HIPAA News

Hurricane Florence: OCR Issues Guidance on Appropriate Sharing of Health Information

On Wednesday, September 12, 2018, President Trump approved a request for a federal emergency declaration in the state of Virginia and made FEMA resources available for the state.

The Secretary of the U.S. Department of Health and Human Services, Alex Azar, has also declared a Public Health Emergency in Virginia, North Carolina, and South Carolina.

The Secretarial declaration eases certain HIPAA restrictions and helps Centers for Medicare & Medicaid Services’ (CMS) beneficiaries and their healthcare providers prepare for the possible impact of Hurricane Florence and provides greater flexibility to meet emergency health needs.

During severe disasters and public emergencies healthcare providers face increased challenges and may struggle to continue to meet all requirements of the HIPAA Privacy Rule.

In emergency situations, such as during hurricanes, the HIPAA Privacy Rule still applies; however, Alex Azar’s declaration of a Public Health Emergency means certain provisions of the Privacy Rule have been relaxed under the Project Bioshield Act of 2004 (PL 108-276) and section 1135(b) of the Social Security Act.

During the period of the Public Health Emergency, sanctions and penalties against healthcare providers are waived for the following provisions of the HIPAA Privacy Rule.

  • 45 CFR 164.510(b) – The requirement to obtain authorization from a patient to speak with family members or friends involved in the patient’s care
  • 45 CFR 164.510(a) – The requirement to honor requests to opt out of the facility directory
  • 45 CFR 164.520 – The requirement to distribute a notice of privacy practices
  • 45 CFR 164.522(a) – The patient’s right to request privacy restrictions
  • 45 CFR 164.522(b) – The patient’s right to request confidential communications

Sanctions and penalties for healthcare organizations have not been waived for all other requirements of the HIPAA Privacy, Security, and Breach Notification Rules.

The waiver only exists in the areas covered by the public health emergency declaration for the period identified in the declaration, and only when hospitals have initiated their disaster protocol. The waiver only lasts for 72 hours following the declaration of the emergency.

When the Presidential or Secretarial declaration terminates, the waiver no longer applies, even to those patients still in the care of a hospital and even if the 72-hour time period has not elapsed.

The HHS’ Office for Civil Rights has responded to the declaration by issuing guidance on appropriate sharing of health information in emergency situations, confirming how the HIPAA Privacy Rule applies to healthcare providers in the disaster emergency zone.

OCR has also made a HIPAA Emergency Preparedness Decision Tool available to help healthcare providers determine how the HIPAA Privacy Rule applies.

The post Hurricane Florence: OCR Issues Guidance on Appropriate Sharing of Health Information appeared first on HIPAA Journal.

HHS Secretary Alex Azar Promises Reforms to Federal Health Privacy Rules

At a July 27 address at The Heritage Foundation, Secretary of the Department of Health and Human Services (HHS), Alex Azar, explained that the HHS will be undertaking several updates to health privacy regulations over the coming months, including updates to the Health Insurance Portability and Accountability Act (HIPAA) and 45 CFR Part 2 (Part 2) regulations.

The process is expected to commence in the next couple of months. Requests for information on HIPAA and Part 2 will be issued, following which action will be taken to reform both sets of rules to remove obstacles to value-based care and support efforts to combat the opioid crisis. Rule changes are also going to be made to remove some of the barriers to data sharing which are currently hampering efforts by healthcare providers to expand the use of electronic health technology.

These requests for information are part of a comprehensive review of current regulations that are hampering the ability of doctors, hospitals, and payers to improve the quality healthcare services and coordination of care while helping to reduce healthcare costs.

That process has already commenced with the Centers for Medicare & Medicaid Services (CMS) already having proposed one of the most fundamental changes to Medicare in recent years – A change to how physicians are paid for basic evaluation visits.

At present there are currently five tiers of payments for visits, with payments increasing for visits of increasing complexity. While this system makes sense, in practice in involves a considerable administrative burden on physicians, requiring them to justify why they are claiming for a visit at a higher tier. The CMS has proposed reducing the five tiers to two. That simple change is expected to save physicians more than 50 hours a year – more than a week’s work – with that time able to be diverted to providing better care to patients.

