analyses, poor risk management practices, lack of HIPAA policies and procedures, no business associate agreements, impermissible PHI disclosures, and a lack of safeguards typically attract financial penalties. OCR is also concerned about the volume of email data breaches. Phishing is a major problem area in healthcare and failures to address email security risks are likely to attract OCR’s attention in 2019.

The post New HIPAA Regulations in 2019 appeared first on HIPAA Journal.