HIPAA News

ONC Offers Help for Covered Entities on Medical Record Access for Patients

The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule requires covered entities to give patients access to their medical records on request. Patients should be able to obtain a copy of their health records in paper or electronic form within 30 days of submitting the request.

Last year, the Department of Health and Human Services’ Office for Civil Rights (OCR) issued guidance for covered entities on providing patients with access to their medical records. A series of videos was also released to raise awareness of patients’ rights under HIPAA to access their records. In theory, providing access to medical records should be a straightforward process. In practice, that is often not the case.

Patients often have difficulty accessing their electronic health data, as many healthcare organizations are unable to easily provide health records electronically. Patient portals often provide information for patients, although the information available via patient portals can be incomplete or inaccurate. When patients need to obtain their health information to give to other healthcare providers, they can find it difficult to locate the information they need.

The Office of the National Coordinator for Health Information Technology (ONC) has recently published a report detailing some of the problems faced by healthcare providers when providing medical record access for patients. The report offers useful tips for healthcare organizations to help them provide medical record access for patients quickly and easily.

For the report, Improving the Health Records Request Process for Patients, ONC spoke to 17 consumers to find out about the challenges they faced when attempting to gain access to their medical records. The report includes three examples of patients and caregivers who have experienced difficulties when attempting to exercise their right to access medical data. The personas are fictional, although the challenges faced by those personas were taken from real-world examples.

ONC also looked at the medical record release forms used by 50 large healthcare systems across 32 states and spoke to stakeholders and health system professionals about the challenges faced when trying to provide patients with copies of their health records. ONC discovered the process of providing electronic copies of health records is often hampered by inefficient systems and limited resources.

The research has allowed ONC to develop tips to help healthcare providers create a streamlined, transparent, and electronic records request process. Making the suggested changes will allow health systems to improve the process of providing access to health data. Patients will then suffer less frustration and be able to obtain their records faster, allowing them to coordinate their care more effectively and have greater control over their health and wellbeing.

The post ONC Offers Help for Covered Entities on Medical Record Access for Patients appeared first on HIPAA Journal.

AMIA Urges HHS to Provide More Information on Common Rule Updates

The Federal Policy for the Protection of Human Subjects, otherwise known as the Common Rule, was first adopted in 1991; however, there have been numerous calls for the policy to be updated.

The purpose of the Common Rule is to provide a framework for protecting human research subjects across the entire federal government. The Common Rule was introduced at a time when research was mainly conducted at medical institutions and universities, and before research data was routinely collected and stored digitally.

The past 26 years have seen considerable changes in where research is conducted, how much information is available, how easily that information can be shared, and how easily research participants can be identified.

Earlier this year, the final Common Rule updates were published by HHS. The Trump administration is reviewing the updates, and at this stage it is unclear whether any changes will be made and, if so, when those changes will be implemented.

The updates were subjected to a 40-day regulatory freeze, but more than 150 days have now passed and there has been no further communication to stakeholders on the status of the Common Rule updates. It is unclear whether the proposed effective date of January 19, 2018 will be met.

The American Medical Informatics Association (AMIA) is concerned over the lack of progress and has recently voiced its concerns in a letter to the Department of Health and Human Services and the Office of Management and Budget.

In its letter, AMIA strongly encourages federal officials to keep the original effective date because of the pressing need for changes to the Common Rule, although AMIA has recommended extending the compliance date to June 19, 2018 to give researchers more time “to harmonize old and new provisions”.

The lack of any further information is a concern. AMIA suggests an official announcement should be made about the Common Rule updates immediately.

In the letter, AMIA says, “Over the last several years, a paradigm shift has occurred in the nature, scope and frequency of research involving human subjects, their biospecimens, and their data. Combined with rapid adoption of electronic health records (EHRs) by care providers and dramatic improvements in computing technology, we believe the final revisions to the Common Rule are necessary to improve discovery of new health insights and advance healthcare transformation.”

The Common Rule updates include new protections for individuals who choose to take part in research studies, but the updates will also reduce administrative burdens, particularly for low-risk research studies. For example, exemptions have been included for low-risk studies conducted by HIPAA-covered entities, which would also allow more secondary research of EHR data. The administrative burden is further reduced by eliminating the need for continuing review for many studies.

The changes also allow researchers to obtain broad consent which will greatly improve availability of biospecimens and patient-reported data for secondary research. Important changes are also made to consent, requiring the most important information to be communicated to participants clearly and concisely in a way that a reasonable person would understand.

