Latest HIPAA News

OCR Imposes 2nd Largest Ever HIPAA Penalty of $6.85 Million on Premera Blue Cross

The Department of Health and Human Services’ Office for Civil Rights (OCR) has imposed a $6.85 million HIPAA penalty on Premera Blue Cross to resolve HIPAA violations discovered during the investigation of a 2014 data breach involving the electronic protected health information of 10.4 million individuals.

Mountainlake Terrace, WA-based Premera Blue Cross is the largest health plan in the Pacific Northwest and serves more than 2 million individuals in Washington and Alaska. In May 2014, an advanced persistent threat group gained access to Premera’s computer system where they remained undetected for almost 9 months. The hackers targeted the health plan with a spear phishing email that installed malware. The malware gave the APT group access to ePHI such as names, addresses, dates of birth, email addresses, Social Security numbers, bank account information, and health plan clinical information.

The breach was discovered by Premera Blue Cross in January 2015 and OCR was notified about the breach in March 2015. OCR launched an investigation into the breach and discovered “systemic noncompliance” with the HIPAA Rules.

OCR determined that Premera Blue Cross had failed to:

  • Conduct a comprehensive and accurate risk analysis to identify all risks to the confidentiality, integrity, and availability of ePHI.
  • Reduce risks and vulnerabilities to ePHI to a reasonable and appropriate level.
  • Implement sufficient hardware, software, and procedural mechanisms to record and analyze activity related to information systems containing ePHI, prior to March 8, 2015.
  • Prevent unauthorized access to the ePHI of 10,466,692 individuals.

Due to the nature of the HIPAA violations and scale of the breach, OCR determined a financial penalty was appropriate. Premera Blue Cross agreed to settle the HIPAA violation case with no admission of liability. In addition to the financial penalty, Premera Blue Cross has agreed to adopt a robust corrective action plan to address all areas of noncompliance discovered during the OCR investigation. Premera Blue Cross will also be closely monitored by OCR for two years to ensure compliance with the CAP.

“If large health insurance entities don’t invest the time and effort to identify their security vulnerabilities, be they technical or human, hackers surely will. This case vividly demonstrates the damage that results when hackers are allowed to roam undetected in a computer system for nearly nine months,” said Roger Severino, OCR Director.

“We are pleased to have reached an agreement with the federal Office for Civil Rights to resolve legal inquiries into the 2014 cyberattack on our data network,” said Premera Blue Cross in a statement. “The commitments we have agreed to are consistent with our ongoing focus on protecting personal customer information.”

Last year, Premera Blue Cross agreed to settle a $10 million HIPAA violation lawsuit over the breach. The health plan had been investigated by 30 state attorneys general who determined Premera Blue Cross had not met its obligations under HIPAA and Washington’s Consumer Protection Act. In 2019, Premera Blue Cross also agreed to settle a $74 million lawsuit filed on behalf of individuals whose ePHI was exposed in the breach.

The latest penalty is the second largest HIPAA penalty imposed on a covered entity or business associate by OCR to resolve HIPAA violations, behind the $16 million financial penalty imposed on Anthem Inc. over its 2015 data breach involving the ePHI of 79 million individuals.

The fine is the 11th HIPAA violation penalty to be announced by OCR in 2020 and the 8th to be announced this month. So far in 2020, OCR has been paid $10,786,500 to resolve HIPAA violations discovered during investigations of data breaches and HIPAA complaints.

The post OCR Imposes 2nd Largest Ever HIPAA Penalty of $6.85 Million on Premera Blue Cross appeared first on HIPAA Journal.

Business Associate Fined $2.3 Million for Breach of 6 Million Records and Multiple HIPAA Failures

The Department of Health and Human Services’ Office for Civil Rights has announced its 10th HIPAA violation fine of 2020. This is the 7th financial penalty to resolve HIPAA violations that has been announced in as many days.