The CMS has also submitted a request for information of issues with Stark’s Law, which prevents physicians from referring patients to other physicians/practices with which they have a financial relationship, except in certain situations. Requests for information on HIPAA, Part 2, and the Anti-Kickback Statute will follow.

Healthcare providers that wish to voice their concerns about issues with HIPAA, Part 2, and the Anti-Kickback Statute should consider preparing comments and suggestions for policy updates to address those issues, ready for submission when the HHS issues its requests for information.

The post HHS Secretary Alex Azar Promises Reforms to Federal Health Privacy Rules appeared first on HIPAA Journal.

Investigation Launched Over Snapchat Photo Sharing at M.M. Ewing Continuing Care Center

Employees of a Canandaigua, NY nursing home have been using their smartphones to take and share images and videos of at least one resident and share the content with others via Snapchat – a violation of HIPAA and a serious violation of patient privacy.

The privacy breaches occurred at Thompson Health’s M.M. Ewing Continuing Care Center and involved multiple employees. Thompson Health has already taken action and has fired several workers over the violations. Now the New York Department of Health and the state attorney general’s office have got involved and are conducting investigations.

The state attorney general’s Deputy Press Secretary, Rachel Shippee confirmed to the Daily Messenger that an investigation has been launched, confirming “The Medicaid Fraud Control Unit’s mission includes the protection of nursing home residents from abuse, neglect and mistreatment, including acts that violate a resident’s rights to dignity and privacy.”

Thompson Health does not believe the images/videos were shared publicly and sharing was restricted to a group of employees at the care center. Thompson Health is contacting the families of the residents impacted by the breach to offer an apology.

This is not the first time that Thomson Health has discovered an employee had taken pictures and videos without people’s knowledge. In January, a camera was discovered in a unisex bathroom at Thompson Hospital. When the camera was taken down it was discovered that the memory card had been removed. The matter was reported to law enforcement although the employee responsible has not been identified.

M.M. Ewing Continuing Care Center is far from the only nursing home to discover that residents have been photographed and videoed without consent with videos and images shared on social media networks.

An investigation into the sharing of images of abuse of nursing home residents was launched by ProPublica in 2015. The investigation revealed the practice was commonplace, with several nursing home employees discovered to have performed similar acts. The investigation revealed there had been 22 cases of photo sharing on Snapchat and other social media platforms and 35 cases in total since 2012.

More recently, a nursing assistant at the Parkside Manor assisted-living facility in Kenosha, WI., was discovered to have taken photos of an Alzheimer’s patient and posted the images of SnapChat. When the violation was discovered, the nursing assistant was fired for the HIPAA breach.

The high number of cases involving these types of HIPAA violations prompted the CMS to take action in 2016. The CMS sent a memo to state health departments reminding them of their responsibilities to ensure nursing home residents were not subjected to any form of abuse, including mental abuse such as the taking of demeaning and degrading photos and videos and having the multimedia content shared on social media networks.

The post Investigation Launched Over Snapchat Photo Sharing at M.M. Ewing Continuing Care Center appeared first on HIPAA Journal.

Unencrypted Hospital Pager Messages Intercepted and Viewed by Radio Hobbyist

Many healthcare organizations have now transitioned to secure messaging systems and have retired their outdated pager systems.

Healthcare organizations that have not yet made the switch to secure text messaging platforms should take note of a recent security breach that saw pages from multiple hospitals intercepted by a ‘radio hobbyist’ in Missouri.

Intercepting pages using software defined radio (SDR) is nothing new. There are various websites that explain how the SDR can be used and its capabilities, including the interception of private communications. The risk of PHI being obtained by hackers using this tactic has been well documented.  All that is required is some easily obtained hardware that can be bought for around $30, a computer, and some free software.

In this case, an IT worker from Johnson County, MO purchased an antenna and connected it to his laptop in order to pick up TV channels. However, he discovered he could pick up much more. By accident, he intercepted pages sent by physicians at several hospitals. The man told the Kansas City Star he intercepted pages containing highly sensitive information including the page below:

“RQSTD RTM: (patient’s name) 19 M Origin Unit: EDOF Admitting: (doctor’s name) Level of Care: 1st Avail Medical Diagnosis: TONSILAR BLEED, ANEMIA, THROMBOCYTOPENIA”

It was not necessary to be in close vicinity of a hospital to intercept the pages and view PHI. Pages were picked up from hospitals and medical centers in Blue Springs, MO; Harrisonville, MO; Liberty, MO; Kansas City, KS; Wichita, KS; and even hospitals further away in Kentucky and Michigan.