The changes will also mean potential research participants are screened more effectively, which will help identify patients who qualify for new treatments and ensure those individuals learn about their options.

AMIA President and CEO Douglas B. Fridsma, said, “Patients expect researchers to leverage their data for improved care in responsible ways. The updated Common Rule enables and encourages better transparency so that new discoveries are possible.”

Peter J. Embi, MD, MS, President and CEO of Regenstrief Institute, Inc., said, “It is critical that we adopt these changes for the sake of our national research enterprise.” Embi went on to explain, “We need to know that important aspects of the finalized Common Rule will proceed as planned. Without such a clear signal, the revised Common Rule’s new benefits will be delayed, leaving in place a 26-year-old rule that doesn’t serve the needs of research participants or the research community.”

The post AMIA Urges HHS to Provide More Information on Common Rule Updates appeared first on HIPAA Journal.

Delayed Breach Notification Sees CoPilot Fined $130,000 by NY AG

A data breach that occurred in October 2015 should have seen affected individuals notified within two months, yet it took CoPilot Provider Support Services Inc. until January 2017 to issue breach notifications.

An administrative website maintained by CoPilot was accessed by an unauthorized individual on October 26, 2015. That individual also downloaded the data of 221,178 individuals. The stolen data included names, dates of birth, phone numbers, addresses, and medical insurance details.

The individual suspected of accessing the website and downloading data was a former employee. CoPilot contacted the FBI in February 2016 to receive help with the breach investigation and establish the identity of the unauthorized individual.

However, notifications were not sent by CoPilot until January 18, 2017. CoPilot says the delay was due to the time taken for the FBI to investigate the breach; however, since CoPilot was aware that reimbursement-related records had been stolen, notifications should have been sent sooner. Further, law enforcement did not instruct CoPilot to delay the issuing of breach notifications as doing so would not have impeded the investigation.

There is some debate as to whether CoPilot is subject to HIPAA Rules. CoPilot has previously said it is not covered by HIPAA, although a breach report was sent to the Department of Health and Human Services’ Office for Civil Rights. If CoPilot is a HIPAA-covered entity or business associate, breach notifications would have had to be sent within 60 days of the discovery of the breach.

OCR is investigating and trying to determine whether CoPilot is classed as a business associate and therefore must comply with HIPAA Rules. If OCR determines that it is, the decision may be taken to issue a financial penalty for the delayed breach notifications. Earlier this year, OCR fined Presence Health $475,000 for delaying breach notifications for three months. A fine for CoPilot would likely be considerably higher considering the number of individuals impacted by the breach and the length of the delay.

HIPAA fines may or may not result from the notification delay, but the New York Attorney General has now taken action. On Thursday last week, Eric Schneiderman announced that CoPilot has been fined $130,000 for the breach notification delay, not for a violation of HIPAA Rules but for a violation of New York General Business Law § 899-aa. The law requires businesses to send timely breach notifications to individuals impacted by a data breach. In addition to the fine, CoPilot is required to improve its notification and legal compliance program.

Announcing the fine, Schneiderman said, “Healthcare services providers have a duty to protect patient records as securely as possible and to provide notice when a breach occurs,” explaining that “Waiting over a year to provide notice is unacceptable.”

The financial penalty sends a message to all businesses that unnecessary breach notification delays will not be tolerated. Schneiderman said “My office will continue to hold businesses accountable to their responsibility to protect customers’ private information.”

The post Delayed Breach Notification Sees CoPilot Fined $130,000 by NY AG appeared first on HIPAA Journal.

OCR’s Wall of Shame Under Review by HHS

Since 2009, the Department of Health and Human Services’ Office for Civil Rights has been publishing summaries of healthcare data breaches on its website. The data breach list is commonly referred to as OCR’s ‘Wall of Shame’.

The data breach list only provides a brief summary of data breaches, including the name of the covered entity, the state in which the covered entity is based, covered entity type, date of notification, type of breach, location of breach information, whether a business associate was involved and the number of individuals affected.

The list includes all reported data breaches, including those which occurred due to no fault of the healthcare organization. The list is not a record of HIPAA violations. Those are determined during OCR investigations of breaches.

Making brief details of the data breaches available to the public is an ‘unnecessarily punitive’ measure, according to Rep. Michael Burgess (R-Texas), who recently criticized OCR about its data breach list.