The latest financial penalty is the largest to be imposed in 2020 at $2.3 million and resolves a case involving 5 potential violations of the HIPAA Rules, including a breach of the electronic protected health information (ePHI) of 6,121,158 individuals.

CHSPSC LLC is Tennessee-based management company that provides services to many subsidiary hospital operator companies and other affiliates of Community Health Systems, including legal, compliance, accounting, operations, human resources, IT, and health information management services. The provision of those services requires access to ePHI, so CHSPSC is classed as a business associate and is required to comply with the HIPAA Security Rule.

On April 10, 2014, CHSPSC suffered a cyberattack by an advanced persistent threat group known as APT18. Using compromised admin credentials, the hackers remotely accessed CHSPSC’s information systems via its virtual private network (VPN) solution. CHSPSC failed to detect the intrusion and was notified by the Federal Bureau of Investigation on April 18, 2014 that its systems had been compromised.

During the time the hackers had access to CHSPSC systems, the ePHI of 6,121,158 individuals was exfiltrated. The data had been provided to CHSPSC through 237 covered entities that used CHSPSC’s services. The types of information stolen in the attack included the following data elements: name, sex, date of birth, phone number, social security number, email, ethnicity, and emergency contact information.

OCR launched an investigation into the breach and uncovered systemic noncompliance with the HIPAA Security Rule. While it may not always be possible to prevent cyberattacks by sophisticated threat actors, when an intrusion is detected action must be taken quickly to limit the harm caused. Despite being notified by the FBI in April 2014 that its systems had been compromised, the hackers remained active in its systems for 4 months, finally being eradicated in August 2014. During that time, CHSPSC failed to prevent unauthorized access to ePHI, in violation of 45 C.F.R. §164.502(a), and the hackers continued to steal ePHI.

The failure to respond to a known security incident between April 18, 2014 and June 18, 2014 and mitigate harmful effects of the security breach, document the breach, and its outcome, was in violation of 45 C.F.R.§164.308(a)(6)(ii).

OCR investigators found CHSPSC had failed to conduct an accurate and thorough security risk analysis to identify the risks to the confidentiality, integrity, and availability of ePHI, in violation of 45 C.F.R. § 164.308(a)(1)(ii)(A).

Technical policies and procedures permitting access to information systems containing ePH maintained by CHSPSC only by authorized individuals and software programs had not been implemented, in violation of 45 C.F.R. § 164.312(a).

Procedures had not been implemented to ensure information system activity records such as logs and system security incident tracking reports were regularly reviewed, in violation of 45 C.F.R. § 164.308(a)(1)(ii)(D).

“The health care industry is a known target for hackers and cyberthieves.  The failure to implement the security protections required by the HIPAA Rules, especially after being notified by the FBI of a potential breach, is inexcusable,” said OCR Director Roger Severino. A sizeable financial penalty was therefore appropriate.

CHSPSC chose not to contest the case and agreed to pay the financial penalty and settled with OCR. The settlement also requires CHSPSC to adopt a robust and extensive corrective action plan to address all areas of noncompliance, and CHSPSC will be closely monitored by OCR for 2 years.

The post Business Associate Fined $2.3 Million for Breach of 6 Million Records and Multiple HIPAA Failures appeared first on HIPAA Journal.

Systemic Noncompliance with HIPAA Results in $1.5 Million Financial Penalty for Athens Orthopedic Clinic

The HHS’ Office for Civil Rights has announced a settlement has been reached with Athens Orthopedic Clinic PA to resolve multiple violations of the Health Insurance Portability and Accountability Act (HIPAA) Rules.

OCR conducted an investigation into a data breach reported by the Athens, GA-based healthcare provider on July 29, 2016.  Athens Orthopedic Clinic had been notified by Dissent of Databreaches.net on June 26, 2026 that a database containing the electronic protected health information (ePHI) of Athens Orthopedic Clinic patients had been listed for sale online by a hacking group known as The Dark Overlord. The hackers are known for infiltrating systems, stealing data, and issuing ransom demands, payment of which are required to prevent the publication/sale of data.