Reporters from the Kansas City Star made contact with several of the patients whose information was exposed to confirm the information was correct. Understandably, the patients were shocked to find out that their sensitive information had been obtained by unauthorized individuals, as were the hospitals.

While not all hospitals responded, some of those that did said they are working with their vendors to correct the problem to ensure that pages cannot be intercepted in the future.

Intercepting pages is illegal under the Electronic Communications Protection Act, although hacking healthcare networks or conducting phishing campaigns to obtain protected health information is similarly illegal, yet that does not stop hackers.

HIPAA-covered entities should take note of the recent privacy violations and should consider implementing a secure messaging solution in place of pagers; however, in the meantime they should contact their vendors and explore the options for encrypting pages to prevent ePHI from being intercepted.

The post Unencrypted Hospital Pager Messages Intercepted and Viewed by Radio Hobbyist appeared first on HIPAA Journal.

Overdose Prevention and Patient Safety Act Passed by House

The Overdose Prevention and Patient Safety Act – H.R. 6082 – aims to ease restrictions on the sharing of health records of patients with addictions, aligning 42 CFR Part 2 – Confidentiality of Substance Use Disorder Patient Records – with HIPAA.

Currently, 42 CFR Part 2 only permits the disclosure of health records of patients with substance abuse disorder without written consent to medical staff in emergency situations, to specified individuals for research and program evaluations, or if required to do so by means of a court order.

Under current regulations, a special release form must be signed by a patient authorizing the inclusion of substance abuse disorder information in their medical record.

Preventing doctors from having access to a patient’s entire medical history means decisions could be taken without full understanding of their potential consequences. If details of substance abuse disorder can be accessed, doctors will be able to make more informed decisions which will help them to safely and effectively treat patients.

The Overdose Prevention and Patient Safety Act allows the health records of substance abuse disorder patients to be disclosed without written consent from patients for the purposes of treatment, payment, and healthcare operations, aligning with the HIPAA Privacy Rule.

Additionally, the criminal penalties for violations involving substance abuse disorder records would align with the penalty structure of HIPAA and would not be treated separately.

Privacy protections are also enhanced for patients, which will prohibit the use of SUD information in criminal and civil prosecution cases, will protect against discrimination by prohibiting the sharing of substance abuse discover information with employers and landlords, and would require notifications to be issued in the event of the breach of that information in line with the requirements of the HITECT Act.

The House passed the Overdose Prevention and Patient Safety Act with a vote of 357-57. The Act will now go to the senate chamber for consideration.

The post Overdose Prevention and Patient Safety Act Passed by House appeared first on HIPAA Journal.

OCR Announces $4.3 Million Civil Monetary Penalty for University of Texas MD Anderson Cancer Center

The Department of Health and Human Services’ Office for Civil Rights has announced its fourth largest HIPAA violation penalty has been issued to The University of Texas MD Anderson Cancer Center (MD Anderson). MD Anderson has been ordered to pay $4,348,000 in civil monetary penalties to resolve the HIPAA violations related to three data breaches experienced in 2012 and 2013.

MD Anderson is an academic institution and a cancer treatment and research center based at the Texas Medical Center in Houston, TX. Following the submission of three breach reports in 2012 and 2013, OCR launched an investigation to determine whether the breaches were caused as a result of MD Anderson having failed to comply with HIPAA Rules.

The breaches in question were the theft of an unencrypted laptop computer from the home of an MD Anderson employee and the loss of two unencrypted USB thumb drives, each of which contained the electronic protected health information (ePHI) of its patients. In total, the PHI of 34,883 patients was exposed and could potentially have been viewed by unauthorized individuals.

The investigation revealed that MD Anderson had conducted a risk analysis, as is required by HIPAA. That risk analysis revealed the use of unencrypted devices posed a serious threat to the confidentiality, integrity, and availability of ePHI. To address the risk, in 2006 MD Anderson developed policies that required all portable storage devices to be encrypted.

