OCR Announces $4.3 Million Civil Monetary Penalty for University of Texas MD Anderson Cancer Center

The Department of Health and Human Services’ Office for Civil Rights has announced its fourth largest HIPAA violation penalty has been issued to The University of Texas MD Anderson Cancer Center (MD Anderson). MD Anderson has been ordered to pay $4,348,000 in civil monetary penalties to resolve the HIPAA violations related to three data breaches experienced in 2012 and 2013.

MD Anderson is an academic institution and a cancer treatment and research center based at the Texas Medical Center in Houston, TX. Following the submission of three breach reports in 2012 and 2013, OCR launched an investigation to determine whether the breaches were caused as a result of MD Anderson having failed to comply with HIPAA Rules.

The breaches in question were the theft of an unencrypted laptop computer from the home of an MD Anderson employee and the loss of two unencrypted USB thumb drives, each of which contained the electronic protected health information (ePHI) of its patients. In total, the PHI of 34,883 patients was exposed and could potentially have been viewed by unauthorized individuals.

The investigation revealed that MD Anderson had conducted a risk analysis, as is required by HIPAA. That risk analysis revealed the use of unencrypted devices posed a serious threat to the confidentiality, integrity, and availability of ePHI. To address the risk, in 2006 MD Anderson developed policies that required all portable storage devices to be encrypted.

However, even though policies called for the use of encryption, encryption was not implemented until March 24, 2011. When encryption was implemented, it was not implemented on all portable devices in its inventory. MD Anderson reported to OCR that by January 25, 2013, it had only encrypted 98% of its computers. If MD Anderson had implemented encryption on all portable electronic devices containing ePHI, the three breaches would have been prevented.

Preventable Data Breaches Experienced by MD Anderson

The laptop was stolen from the home of Dr. Randall Millikan on April 30, 2012. Dr. Millikan confirmed that the ePHI on the device were not encrypted, the laptop was not password protected, and the ePHI could potentially have been viewed by family members at his home as a result, as well as by the individual who stole the laptop.

The USB devices were lost on or around July 12, 2012 and December 2, 2013. The first contained an Excel file containing the ePHI of 2,264 individuals. The device was lost by a summer intern on her way home from work. The second USB drive was lost by a visiting researcher from Brazil at some point over the Thanksgiving weekend. The device was usually left in the tray on her desk. Neither device was encrypted or password protected.

Between 2010 and 2011, MD Anderson’s Information Security Program and Annual Reports stated clearly that the storage of ePHI on mobile media was a key risk area that had not yet been mitigated, which was also detailed in its risk analysis for fiscal year 2011. That risk analysis determined that employees were downloading ePHI onto portable storage devices for use outside the institution. The failure to address the risk was a violation of 45 C.F.R. § 164.312(a)(2)(iv) and its own policies.

Penalties for HIPAA Violations

When financial penalties are deemed appropriate, OCR usually negotiates with the covered entity and a settlement is agreed; however, MD Anderson disagreed with OCR’s decision and maintained the financial penalty was unreasonable. Specifically, MD Anderson claimed that it was not obligated to use encryption as the data on the devices were used for research purposes, and that the research was not subject to HIPAA’s nondisclosure requirements. A covered entity has the right to contest penalties for HIPAA violations. Consequently, the matter was referred to an Administrative Law Judge.

OCR proposed penalties for HIPAA violations under the tier of ‘reasonable cause’. OCR wrote in its Notice of Proposed Determination, “Reasonable cause is “an act or omission in which a covered entity or business associate knew, or by exercising reasonable diligence would have known, that the act or omission violated an administrative simplification provision, but in which the covered entity or business associate did not act with willful neglect.”

The penalty amounts in such cases are a minimum of $1,000 for each violation up to a maximum of $1.5 million per calendar year.


Penalty Structure for HIPAA Violations

OCR determined penalties were appropriate for calendar year 2011 (283 days from March 24 to December 31), calendar year 2012 (366 days from January 1 to December 31) and calendar year 2013 (25 days from January 1 to January 25), and applied the maximum penalty of $1.5 million for each of those calendar years.