Athens Orthopedic Clinic investigated the breach and determined that the hackers gained access to its systems on June 14, 2016 using vendor credentials and exfiltrated data from its EHR system. The records of 208,557 patients were stolen in the attack, including names, dates of birth, Social Security numbers, procedures performed, test results, clinical information, billing information, and health insurance details.

OCR accepts that it is not possible to prevent all cyberattacks, but when data breaches occur as a result of the failure to comply with the HIPAA Rules, financial penalties are appropriate.

“Hacking is the number one source of large health care data breaches. Health care providers that fail to follow the HIPAA Security Rule make their patients’ health data a tempting target for hackers,” said OCR Director Roger Severino.

The OCR investigation into the breach revealed systemic noncompliance with the HIPAA Rules. Athens Orthopedic Clinic had not conducted an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI, in violation of 45 C.F.R. § 164.308(a)(1)(ii)(B).

Security procedures had not been implemented to reduce the potential risks to ePHI to a reasonable and appropriate level, in violation of 45 C.F.R. § 164.308(a)(1)(ii)(A).

From September 30, 2015 to December 15, 2016, Athens Orthopedic Clinic failed to implement appropriate hardware, software, and procedures for recording and analyzing information system activity, in violation of 45 C.F.R. §§ 164.312(b).

It took until August 2016 for HIPAA policies and procedures to be maintained, in violation of 45 C.F.R. § 164.530(i) and (j), and prior to August 7, 2016, the clinic had not entered into business associate agreements with three of its vendors, in violation of 45 C.F.R. § 164.308(b)(3).

Prior to January 15, 2018, Athens Orthopedic Clinic had not provided HIPAA Privacy Rule training to the entire workforce, in violation of 45 C.F.R. § 164.530(b).

As a result of the compliance failures, Athens Orthopedic Clinic failed to prevent unauthorized access to the ePHI of 208,557 patients, in violation of 45 C.F.R. §164.502(a)).

In addition to the financial penalty, Athens Orthopedic Clinic has agreed to adopt a corrective action plan covering all aspects of noncompliance discovered during the OCR investigation. The clinic settled the case with no admission of liability.

This is the sixth HIPAA settlement to be announced by OCR in September and the 9th HIPAA penalty of 2020. Earlier this month, OCR announced five settlements had been reached with HIPAA-covered entities under its HIPAA Right of Access initiative for failing to provide patients with a copy of their health information.

The post Systemic Noncompliance with HIPAA Results in $1.5 Million Financial Penalty for Athens Orthopedic Clinic appeared first on HIPAA Journal.

Hospital Ransomware Attack Results in Patient Death

Ransomware attacks on hospitals pose a risk to patient safety. File encryption results in essential systems crashing, communication systems are often taken out of action, and clinicians can be prevented from accessing patients’ medical records.

Highly disruptive attacks may force hospitals to redirect patients to alternate facilities, which recently happened in a ransomware attack on the University Clinic in Düsseldorf, Germany. One patient who required emergency medical treatment for a life threatening condition had to be rerouted to an alternate facility in Wuppertal, approximately 20 miles away. The redirection resulted in a one-hour delay in receiving treatment and the patient later died. The death could have been prevented had treatment been provided sooner.

The attack occurred on September 10, 2020 and completely crippled the clinic’s systems. Investigators determined that the attackers exploited a vulnerability in “widely used commercial add-on software” to gain access to the network. As the encryption process ran, hospital systems started to crash and medical records could not be accessed.

The medical clinic was forced to de-register from emergency care, postponed appointments and outpatient care, and all patients were advised not to visit the medical clinic until the attack was remediated. A week later and normal function at the hospital has still not resumed, although the hospital is now starting to restart essential systems.