Burgess was informed at a cybersecurity hearing last week that HHS secretary Tom Price is currently reassessing the website and how the information is made public.

While the publication of information is under review, the publication of breach summaries is a requirement of the HITECH Act of 2009. Any decision to stop publishing breach summaries on the website would require action by Congress. However, it is possible for changes to be made to how the information is displayed and for how long it remains available. The HITECH Act only requires the information to be published; it does not stipulate the length of time that a covered entity remains on the list.

The reason behind the publication of breach information is to inform the public of data breaches and to provide some information on what has occurred. If there was a time limit placed on the length of time a covered entity remained on the list, it would not be possible for a member of the public to determine whether a breach was an isolated event or one of several suffered by a covered entity.

OCR Director Roger Severino issued a statement confirming the usefulness of the website saying, “The website provides an important source of information to the public, but we recognize that the format has become stale and can and should be improved,” explaining “OCR will continue to evaluate the best options for communicating this information as we meet statutory obligations, educate the regulated community (and the public) on lessons learned, and highlight actions taken in response.”

Burgess told Fierce Healthcare, “I am interested in pursuing solutions that hold hospital systems accountable for maintaining patient privacy without defaming systems that may fall victim to large-scale ransomware attacks, such as WannaCry.”

Of course, in the case of the WannaCry attacks, affected healthcare organizations may not be blameless. The attacks were only possible because the patch for the SMB vulnerability the worm exploited (MS17-010), released by Microsoft two months before the attack, had not been applied promptly. However, in its current form, the website gives no indication that a covered entity has experienced a ransomware attack, as the breach list does not go into that much detail.

While options are being considered, some privacy advocates argue that the breach portal does not go into nearly enough detail and suggest even more information should be uploaded to the site to better inform the public on exactly what has occurred.

The post OCR’s Wall of Shame Under Review by HHS appeared first on HIPAA Journal.

OCR Reminds Covered Entities of Security Incident Definition and Notification Requirements

The ransomware attacks and the high number of healthcare IT security incidents last month have prompted the Department of Health and Human Services’ Office for Civil Rights to issue a reminder to covered entities about the HIPAA Rules covering security incidents and breaches.

In its May 2017 Cyber Newsletter, OCR explains what constitutes a HIPAA security incident, how to prepare for such an incident, and how to respond when defenses are breached.

HIPAA requires all covered entities to implement administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of electronic protected health information (ePHI). However, even when covered entities have sophisticated, layered cybersecurity defenses and are fully compliant with HIPAA Security Rule requirements, cyber incidents may still occur. Cybersecurity defenses are unlikely to be 100% effective, 100% of the time.

Prior to the publication of OCR guidance on ransomware attacks last year, there was some confusion about what constituted a security incident and a reportable HIPAA breach. Many healthcare organizations had experienced ransomware attacks, yet failed to report those incidents to OCR or notify patients that their ePHI may have been accessed.

OCR has reminded covered entities in its newsletter of the HIPAA definition of a security incident. The HIPAA Security Rule (45 CFR 164.304) describes a security incident as “an attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.”

OCR has taken the opportunity to remind covered entities that they need to prepare for those incidents. Policies and procedures should be developed that kick into action immediately following the discovery of a security incident or data breach.

If covered entities react quickly to security incidents and data breaches it is possible to minimize the impact and reduce legal liability and operational and reputational harm. Contingency plans should exist for a range of security incidents and emergency situations. OCR says “policies, procedures, and plans should provide a roadmap for implementing the entity’s incident response capabilities.”

When a breach occurs, the HIPAA Breach Notification Rule must be followed. The rule defines a breach (45 CFR 164.402) as “an impermissible acquisition, access, use, or disclosure under the HIPAA Privacy Rule that compromises the security or privacy of the protected health information,” and requires OCR and the affected individuals to be notified when one occurs.

Each month, Databreaches.net tracks healthcare data breach incidents, with the Protenus Breach Barometer report showing the time taken for covered entities to report their breaches to OCR. The past few reports show some improvement, with covered entities reporting their breaches more promptly. That said, there have been several cases where data breach notifications have been submitted late and patients have had their notification letters delayed.

OCR reminds covered entities that the HIPAA deadline for reporting security incidents and sending notifications to patients/health plan members is 60 days* from the discovery of the breach.

This is a deadline, not a recommendation. Many covered entities delay issuing notifications until day 59. OCR points out that the HIPAA Breach Notification Rule requires notifications to be issued “without unreasonable delay”, and in no case later than 60 days after discovery.