Administrative Law Judge Steven T. Kessell granted summary judgement in favor of OCR to remedy MD Anderson’s noncompliance with 45 C.F.R. § 164.312(a) – Technical Safeguards; encryption – and 45 C.F.R. § 164.502(a) – Uses and Disclosure of PHI; impermissible disclosure of ePHI.

“OCR is serious about protecting health information privacy and will pursue litigation, if necessary, to hold entities responsible for HIPAA violations,” said OCR Director Roger Severino. “We are pleased that the judge upheld our imposition of penalties because it underscores the risks entities take if they fail to implement effective safeguards, such as data encryption, when required to protect sensitive patient information.”

The post OCR Announces $4.3 Million Civil Monetary Penalty for University of Texas MD Anderson Cancer Center appeared first on HIPAA Journal.

The HIPAA Conduit Exception Rule and Transmission of PHI

The HIPAA Conduit Exception Rule is a source of confusion for many HIPAA covered entities, but it is essential that this aspect of HIPAA is understood. Failure to correctly classify a service provider as a conduit or a business associate could see HIPAA Rules violated and a significant financial penalty issued for noncompliance.

The HIPAA Omnibus Final Rule and Business Associates

On January 25, 2013, the HIPAA Omnibus Final Rule was issued. The HIPAA Omnibus Final Rule introduced a swathe of updates to HIPAA Rules, including the incorporation of the Health Information Technology for Economic and Clinical Health (HITECH) Act.

HIPAA Omnibus Final Rule included an update to the definition of a business associate. Prior to January 25, 2013, a business associate was a person or entity that creates, receives, or transmits protected health information (PHI) on behalf of a covered entity. The Omnibus rule added ‘maintains’ to that definition. That meant companies that store electronic information – or physical records – are considered business associates. The Omnibus Rule also confirmed that most data transmission service providers are also classed as business associates.

What is the HIPAA Conduit Exception Rule?

The HIPAA Conduit Exception Rule is detailed in the HIPAA Privacy Rule, but was defined in the HIPAA Omnibus Final Rule. The Rule allows HIPAA-covered entities to use certain vendors without having to enter into a business associate agreement. The HIPAA Conduit Exception Rule is narrow and excludes an extremely limited group of entities from having to enter into business associate agreements with covered entities. The Rule applies to entities that transmit PHI but do not have access to the transmitted information and do not store copies of data. They simply act as conduits through which PHI flows.

HIPAA Conduit Exception Rule covers organizations such as the US Postal Service and certain other private couriers such as Fed-Ex, UPS, and DHL as well as their electronic equivalents. Companies that simply provide data transmission services, such as internet Service Providers (ISPs), are considered conduits.

The HIPAA Conduit Exception Rule is limited to transmission-only services for PHI. If PHI is stored by a conduit, the storage must be transient in nature, and not persistent.

It does not matter if the service provider says they do not access transmitted information. To be considered a conduit, the service provider must not have access to PHI, must only store transmitted information temporarily, and should not have a key to unlock encrypted data.

Vendors that are often misclassified as conduits are email service providers, fax service providers, cloud service providers, and SMS and messaging service providers. These service providers are NOT considered conduits and all must enter into a business associate agreement with a covered entity prior to the service being used in conjunction with any PHI.

Some service providers claim that they are conduits when they are not, in order to avoid having to sign a business associate agreement. Certain fax service providers have claimed they are conduits, and while they appear at face value to be an electronic equivalent to an organization such as the US Postal Service, they are not covered by the HIPAA Conduit Exception Rule. Fax services do not simply send documents from the sender to the recipient. Faxes are stored, and the storage is not considered transient.

Penalties for Misclassifying a Business Associate as a Conduit

Any vendor that has routine access to PHI is considered a business associate (We have covered the definition of a HIPAA business associate on this page). All business associates must sign a business associate agreement with the HIPAA-covered entity before PHI is provided or access to PHI is granted.

Misclassifying a vendor as a conduit rather than a business associate can result in a significant financial penalty, since PHI will have been disclosed without first entering into a business associate agreement.

The Department of Health and Human Services’ Office for Civil Rights has financially penalized many covered entities that have been discovered to have disclosed PHI to a vendor without obtaining a BAA.

In 2017, the Center for Children’s Digestive Health settled with OCR for $31,000 to resolve business associate agreement failures. In 2016, Care New England Health System settled its HIPAA violation case for $400,000, North Memorial Health Care of Minnesota paid $1,550,000 and Oregon Health & Science University settled for $2,700,000.