However, even though policies called for the use of encryption, encryption was not implemented until March 24, 2011. When encryption was implemented, it was not implemented on all portable devices in its inventory. MD Anderson reported to OCR that by January 25, 2013, it had only encrypted 98% of its computers. If MD Anderson had implemented encryption on all portable electronic devices containing ePHI, the three breaches would have been prevented.

Preventable Data Breaches Experienced by MD Anderson

The laptop was stolen from the home of Dr. Randall Millikan on April 30, 2012. Dr. Millikan confirmed that the ePHI on the device were not encrypted, the laptop was not password protected, and the ePHI could potentially have been viewed by family members at his home as a result, as well as by the individual who stole the laptop.

The USB devices were lost on or around July 12, 2012 and December 2, 2013. The first contained an Excel file containing the ePHI of 2,264 individuals. The device was lost by a summer intern on her way home from work. The second USB drive was lost by a visiting researcher from Brazil at some point over the Thanksgiving weekend. The device was usually left in the tray on her desk. Neither device was encrypted or password protected.

Between 2010 and 2011, MD Anderson’s Information Security Program and Annual Reports stated clearly that the storage of ePHI on mobile media was a key risk area that had not yet been mitigated, which was also detailed in its risk analysis for fiscal year 2011. That risk analysis determined that employees were downloading ePHI onto portable storage devices for use outside the institution. The failure to address the risk was a violation of 45 C.F.R. § 164.312(a)(2)(iv) and its own policies.

Penalties for HIPAA Violations

When financial penalties are deemed appropriate, OCR usually negotiates with the covered entity and a settlement is agreed; however, MD Anderson disagreed with OCR’s decision and maintained the financial penalty was unreasonable. Specifically, MD Anderson claimed that it was not obligated to use encryption as the data on the devices were used for research purposes, and that the research was not subject to HIPAA’s nondisclosure requirements. A covered entity has the right to contest penalties for HIPAA violations. Consequently, the matter was referred to an Administrative Law Judge.

OCR proposed penalties for HIPAA violations under the tier of ‘reasonable cause’. OCR wrote in its Notice of Proposed Determination, “Reasonable cause is “an act or omission in which a covered entity or business associate knew, or by exercising reasonable diligence would have known, that the act or omission violated an administrative simplification provision, but in which the covered entity or business associate did not act with willful neglect.”

The penalty amounts in such cases are a minimum of $1,000 for each violation up to a maximum of $1.5 million per calendar year.

 

Penalty Structure for HIPAA Violations

OCR determined penalties were appropriate for calendar year 2011 (283 days from March 24 to December 31), calendar year 2012 (366 days from January 1 to December 31) and calendar year 2013 (25 days from January 1 to January 25), and applied the maximum penalty of $1.5 million for each of those calendar years.

Administrative Law Judge Steven T. Kessell granted summary judgement in favor of OCR to remedy MD Anderson’s noncompliance with 45 C.F.R. § 164.312(a) – Technical Safeguards; encryption – and 45 C.F.R. § 164.502(a) – Uses and Disclosure of PHI; impermissible disclosure of ePHI.

“OCR is serious about protecting health information privacy and will pursue litigation, if necessary, to hold entities responsible for HIPAA violations,” said OCR Director Roger Severino. “We are pleased that the judge upheld our imposition of penalties because it underscores the risks entities take if they fail to implement effective safeguards, such as data encryption, when required to protect sensitive patient information.”

The post OCR Announces $4.3 Million Civil Monetary Penalty for University of Texas MD Anderson Cancer Center appeared first on HIPAA Journal.

OCR Encourages Healthcare Organizations to Conduct a Gap Analysis

In its April 2018 cybersecurity newsletter, OCR draws attention to the benefits of performing a gap analysis in addition to a risk analysis. The latter is required to identify risks and vulnerabilities that could potentially be exploited to gain access to ePHI, while a gap analysis helps healthcare organizations and their business associates determine the extent to which an entity is compliant with specific elements of the HIPAA Security Rule.