According to a recent Associated Press report, 30 servers at the hospital were affected. A ransom demand was found on one of the encrypted servers. The hospital alerted law enforcement which made contact with the attackers using the information in the ransom note.

It would appear that the attackers did not intend on attacking the hospital, as the ransom note was addressed to Heinrich Heine University in Düsseldorf, to which the medical clinic is affiliated. Law enforcement officials made contact with the attackers using the information in the ransom note and told the attackers that the hospital had been affected and patient safety was at risk.

The attackers supplied the keys to decrypt files and made no further attempts to extort money. No further contact has been possible with the attackers. Law enforcement is continuing to investigate and it is possible that charges of manslaughter could be brought against the attackers.

Until now there have been no confirmed cases of ransomware attacks on healthcare facilities resulting in the death of a patient, but when attacks cripple hospital systems and patients are prevented from receiving treatment for life threatening conditions, such tragic events are sadly inevitable.

Several ransomware gangs have publicly stated that they will not conduct attacks on medical facilities, and if hospital systems are affected, keys to decrypt files will be provided free of charge. However, even if keys are provided to decrypt files, recovery from an attack is not a quick process. Other ransomware operations have made no such concessions and continue to attack healthcare facilities.

The post Hospital Ransomware Attack Results in Patient Death appeared first on HIPAA Journal.

HHS Releases Updated Security Risk Assessment Tool

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced that a new version of its Security Risk Assessment (SRA) Tool has now been released.

The SRA tool was developed by the Office of the National Coordinator for Health Information Technology (ONC) in collaboration with OCR to help small- to medium-sized healthcare providers comply with the security risk assessment requirements of the HIPAA Security Rule and the Centers for Medicare and Medicaid Service (CMS) Electronic Health Record (EHR) Incentive Program.

A security risk assessment is conducted to identify all risks to the confidentiality, integrity, and availability of protected health information (PHI). The risk assessment should identify any unaddressed risks, which can then be addressed by implementing appropriate physical, technical, and organizational safeguards.

HIPAA compliance audits and investigations of data breaches have revealed healthcare providers often struggle with the risk assessment. Risk assessment failures are one of the most common reasons why HIPAA penalties are issued.

ONC and OCR last updated the SRA Tool in October 2018, when changes were made to improve usability and make the tool apply more broadly to the risks to the confidentiality, integrity, and availability of PHI.

“The tool diagrams the HIPAA Security Rule safeguards and provides enhanced functionality to document how your organization implements safeguards to mitigate, or plans to mitigate, identified risks,” explained ONC.

Further enhancements have now been made based on feedback received from healthcare providers that have used the SRA Tool, including improvements to navigation throughout the assessment sections, new options for exporting reports, and enhanced user interface scaling.

The latest version (v3.2) of the SRA Tool is available for Windows and Mac OS on this link.

ONC and OCR will be hosting a webinar on September 17 at 10:30 AM E.T. to introduce the new SRA tool and to provide an overview of the improvements that have been made. You can register for the webinar on this link.

The post HHS Releases Updated Security Risk Assessment Tool appeared first on HIPAA Journal.

HIPAA Right of Access Failures Result in Five OCR HIPAA Fines

The Department of Health and Human Services’ Office for Civil Rights has announced five settlements have been reached to resolve HIPAA violations discovered during the investigation of complaints from patients who had experienced problems obtaining a copy of their health records.

The HIPAA Privacy Rule gives individuals the right to have timely access to their health records at a reasonable cost. If an individual chooses to exercise their rights under HIPAA and submit a request for a copy of their health records, a healthcare provider must provide those records without reasonable delay and within 30 days of receiving the request.

After receiving multiple complaints from individuals who had been prevented from obtaining a copy of their health records, OCR launched its HIPAA right of access initiative in 2019 and made compliance with the HIPAA right of access one of its enforcement priorities.