The post The HIPAA Conduit Exception Rule and Transmission of PHI appeared first on HIPAA Journal.

HHS Sued by CIOX Health Over Unlawful HIPAA Regulations

The Department of Health and Human Services is being sued by CIOX Health, a medical record retrieval company, over updates to HIPAA laws that place restrictions on the amount that can be charged to patients for providing them with copies of their medical records.

CIOX Health claims the HIPAA Omnibus Rule updates in 2013, “unlawfully, unreasonably, arbitrarily and capriciously,” restrict the fees that can be charged by providers and their business associates for providing copies of the health information stored on patients.

Changes to HIPAA Rules not only placed a limit on the fees, but also expanded the types of information that must be provided to patients, on request. Accessing some of that information, in particular health information that is not stored in electronic medical records, is costly. Yet, even though the costs of processing some requests are high, HIPAA limits charges to $6.50 according to the lawsuit.

CIOX Health argues that this flat rate fee is an arbitrary figure that bears no relation to the actual cost of honoring patient requests for copies of their health information, and such a low fee is hurting its business. CIOX Health wants the HHS to reverse the changes made to HIPAA in 2013 and 2016 with respect to how much can be charged and the provision of copies of any type of medical information.

While the flat fee of $6.50 is the maximum that can be charged, it should be noted that the maximum fee only applies if the healthcare provider or company chooses that option. HIPAA does not prevent healthcare organizations from charging more. If they choose not to charge a flat fee, they are permitted to charge patients “actual or average allowable costs for requests for electronic copies of PHI maintained electronically.” The HHS confirmed this in May 2016 in response to questions asked via its web portal.

Tremendous Financial Burdens on Healthcare Providers

In the lawsuit, CIOX Health says, “HHS’s continued application and enforcement of these rules impose tremendous financial and regulatory burdens on healthcare providers and threatens to upend the medical records industry that services them.”

These changes to HIPAA Rules “threaten to bankrupt the dedicated medical-records providers who service the healthcare industry by effectively and quite deliberately mandating that they fulfill a rapidly growing percentage of requests for protected health information at a net loss.”

The changes to the types of health information that must be provided on request now includes medical information in any form whatsoever, including electronic medical records in EHR systems, but also paper records and films that have been transferred to third parties.

In the case of electronic records, they can be located in several different virtual locations, while paper records and films may be stored in several different physical locations. Providing copies of complete record sets requires staff to be sent to each of those locations to retrieve the records, and even accessing multiple virtual locations is a time consuming and costly process. Records must also be verified and compiled, which all takes time.

CIOX Health serves more than 16,000 physician practices and processes tens of millions of requests for copies of medical records every year. The restrictions on charges has potentially hurt its business, according to the lawsuit.

This is not the only legal action that CIOX Health is involved in which is related to providing patients with copies of their medical records. CIOX is the co-defendant in a November 2017 lawsuit that claims more than 60 Indiana hospitals have been failing to provide copies of medical records to patients within 3 days, as required by the HITECH Act, even though they accepted payments and claimed that they were meeting HITECT Act requirements. The defendants are also alleged to have overcharged patients for copies of medical records.

The post HHS Sued by CIOX Health Over Unlawful HIPAA Regulations appeared first on HIPAA Journal.

Kathryn Marchesini Appointed Chief Privacy Officer at ONC

The Office of the National Coordinator for Health IT (ONC) has a new chief privacy officer – Kathryn Marchesini, JD.

The appointment was announced this week by National Coordinator Donald Rucker, M.D. Marchesini will replace Acting Chief Privacy Officer Deven McGraw, who left the position this fall.

The HITECH Act requires a Chief Privacy Officer to be appointed by the ONC. The CPO is required to advise the National Coordinator on privacy, security, and data stewardship of electronic health information and to coordinate with other federal agencies.

Following the departure of McGraw, it was unclear whether the position of CPO would be filled at the ONC. The ONC has had major cuts to its budget, and in an effort to become a much leaner organization, funding for the Office of the Chief Privacy Officer was due to be withdrawn in 2018. However, the decision has been taken to appoint a successor to McGraw.