If you missed the email newsletter, you can download a copy on this link: https://www.hhs.gov/sites/default/files/may-2017-ocr-cyber-newsletter.pdf

*Breaches impacting fewer than 500 individuals can be reported to OCR annually, with the deadline 60 days after the end of the calendar year in which the breach was discovered. Breaches impacting 500 or more individuals must be reported to OCR within 60 days of the discovery of the breach. Individuals must be notified of a breach of PHI or ePHI within 60 days of the discovery of the breach, regardless of how many individuals have been impacted.

The post OCR Reminds Covered Entities of Security Incident Definition and Notification Requirements appeared first on HIPAA Journal.

How Secure Is Your Laptop?


If your laptop has access to confidential patient information, it makes sense to have your i’s dotted and your t’s crossed when it comes to laptop security. MSPmentor reported this week that a Pennsylvania provider was fined $2.5 million after a laptop containing patient information was stolen and hacked into, causing its second data breach. The first breach occurred in 2012, and little information was released about it. Make sure your IT security team is doing everything it can to protect all of your patients’ data on all of your devices. For the full article, visit MSP Mentor’s website.

For daily HIPAA news, visit our HIPAA News sidebar at https://hipaanews.net

If you would like to receive an email update every time HIPAA News posts a blog, sign up on our website at https://hipaanews.net

OCR Settlement Highlights Importance of Obtaining Signed Business Associate Agreements

The Department of Health and Human Services’ Office for Civil Rights has sent another warning to HIPAA-covered entities about the need to obtain signed, HIPAA-compliant business associate agreements with all vendors prior to disclosing any protected health information.

Yesterday, OCR announced it has agreed to settle potential violations of the Health Insurance Portability and Accountability Act with The Center for Children’s Digestive Health (CCDH); a small 7-center pediatric subspecialty practice based in Park Ridge, Illinois.

On August 13, 2015, OCR conducted a HIPAA compliance review of CCDH following an investigation of FileFax Inc., which was contracted by CCDH to store inactive patient records. The FileFax investigation revealed the company had not signed a business associate agreement prior to being provided with patients’ PHI.

The subsequent compliance review of CCDH similarly revealed that no signed business associate agreement existed. CCDH had therefore impermissibly disclosed patients’ PHI to FileFax in violation of HIPAA Rules.

CCDH had provided paper records relating to 10,728 patients without officially advising FileFax, by means of a BAA, of the firm’s responsibilities to safeguard patients’ data. CCDH also received no HIPAA-compliant assurances that appropriate safeguards had been implemented to ensure the confidentiality, integrity, and availability of PHI prior to the disclosure.

FileFax had been storing documents containing the PHI of patients of CCDH since 2003, yet the earliest business associate agreement produced by CCDH and FileFax was dated October 12, 2015.

CCDH has agreed to pay OCR $31,000 to resolve the potential HIPAA violations and will adopt a corrective action plan that involves updating policies and procedures, conducting staff training on those policies and procedures and ensuring one or more employees are made responsible for ensuring HIPAA-compliant business associate agreements are obtained from all business associates.

HIPAA-covered entities are permitted to disclose the PHI of patients to their business associates; however, before any PHI is disclosed, the covered entity must enter into a contract with the business associate. The contract must explain the responsibilities the business associate has to ensure PHI is secured and that safeguards are implemented to prevent unauthorized disclosures. The business associate must also be advised of the permitted uses and disclosures of PHI and must agree not to use or further disclose PHI other than as permitted or required by the contract or as required by law.

The business associate must also agree to report to the covered entity any use or disclosure of PHI not provided for by the contract, including breaches of unsecured PHI and security incidents, along with the timescale for doing so. The business associate must also be advised that a failure to comply with HIPAA Rules can result in financial penalties.

Further information on the HIPAA requirements for business associate agreements is available from OCR.

2017 HIPAA Settlements

Last year, OCR issued one civil monetary penalty and agreed 12 settlements with covered entities to resolve potential HIPAA violations, more than in any other year since the HIPAA Enforcement Rule was introduced.