Two settlements were reached with HIPAA covered entities in 2019 over HIPAA right of access failures. Bayfront Health St Petersburg and Korunda Medical, LLC were each ordered to pay a financial penalty of $85,000 to settle the case and adopt a corrective action plan to ensure that access requests were processed in a timely manner in the future.

The latest 5 settlements were agreed with Beth Israel Lahey Health Behavioral Services, Housing Works, Inc., All Inclusive Medical Services, Inc., King MD, and Wise Psychiatry, PC. The financial penalties ranged from $3,500 to $70,000, with OCR considering several factors when determining an appropriate penalty.

The settlements are intended to send a message to healthcare organizations that compliance with the HIPAA right of access is not optional. When complaints are received alleging non-compliance, they will be investigated, and a financial penalty may be deemed appropriate.

“Patients can’t take charge of their health care decisions, without timely access to their own medical information,” said OCR Director Roger Severino. “Today’s announcement is about empowering patients and holding health care providers accountable for failing to take their HIPAA obligations seriously enough.”

Beth Israel Lahey Health Behavioral Services

Beth Israel Lahey Health Behavioral Services (BILHBS) is the largest provider of mental health and substance use disorder services in eastern Massachusetts. In April 2019, OCR received a complaint alleging BILHBS had failed to respond to a request from a personal representative seeking a copy of her father’s medical records. The complainant requested the records in February 2019, but they had still not been provided two months later.

In response to the OCR investigation, the patient received her father’s medical records in October 2019. OCR determined there had potentially been a violation of the HIPAA Right of Access. BILHBS agreed to settle the case for $70,000 and has adopted a corrective action plan and will be monitored by OCR for one year.

Housing Works

Housing Works, Inc. is a New York City based non-profit healthcare organization that provides healthcare, homeless services, advocacy, job training, re-entry services, and legal aid support for people living with and affected by HIV/AIDS.

In June 2019, a patient requested a copy of his medical records from Housing Works, Inc. In July 2019, a complaint was filed with OCR alleging Housing Works had not provided those records. OCR investigated and provided technical assistance on the HIPAA right of access and closed the case. However, the complainant was still not provided with a copy of his medical records and filed a second complaint with OCR in August 2019.

OCR reopened the investigation and determined that the failure to provide those records was in violation of the HIPAA right of access and a financial penalty was warranted. Housing Works provided the complainant with his medical records in November 2019. The case was settled for $38,000 and Housing Works agreed to adopt a corrective action plan. OCR will monitor Housing Works for one year.

All Inclusive Medical Services, Inc.

All Inclusive Medical Services, Inc. (AIMS) is a Carmichael, CA-based multi-specialty family medicine clinic that provides a range of services including internal medicine, pain management, and rehabilitation.

In January 2018, a patient requested a copy of her medical records, but AIMS allegedly refused to provide those records. The patient sent a complaint to OCR in April 2018 and an investigation was launched. OCR determined the failure to allow the patient to inspect and receive a copy of her medical records was in violation of the HIPAA right of access. The patient was sent a copy of her records in August 2020.

AIMS was ordered to pay OCR $15,000 to settle the case and adopt a corrective action plan. OCR will monitor AIMS for compliance for 2 years.

King MD

King MD is a small provider of psychiatric services in Virginia. OCR received a complaint in October 2018 from a patient who had not been provided with a copy of her medical records within two months of submitting the request. OCR contacted King MD and provided technical assistance on the HIPAA right of access; however, in February 2019, OCR received a second complaint as King MD had still not provided the patient with her medical records. Those records were finally provided in July 2020.

OCR agreed to settle the case for $3,500. King MD has adopted a corrective action plan and will be monitored by OCR for two years.

Wise Psychiatry, PC.

Wise Psychiatry is a small provider of psychiatric services in Colorado.  In November 2017, a personal representative submitted a request for a copy of her minor son’s medical records. Those records had still not been provided by February 2018 and a complaint was filed with OCR. OCR investigated and provided technical assistance on the HIPAA right of access and closed the case.