There are few individuals better qualified to take on the role of CPO. Katheryn Marchesini has extensive experience in the field of data privacy and security, having spent seven years at the Department of Health and Human Services. During her time at the HHS Marchesini assisted with the creation of new federal policies, guidance for HIPAA covered entities on privacy and security, and many HHS health IT privacy initiatives.

Most recently, Marchesini served as senior health information technology and privacy advisor at the HHS’ Office for Civil Rights and as senior advisor on privacy and precision medicine at the ONC. Marchesini also served as Division Director for Privacy at the ONC between 2014 and 2016, Acting Chief Privacy Officer at the ONC for four months in 2014, and Senior Policy Analyst and Privacy Team Leader at the ONC between October 2012 and June 2014.

Prior to joining the HHS, Marchesini worked as a legal associate with two law firms, as a management analyst at Deloitte Consulting, and economics assistant at FERC.

Announcing the appointment, Donald Rucker said, “[Marhesini] brings to her new roles a wealth of experience as a Senior Advisor and Deputy Director for Privacy at ONC where she advised staff and stakeholders about privacy and security implications surrounding electronic health information, technology, and health research.” The appointment has also been welcomed by Deven McGraw.

The post Kathryn Marchesini Appointed Chief Privacy Officer at ONC appeared first on HIPAA Journal.

2017 HIPAA Enforcement Summary

Our 2017 HIPAA enforcement summary details the financial penalties paid by healthcare organizations to resolve HIPAA violation cases investigated by the Department of Health and Human Services’ Office for Civil Rights (OCR) and state attorneys general.

2017 saw OCR continue its aggressive pursuit of financial settlements for serious violations of HIPAA Rules. There have been 9 HIPAA settlements and one civil monetary penalty in 2017.

In total, OCR received $19,393,000 in financial settlements and civil monetary penalties from covered entities and business associates to resolve HIPAA violations discovered during the investigations of data breaches and complaints.

Last year, there were 12 settlements reached with HIPAA-covered entities and business associates, and one civil monetary penalty issued. In 2016, OCR received $25,505,300 from covered entities to resolve HIPAA violation cases.

Summary of 2017 HIPAA Enforcement by OCR

Listed below are the 2017 HIPAA enforcement activities of OCR that resulted in financial penalties for HIPAA-covered entities and their business associates.

Covered Entity Amount Type Violation Type
Memorial Healthcare System $5,500,000 Settlement Insufficient ePHI Access Controls
Children’s Medical Center of Dallas $3,200,000 Civil Monetary Penalty Impermissible Disclosure of ePHI
Cardionet $2,500,000 Settlement Impermissible Disclosure of PHI
Memorial Hermann Health System $2,400,000 Settlement Careless Handling of PHI
21st Century Oncology $2,300,000 Settlement Multiple HIPAA Violations
MAPFRE Life Insurance Company of Puerto Rico $2,200,000 Settlement Impermissible Disclosure of ePHI
Presense Health $475,000 Settlement Delayed Breach Notifications
Metro Community Provider Network $400,000 Settlement Lack of Security Management Process
St. Luke’s-Roosevelt Hospital Center Inc. $387,000 Settlement Unauthorized Disclosure of PHI
The Center for Children’s Digestive Health $31,000 Settlement Lack of a Business Associate Agreement

OCR’s 2017 HIPAA enforcement activities have revealed covered entities are continuing to fail to comply with HIPAA Rules in key areas: Safeguarding PHI on portable devices, conducting an organization-wide risk analysis, implementing a security risk management process, and entering into HIPAA-compliant business associate agreements with all vendors.

Throughout 2016 and 2017, many covered entities have failed to issue breach notifications promptly. In 2017, OCR took action for this common HIPAA violation and agreed its first HIPAA settlement solely for delaying breach notifications to patients.

HIPAA Desk Audits Revealed Widespread HIPAA Violations

In late 2016, OCR commenced the much-delayed second phase of its HIPAA-compliance audit program. The first stage involved desk audits of 166 HIPAA-covered entities – 103 audits on the Privacy and Breach Notification Rules, and 63 audits on the Security Rule. 41 desk audits were conducted on business associates on the Breach Notification and Security Rules.

While the full results of the compliance audits have not been released, this fall OCR announced preliminary findings from the compliance audits.