This year looks set to see even more HIPAA enforcement actions. The Center for Children’s Digestive Health settlement is the sixth financial penalty in less than four months, bringing the total amount of HIPAA fines in 2017 to $11,806,000. The other HIPAA settlements agreed between OCR and covered entities in 2017 are:

  • Metro Community Provider Network – $400,000
  • Memorial Healthcare System – $5.5 million
  • Children’s Medical Center of Dallas – $3.2 million
  • MAPFRE Life Insurance Company of Puerto Rico – $2.2 million
  • Presence Health – $475,000

The post OCR Settlement Highlights Importance of Obtaining Signed Business Associate Agreements appeared first on HIPAA Journal.

$400,000 HIPAA Breach Penalty In Denver, Colorado

MSP Mentor recently posted an article stating that a network of public health clinics in Denver, Colorado, has been fined $400,000 following a HIPAA data breach. The breach was the result of a phishing attack that gave an attacker access to employee email accounts containing the electronic health records of over 3,000 patients.

“Investigators from the U.S. Department of Health and Human Services Office of Civil Rights (OCR) found that MCPN violated the HIPAA Security Rule by failing to do proper risk assessments or implement adequate cybersecurity measures and procedures.” To view the entire article, visit MSP Mentor’s website.


$400,000 HIPAA Penalty Agreed with Denver FQHC for Security Management Process Failures

The Department of Health and Human Services’ Office for Civil Rights (OCR) has taken action against a Denver, CO-based federally-qualified health center (FQHC) for security management process failures that contributed to the organization experiencing a data breach in 2011.

Metro Community Provider Network (MCPN) has agreed to pay OCR $400,000 and adopt a robust corrective action plan to resolve all HIPAA compliance issues identified during the OCR investigation.

The incident that triggered the OCR investigation was a phishing attack that occurred on December 5, 2011. A hacker sent phishing emails to MCPN personnel, and the responses enabled that individual to gain access to employees’ email accounts. Those accounts contained the electronic protected health information of 3,200 patients.

OCR investigates all breaches of 500 or more patient records to determine whether healthcare organizations have experienced a breach as a direct result of violations of HIPAA Rules. OCR notes that MCPN took the necessary action following the breach to prevent further phishing attacks from being successful; however, OCR investigators uncovered multiple violations of HIPAA Rules.

Phishing attacks on healthcare organizations are to be expected and it would be unreasonable to expect healthcare organizations to be able to reduce the risk of a successful phishing attack to zero. However, HIPAA-covered entities must take steps to identify potential risks and to take action to reduce risks to an appropriate level.

One of the fundamental elements of the HIPAA Security Rule is the risk analysis. The purpose of the risk analysis is to identify risks to the confidentiality, integrity, and availability of electronic protected health information. If a risk analysis is not conducted, HIPAA-covered entities will not be able to determine with any degree of certainty whether all risks have been identified. Appropriate measures to reduce those risks to acceptable levels would therefore be unlikely to be implemented.

While OCR confirmed that MCPN had conducted a risk analysis, it had not been performed until mid-February 2012, more than two months after the phishing attack had occurred. Further, that risk analysis and all subsequent risk analyses performed by MCPN did not meet the minimum requirements of the HIPAA Security Rule.

The lack of an adequate risk analysis meant MCPN failed to identify all risks and vulnerabilities to the confidentiality, integrity, and availability of the ePHI that the organization held. MCPN also failed to implement a risk management plan to address the risks identified in the risk analysis.

OCR also determined that MCPN had failed to implement appropriate security measures to reduce risks to a reasonable and acceptable level and policies and procedures to prevent, detect, contain, and correct security violations had also not been implemented.

When deciding an appropriate settlement, OCR took into consideration MCPN’s status as an FQHC and its financial position, to ensure MCPN could maintain sufficient financial standing to continue to provide ongoing patient care. The HIPAA settlement could have been considerably higher.

This is the first HIPAA settlement announced since the appointment of Roger Severino as Director of OCR. Severino issued a statement about the settlement explaining “Patients seeking health care trust that their providers will safeguard and protect their health information…Compliance with the HIPAA Security Rule helps covered entities meet this important obligation to their patient communities.”

This is the fifth HIPAA settlement of 2017. OCR has previously agreed to settle potential violations of the Health Insurance Portability and Accountability Act with the following HIPAA-covered entities in 2017:

  • Memorial Healthcare System – $5.5 million
  • Children’s Medical Center of Dallas – $3.2 million
  • MAPFRE Life Insurance Company of Puerto Rico – $2.2 million
  • Presence Health – $475,000

The post $400,000 HIPAA Penalty Agreed with Denver FQHC for Security Management Process Failures appeared first on HIPAA Journal.