A second complaint was received in October 2018 from the same individual who still had not been provided with her son’s records. Those records were finally provided in May 2019 as a result of the OCR investigation. The case was settled for $10,000 and Wise Psychiatry agreed to adopt a corrective action plan and will be monitored by OCR for one year.

The post HIPAA Right of Access Failures Result in Five OCR HIPAA Fines appeared first on HIPAA Journal.

CISA Warns of Ongoing Attacks by Chinese Hacking Groups Targeting F5, Citrix, Pulse Secure, and MS Exchange Flaws

The Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) has issued a security advisory warning hackers affiliated with China’s Ministry of State Security (MSS) are conducting targeted cyberattacks on U.S. government agencies and private sector companies.

The attacks have been ongoing for more than a year and often target vulnerabilities in popular networking devices such as Citrix and Pulse Secure VPN appliances, F5 Big-IP load balancers, and Microsoft Exchange email servers. The hacking groups use publicly available information and open source exploit tools in the attacks such as China Chopper, Mimikatz, and Cobalt Strike. The hacking groups, which have varying levels of skill, attempt to gain access to federal computer networks and sensitive corporate data and several attacks have been successful.

The software vulnerabilities exploited by the hackers are all well-known and patches have been released to correct the flaws, but there are many potential targets that have yet to apply the patches and are vulnerable to attack.

Some of the most exploited vulnerabilities include:

CVE-2020-5902 – A vulnerability in the F5 Big-IP Traffic Management Interface which, if exploited, allows threat actors to execute arbitrary system commands, disable services, execute java code, and create/delete files.

CVE-2019-19781– A vulnerability in Citrix VPN appliances which can be exploited to achieve directory traversal.

CVE-2019-11510 – A vulnerability in Pulse Secure VPN appliances which can be exploited to gain access to internal networks.

CVE-2020-0688 – A vulnerability in MS Exchange which can be exploited to gain access to Exchange servers and execute arbitrary code.

There is no single action that can be taken to block these threats, but many of the successful attacks have exploited known vulnerabilities. Scans are often conducted within hours or days of a vulnerability being made public. Since many public and private sector organizations do not apply patches promptly, it gives hackers the opportunity to gain access to networks. Applying patches promptly is therefore one of the best forms of defense.

“Maintaining a rigorous patching cycle continues to be the best defense against the most frequently used attacks,” explained CISA in its security advisory. “If critical vulnerabilities remain unpatched, cyber threat actors can carry out attacks without the need to develop custom malware and exploits or use previously unknown vulnerabilities to target a network.”

Scans are being conducted using tools such as the Shodan search engine to identify potential targets that may be susceptible to attacks. The hackers also leverage the Common Vulnerabilities and Exposure (CVE) and the National Vulnerabilities (NVD) databases to obtained detailed information about vulnerabilities that can be exploited.

“Together, these data sources provide users with the understanding of a specific vulnerability, as well as a list of systems that may be vulnerable to attempted exploits,” explained CISA. “These information sources therefore contain invaluable information that can lead cyber threat actors to implement highly effective attacks.”

Other tactics often used by these threat actors include spear phishing and brute force attempts to guess weak passwords. It is therefore essential to enforce the use of strong passwords, provide phishing awareness training to the workforce, and implement software solutions capable of detecting/blocking phishing attacks.

The post CISA Warns of Ongoing Attacks by Chinese Hacking Groups Targeting F5, Citrix, Pulse Secure, and MS Exchange Flaws appeared first on HIPAA Journal.

Privacy Lawsuit Against UChicago and Google Dismissed by Federal Judge

A potential class action lawsuit filed against the University of Chicago, UChicago Medicine, and Google over an alleged privacy and HIPAA breach has been dismissed by a Federal judge.

The lawsuit was filed in June 2019 in response to an alleged violation of HIPAA Rules related to a data sharing partnership between the University of Chicago Medicine and Google.