The Risk Analysis

HIPAA requires covered entities and their business associates to perform a comprehensive, organization-wide risk analysis to identify all potential risks to the confidentiality, integrity, and availability of ePHI – 45 CFR § 164.308(a)(1)(ii)(A).

If a risk analysis is not performed, healthcare organizations cannot be certain that all potential vulnerabilities have been identified. Vulnerabilities would likely remain that could be exploited by threat actors to gain access to ePHI.

While HIPAA does not specify the methodology that should be used when conducting risk analyses, OCR explained in its newsletter that risk analyses must contain certain elements:

  • A comprehensive assessment of all risks to all ePHI, regardless of where the data is created, received, maintained, or transmitted, or the source or location of ePHI.
  • All locations and information systems where ePHI is created, received, maintained, or transmitted must be included in the risk analysis, so an inventory should be created that includes all applications, mobile devices, communications equipment, electronic media, networks, and physical locations in addition to workstations, servers, and EHRs.
  • The risk analysis should cover technical and non-technical vulnerabilities, the latter includes policies and procedures, with the former concerned with software flaws, weaknesses in IT systems, and misconfigured information systems and security solutions.
  • The effectiveness of current controls must be assessed and documented, including all security solutions such as AV software, endpoint protection systems, encryption software, and the implementation of patch management processes.
  • The likelihood that a specific threat will exploit a vulnerability and the impact should a vulnerability be exploited must be assessed and documented.
  • The level of risk should be determined for any specific threat or vulnerability. With a risk level assigned, it will be easier to determine the main priorities when mitigating risks through the risk management process.
  • The risk analysis must be documented in sufficient detail to demonstrate that a comprehensive, organization-wide risk analysis has been conducted, and that the risk analysis was accurate and covered all locations, devices, applications, policies, and procedures involving ePHI. OCR will request this documentation in the event of an investigation or compliance audit.
  • A risk analysis is not a one-time event to ensure compliance with the HIPAA Security Rule – It must part of an ongoing process for continued compliance. The process must be regularly reviewed and updated, and risk analyses should be performed regularly. HIPAA does not stipulate how frequently a full or partial risk analysis should be performed. OCR suggests risk analyses are most effective when integrated into business processes.

Once a risk analysis has been performed, all risks and vulnerabilities identified must be addressed through a HIPAA-compliant security risk management process – 45 CFR § 164.308(a)(1)(ii)(B) – to reduce those risks to a reasonable and appropriate level.

Guidance on conducting an organization-wide risk analysis can be found on this link (HHS)

The Gap Analysis

A gap analysis is not a requirement of HIPAA Rules, although it can help healthcare organizations confirm that the requirements of the HIPAA Security Rule have been satisfied.

A gap analysis can be used as a partial assessment of an organizations compliance efforts or could cover all provisions of the HIPAA Security Rule.  Several gap analyses could be performed, each assessing a different set of standards and implementation specifications of the HIPAA Security Rule.

The gap analysis can give HIPAA-covered entities and their business associates an overall view of their compliance efforts, can help them discover areas where they are yet compliant with HIPAA Rules, and identify any gaps in the controls that have already been implemented.

Note that a gap analysis is not equivalent to a risk analysis, as it does not cover all possible risk to the confidentiality, integrity, and availability of ePHI as required by 45 C.F.R. §164.308(a)(1)(ii)(A).

OCR offers the following example of a simple gap analysis:

Source: OCR

The post OCR Encourages Healthcare Organizations to Conduct a Gap Analysis appeared first on HIPAA Journal.

Former Berkeley Medical Center Worker Gets 5 Years’ Probation for Identity Theft

In federal court on Monday, Chief U.S. District Judge Gina M. Groh sentenced a former Berkeley Medical Center worker to 5 years’ probation for her role in an identity theft scam. In addition to probation, Angela Dawn Roberts, 42, of Stephenson, VA, must pay $22,000 in restitution.

Angela Dawn Roberts, also known as Angela Dawn Lee, had been working for WVU University Healthcare since 2014.

Roberts was employed to schedule appointments for patients at two medical centers – Berkeley Medical Center and Jefferson Medical Center – which provided her with access to patients’ protected health information.

Roberts copied sensitive information onto paper, including names, birth dates, and Social Security numbers, and in some cases printed copies of identity documents.