Covered entities were given a rating from 1 to 5 for the completeness of compliance efforts on each control and implementation specification. A rating of 1 signifies full compliance with goals and objectives of the standards and implementation specifications that were audited. A rating of 5 indicates there was no evidence that the covered entity had made a serious attempt to comply with HIPAA Rules.

Preliminary Findings of HIPAA Compliance Audits on Covered Entities

Listed below are the findings from the HIPAA compliance audits. A rating of 5 being the worst possible score and 1 being the best.

Preliminary HIPAA Compliance Audit Findings (2016/2017)
HIPAA Rule Compliance Controls Audited Covered Entities Given Rating of 5 Covered Entities Given Rating of 1
Breach Notification Rule (103 audits) Timeliness of Breach Notifications 15 67
Breach Notification Rule (103 audits) Content of Breach Notifications 9 14
Privacy Rule (103 audits) Right to Access PHI 11 1
Privacy Rule (103 audits) Notice of Privacy Practices 16 2
Privacy Rule (103 audits) Electronic Notice 15 59
Security Rule (63 audits) Risk Analysis 13 0
Security Rule (63 audits) Risk Management 17 1


Almost a third of covered entities failed to issue breach notifications promptly and next to no covered entities were found to be fully compliant with the HIPAA Privacy and Security Rules.

OCR has delayed the full compliance reviews until 2018. While some organizations will be randomly selected for a full review – including a site visit – OCR has stated that poor performance in the desk audits could trigger a full compliance review. Financial penalties may be deemed appropriate, especially when there has been no attempt to comply with HIPAA Rules.

Attorneys General Fines for Privacy Breaches

The HITECH Act gave state attorneys general the authority to pursue financial penalties for HIPAA violations and assist OCR with the enforcement of HIPAA Rules. Relatively few state attorneys general exercise this right. Instead they choose to pursue cases under state laws, even if HIPAA Rules have been violated.

Notable 2017 settlements with healthcare organizations and business associates of HIPAA covered entities have been listed below.

Covered Entity State Amount Individuals affected Reason
Cottage Health System California $2,000,000 More than 54,000 Failure to Safeguard Personal Information
Horizon Healthcare Services Inc., New Jersey $1,100,000 3.7 million Failure to Safeguard Personal Information
SAManage USA, Inc. Vermont $264,000 660 Exposure of PHI on Internet
CoPilot Provider Support Services, Inc. New York $130,000 221,178 Late Breach Notifications
Multi-State Billing Services Massachusetts $100,000 2,600 Failure to Safeguard Personal Information

The post 2017 HIPAA Enforcement Summary appeared first on HIPAA Journal.

New Bill Aims to Change HIPAA Rules for Healthcare Clearinghouses

A new bill (H.R. 4613) has been introduced to the U.S House of Representatives by Congresswoman Cathy McMorris Rodgers (R-Washington) that proposes changes to the Health Information Technology for Economic and Clinical Health (HITECH) Act and HIPAA Rules for healthcare clearinghouses.

The Ensuring Patient Access to Healthcare Records Act of 2017 is intended to modernize the role of healthcare clearinghouses in healthcare, promote access to and the leveraging of health information, and enhance treatment, quality improvement, research, public health and other functions.

Healthcare clearinghouses are entities that transform data from one format to another, converting non-standard data to standard data elements or vice versa. Healthcare clearinghouses are considered HIPAA-covered entities, although in some cases they can be business associates. The bill – Ensuring Patient Access to Healthcare Records Act of 2017 – would see all healthcare clearinghouses treated as covered entities.

Healthcare clearinghouses gather health data from a wide range of sources, therefore they could hold a complete set of records for each patient. If patients are allowed to obtain copies of their health records from healthcare clearinghouses, it could make it easier for patients treated by multiple providers to obtain a full set of their health records.

“Whether it’s because of a move to a new state, switching providers, an unexpected visit to the emergency room, or a new doctor, patients must track down their own records from numerous different sources based on what they can or cannot remember. It shouldn’t be this burdensome,” said Rodgers. “Our bill gives patients the ability to see a snapshot of their health records at just a simple request, allowing them to make better, more informed healthcare decisions in a timely manner.”

While the bill could improve data access for patients, it has been suggested that patients are unlikely to benefit. Healthcare clearinghouses may have longitudinal health records from multiple sources, but in many cases, they only have claims data rather than a full set of clinical data. Even if patients could be provided with copies, it may not prove to be particularly useful.

Patients can choose which healthcare providers they use, but since a healthcare clearinghouse is not chosen by patients, they are unlikely to know which healthcare clearinghouses actually hold their data. Patients rarely have any dealings with healthcare clearinghouses.

The bill would “allow the use of claims, eligibility, and payment data to produce reports, analyses, and presentations to benefit Medicare, and other similar health insurance programs, entities, researchers, and health care providers, to help develop cost saving approaches, standards, and reference materials and to support medical care and improved payment models.”

This is not the first time that the Ensuring Patient Access to Healthcare Records Act has been introduced. None of the previous versions of the bill have made it to the floor and have attracted considerable criticism. In his Healthcare Blog, Adrian Gropper, MD expressed concern over a previous version of the bill (Senate bill S.3530).

“Extending Covered Entity status to data brokers seems like a quantitative shift and possibly a benefit to patients. But the deceptive part is that unlike today’s Covered Entities (hospitals, pharmacies, and insurance companies), data brokers do not have to compete for the patient’s business,” said Gropper. “By giving the infrastructure business the right to use and sell our data without consent or even transparency, we are enabling a true panopticon – an inescapable surveillance system for our most valuable personal data.”

The post New Bill Aims to Change HIPAA Rules for Healthcare Clearinghouses appeared first on HIPAA Journal.

Data Security and Breach Notification Act Introduced in Senate

The Senate is to vote on a national data breach notification bill – the Data Security and Breach Notification Act – that aims to standardize breach notification requirements across all states. Currently there is a patchwork of data breach notification laws across the United States, each with different reporting requirements. If passed, the Data Security and Breach Notification Act would replace state laws.

While there is a clear need for national standards to ensure all consumers are equally protected regardless of where they live, all previous attempts to introduce nationwide standards for data breach notifications have failed.

The Data Security and Breach Notification Act was introduced by Sen. Bill Nelson (D-FL), with the bill co-sponsored by Sen. Richard Blumenthal (D-CT) and Sen. Tammy Baldwin (D-WI).

Sen. Nelson first introduced the bill in 2015, and introduced a revised version a year later, both of which failed. Announcing the bill, Nelson highlighted the recent Uber data breach, which saw the names, phone numbers, and email addresses of more than 57 million customers and the names and driver’s license details of 600,000 U.S drivers exposed. Uber became aware of the breach in 2016, negotiated with the hackers and paid them $100,000 to destroy the stolen data, and attempted to coverup the breach. Details of the breach were only recently made public.

Following the announcement of the Uber breach, the massive Equifax breach, and other major breaches that have resulted in considerable harm to U.S. consumers, it is hoped that this time around the bill will progress.

Sen. Baldwin said, “The recent data breaches, from Uber to Equifax, will have profound, long-lasting impacts on the integrity of many Americans’ identities and finances, and it is simply unacceptable that millions of them may still not know that they are at risk, nor understand what they can and should do to help limit the potential damage.”

If passed, the Data Security and Breach Notification Act would require notifications of data breaches to be issued to state authorities and breach victims within 30 days of the discovery of a breach.

The breach reporting requirements of the Data Security and Breach Notification Act are tougher than those in most states, as are the penalties for concealing a data breach. Executives of companies that knowingly conceal and fail to report a data breach would face up to five years in jail.

Financial institutions covered by, and in compliance with, the Gramm-Leach-Bliley Act will be deemed to be in compliance with the Data Security and Breach Notification Act, as will organizations that comply with Section 13401 of the Health Information Technology for Economic and Clinical Health (HITECH) Act, or 1173(d) 19 of title XI, part C of the Social Security Act, with respect to data covered by section 13401 of the HITECH Act or the HIPAA Security Rule.

The bill also calls for the Federal Trade Commission (FTC) to develop a new set of security standards that business can follow to help prevent data breaches.

“We need a strong federal law in place to hold companies truly accountable for failing to safeguard data or inform consumers when that information has been stolen by hackers,” said, Sen. Nelson. “Congress can either take action now to pass this long overdue bill or continue to kowtow to special interests who stand in the way of this commonsense proposal.  When it comes to doing what’s best for consumers, the choice is clear.”