On January 19, 2017, Roberts was suspended following an internal investigation into data theft which was alleged to have occurred on June 27, 2016.

She was fired on January 27, 2017 and was prosecuted for stealing patient health information. Approximately 7,000 patients whose information was accessed by Roberts were notified of the risk of identity theft and fraud as a precaution.

Angela Dawn Roberts admitted stealing the protected health information of 10 patients and pleaded guilty to one count of identity theft. The plea agreement was filed in July.

The stolen information was passed to her co-defendant, Ajarhi Savimbi Roberts. Ajarhi Savimbi Roberts was charged with bank fraud in a 36-count indictment. He pleaded guilty and is scheduled to be sentenced on May 21.

The post Former Berkeley Medical Center Worker Gets 5 Years’ Probation for Identity Theft appeared first on HIPAA Journal.

Virtua Medical Group Fined $418,000 for Violations of HIPAA and New Jersey Law

Virtua Medical Group – A network of physicians affiliated to over 50 medical practices in New Jersey – has been financially penalized by the New Jersey Attorney General’s Office for failing to protect the privacy of more than 1,650 patients whose medical information was accessible online without the need for any authentication.

The electronic protected health information was exposed as a result of a misconfigured server. The error occurred at a business associate of the medical group – Best Medical Transcription – which had been provided with audio files to transcribe medical notes.

Best Medical Transcription was contracted to transcribe dictations of medical notes, reports, and letters from three New Jersey medical practices: Virtua Pain and Spine Specialists in Voorhees, Virtua Gynecological Oncology Specialists, and Virtua Surgical Group in Hainesport.

The transcribed notes were uploaded to a password-protected FTP website; however, in January 2016 during a software upgrade on the FTP server, the password protection was accidentally removed allowing patient data to be accessed by anyone without the need for authentication.

Further, the content of the FTP server was indexed by search engines and could be found by typing in search terms contained in the notes. For example, typing in a patient’s name would allow the information to be found, which happened on at least one occasion. A patient found portions of her medical records online after performing a Google search.

The types of information exposed included names, medical diagnoses, and prescriptions of as many as 1,654 patients who had previously received medical services at one of the three medical centers.

When the privacy breach was discovered, Best Medical Transcription reinstated the password protection on the FTP server, although caches of the information remained accessible online and could still be found by performing a Google search.  The password was reinstated on January 15, 2016, although a week later, Virtua Medical Group received a call from a patient whose daughter’s medical records were still accessible online.

At that point, while Best Medical Transcription was aware of the lack of password and a potential breach, it had not notified Virtua Medical Group that data had been exposed. The investigation by Virtua Medical Group revealed 462 patients’ records had been indexed by the search engines. Virtua Medical Group submitted individual requests to Google to have the information taken down and patients were notified about the breach in March.

An investigation into the breach by the New Jersey Division of Consumer Affairs revealed there had been multiple failures to comply with Health Insurance Portability and Accountability Act (HIPAA) requirements. While the breach affected a business associate of Virtua Medical Group, it was the medical group that was penalized.

The Division of Consumer Affairs alleged there had been a failure to conduct a comprehensive risk analysis to identify threats to the confidentiality, integrity, and availability of ePHI and insufficient security protections had been implemented to reduce risk.

A security awareness and training program had not been implemented for the entire workforce, there were unacceptable delays in identifying and responding to the breach, no procedures had been established and implemented to create retrievable exact copies of the ePHI maintained on the FTP site, no written log of the number of times the FTP site was accessed had been maintained, and there had been an impermissible disclosure of patients’ ePHI.

Those errors and oversights constituted violations of the HIPAA Privacy and Security Rules and the New Jersey Consumer Fraud Act.

In addition to the financial penalty of $407,184 and $10,632 to reimburse attorney’s fees and investigation costs, Virtua Medical Group has agreed to implement a robust corrective action plan which includes hiring a third-party security professional to perform a comprehensive risk analysis relating to the storage, transmission and receipt of ePHI and to perform further risk assessments every two years.

The post Virtua Medical Group Fined $418,000 for Violations of HIPAA and New Jersey Law appeared first on HIPAA Journal.