The post Data Security and Breach Notification Act Introduced in Senate appeared first on HIPAA Journal.

Lawsuits Filed for Alleged HIPAA and HITECH Act Violations

Two lawsuits have been filed against healthcare organizations over alleged HIPAA and HITECH Act violations.

60 Hospitals Named in Lawsuit Alleging HITECH Act Violations

A recently unsealed complaint, filed in a U.S. District Court in Indiana in 2016, seeks more than $1 billion in damages from 60 hospitals that received HITECH Act meaningful use incentive payments for transitioning to electronic health records, yet failed to meet the requirements of the HITECH Act with respect to providing patients, and their legal representatives, with copies of health records promptly on request.

In order to receive incentive payments, one of the requirements was for hospitals to attest that for at least 50% of patients, they were able to provide copies of medical records within 3 business days of requests being submitted. When copies of health records are requested, the HITECH Act only permits healthcare organizations to charge for labor costs for supplying copies of records.

Michael Misch and Bradley Colborn, attorneys with Anderson, Agostino & Keller, P.C., of South Bend Indiana, investigated hospitals after growing frustrated with the delay in obtaining copies of health records at their clients’ request, and over the amounts being charged for copies of health records.

The aim of the investigation was to streamline requests, reduce the time taken to obtain copies of health records, and reduce the cost of accessing those records. However, the investigation revealed that many hospitals were failing to meet the requirements of the HITECH Act, even though they had received incentive payments for compliance.

In the complaint, it is alleged that 60 hospitals received payments of $324.4 million in HITECH Act grant funding, yet failed to meet the requirements of the HITECH Act when it came to providing copies of health records of patients. The lawsuit also alleges the hospitals violated the Anti-Kickback Statute and the False Claims Act; falsely claiming compliance with HITECH Act to gain access to public funding.

Patient Sues BJC Health System Over Barnes-Jewish Hospital Breach

A patient whose protected health information was exposed as a result of a security breach at Barnes-Jewish Hospital in St. Louis, MO, has filed a complaint in the St. Louis Circuit Court against the hospital operator, BJC Health System.

Megan L. Rosemann claims BJC Health System allowed unauthorized individuals to gain access to the protected health information of patients and failed to adequately protect patient data. She alleges BJC Health System was negligent and breached its fiduciary duty.

Rosemann claims the exposure of her information places her at an increased risk of identity theft, abuse, and exploitation. The lawsuit names Rosemann as the plaintiff, along with other individuals affected by the breach. Rosemann is seeking a class certification and trial by jury. A jury trial has been scheduled for May 14, 2018.

BJC Healthcare reported the unauthorized accessing of an email account to the Department of Health and Human Services’ Office for Civil Rights on February 26, 2016. The breach impacted 2,393 patients. The case is still marked as under investigation by OCR.

The post Lawsuits Filed for Alleged HIPAA and HITECH Act Violations appeared first on HIPAA Journal.

Tips for Reducing Mobile Device Security Risks

An essential part of HIPAA compliance is reducing mobile device security risks to a reasonable and acceptable level.

As healthcare organizations turn to mobiles devices such as laptop computers, mobile phones, and tablets to improve efficiency and productivity, many are introducing risks that could all too easily result in a data breach and the exposure of protected health information (PHI).

As the breach reports submitted to the HHS’ Office for Civil Rights show, mobile devices are commonly involved in data breaches. Between January 2015 and the end of October 2017, 71 breaches have been reported to OCR that have involved mobile devices such as laptops, smartphones, tablets, and portable storage devices. Those breaches have resulted in the exposure of 1,303,760 patients and plan member records.

17 of those breaches have resulted in the exposure of more than 10,000 records, with the largest breach exposing 697,800 records. The majority of those breaches could have easily been avoided.
The Health Insurance Portability and Accountability Act (HIPAA) Security Rule does not demand encryption for mobile devices, yet such a security measure could have prevented a high percentage of the 71 data breaches reported to OCR.

When a mobile device containing ePHI is lost or stolen, the HIPAA Breach Notification Rule requires the breach to be reported and notifications to be sent to affected individuals. If PHI has been encrypted and a device containing ePHI is lost or stolen, notifications need not be sent as it would not be a HIPAA data breach. A breach report and patient notifications are only required for breaches of unencrypted PHI, unless the key to decrypt data is also obtained.

Even though HIPAA does not demand the use of encryption, it must be considered. If the decision is taken not to encrypt data, the decision must be documented and an alternative safeguard – or safeguards – must be employed to ensure the confidentiality, integrity, and availability of ePHI. That alternative safeguard(s) must provide a level of protection equivalent to encryption.

Before the decision about whether or not to encrypt data can be made, HIPAA covered entities must conduct an organization-wide risk analysis, which must include all mobile devices. All risks associated with the use of mobile devices must be assessed and mitigated – see 45 C.F.R. § 164.308(a)(1)(ii)(A)–(B).

OCR Reminds Covered Entities of Need to Address Risks Associated with Mobile Devices

In its October 2017 Cybersecurity Newsletter, OCR reminded covered entities of the risks associated with mobile devices that are used to create, receive, maintain, or transmit ePHI. HIPAA covered entities were reminded of the need to conduct an organization-wide risk assessment and develop a risk management plan to address all mobile device security risks identified during the risk analysis and reduce them to an appropriate and acceptable level.

While many covered entities allow the use of mobile devices, some prohibit the use of those devices to create, receive, maintain, or transmit ePHI. OCR reminds covered entities that if such a policy exists, it must be communicated to all staff and the policy must be enforced.

When mobile devices can be used to create, receive, maintain, or transmit ePHI, appropriate safeguards must be implemented to reduce risks to an appropriate and acceptable level. While loss or theft of mobile devices is an obvious risk, OCR draws attention to other risks associated with the devices, such as using them to access or send ePHI over unsecured Wi-Fi networks, viewing ePHI stored in the cloud, or accessing or sharing ePHI via file sharing services.

OCR also remined covered entities to ensure default settings on the devices are changed and how healthcare employees must be informed of mobile device security risks, taught best practices, and the correct way to uses the device to access, store, and transmit ePHI.

OCR offers the following advice to covered entities address mobile security risks and keep ePHI secure at all times.

To access OCR’s guidance – Click here.

OCR’s Tips for Reducing Mobile Device Security Risks

  • Implement policies and procedures regarding the use of mobile devices in the work place – especially when used to create, receive, maintain, or transmit ePHI.
  • Consider using Mobile Device Management (MDM) software to manage and secure mobile devices.
  • Install or enable automatic lock/logoff functionality.
  • Require authentication to use or unlock mobile devices.
  • Regularly install security patches and updates.
  • Install or enable encryption, anti-virus/anti-malware software, and remote wipe capabilities.
  • Use a privacy screen to prevent people close by from reading information on your screen.
  • Use only secure Wi-Fi connections.
  • Use a secure Virtual Private Network (VPN).
  • Reduce risks posed by third-party apps by prohibiting the downloading of third-party apps, using whitelisting to allow installation of only approved apps, securely separating ePHI from apps, and verifying that apps only have the minimum necessary permissions required.
  • Securely delete all PHI stored on a mobile device before discarding or reusing the mobile device.
  • Include training on how to securely use mobile devices in workforce training programs.

Penalties for Failing to Address Mobile Security Risks

The failure to address mobile device security risks could result in a data breach and a penalty for noncompliance with HIPAA Rules. Over the past few years there have been several settlements reached between OCR and HIPAA covered entities for the failure to address mobile device security risks.

These include:

Covered Entity HIPAA Violation Individuals Impacted Penalty
Children’s Medical Center of Dallas Theft of unencrypted devices 6,262 $3.2 million
Oregon Health & Science University Loss of unencrypted laptop / Storage on cloud server without BAA 4,361 $2,700,000
Cardionet Theft of an unencrypted laptop computer 1,391 $2.5 million
Catholic Health Care Services of the Archdiocese of Philadelphia Theft of mobile device 412 $650,000

Addressing Mobile Device Security Risks

Mobile device security risks must be reduced to a reasonable and appropriate level.  Some of the mobile device security risks, together with mitigations, have been summarized in the infographic below. (Click image to enlarge)

mobile device security risks

The post Tips for Reducing Mobile Device Security Risks appeared first on HIPAA Journal.