In 2017, the University of Chicago Medicine sent the de-identified data of patients to Google as part of an initiative to use medical records to improve predictive analysis of hospitalizations, and by doing so, improve the quality of patient care. The aim of the partnership was to use machine learning techniques to identify when a patient’s health is declining, to allow timely interventions to prevent hospitalization.

The University of Chicago Medicine sent hundreds of thousands of patient records dating from 2009 to 2016 to Google. The data shared with Google was deidentified but contained physicians’ notes and time stamps of dates of service.

The lawsuit was filed by Edelson PC on behalf of lead plaintiff, Matt Dinerstein, a patient of UC Medical Center who had hospital stays on two occasions in 2015.

The lawsuit alleged Mr. Dinerstein’s confidential protected health information was shared with Google without properly de-identifying the data, as free-text notes from doctors and nurses were included in the data along with associated time stamps.  That information had come to light following a 2018 research study which confirmed notes and time stamps were included in the data.

The lawsuit alleged the inclusion of that information meant the data shared with Google was not sufficiently de-identified. Since Google already had a substantial store of information, it is possible that patients could be re-identified, which created a privacy risk for all patients whose information was shared with Google.

The lawsuit also alleged the medical records had value to Mr. Dinerstein and had been stolen, although no claim was made that Google had tried to re-identify patients. The lawsuit also claimed Mr. Dinerstein was owed a reasonable royalty for the use of his protected health information.

UC Medical Center and Google filed motions to dismiss the lawsuit on August 3, 2019 claiming all data sent to Google under the partnership had been transmitted via secure channels in a manner compliant with the HIPAA Rules. The motions also stated neither HIPAA nor the Illinois Medical Patient Rights Act include a private right of action.

On September 4, 2020, Federal Judge Rebecca Pallmeyer of the United States District Court Northern District of Illinois Eastern Division, rejected Mr. Dinerstein’s claims and dismissed the lawsuit.

“Even if Mr. Dinerstein has a property interest in medical information, his allegations do not support an interference that the value of that property has been diminished by the University’s or Google’s actions,” said Judge Pallmeyer, also saying royalties are only appropriate for interference with a property right, and the plaintiff had failed to establish he had such rights to his PHI. Judge Pallmeyer also said in the ruling that Mr. Dinerstein had failed to adequately demonstrate the alleged privacy breach had caused him economic damage. The plaintiff has the right to file an amended complaint before October 15, 2020.

The ruling will certainly be good news for Google, which is also facing scrutiny of its partnership with Ascension over potential HIPAA violations related to the millions of records Ascension provided to Google in 2019 under “Project Nightingale”.

The post Privacy Lawsuit Against UChicago and Google Dismissed by Federal Judge appeared first on HIPAA Journal.

Feedback Sought on Draft Consumer Privacy Framework for Health Data Not Covered by HIPAA

The eHealth Initiative & Foundation (eHI) and the Center for Democracy and Technology (CDT) recently released a draft consumer privacy framework for health data to address gaps in legal protections for the health data of consumers that falls outside the protection of the Health Insurance Portability and Accountability Act (HIPAA).

The HIPAA Rules require healthcare providers, health plans, healthcare clearinghouses, and business associates of HIPAA-covered entities to implement safeguards to ensure the confidentiality, integrity, and availability of health data. There are restrictions on uses and disclosures of healthcare data and Americans are also given rights over how their protected health information is used, to whom that information may be disclosed, and they have the right to access their health data.

Many organizations collect, use, store, and transmit many of the data elements within the category of ‘protected health information’, yet if they are not HIPAA-covered entities or business associates of HIPAA-covered entities, HIPAA Rules will not apply.

The eHI/CDT Consumer Privacy Framework for Health Data is a voluntary, self-regulatory program “designed to hold member companies to a set of standards separately developed through a multistakeholder process” and covers consumer health data not covered by HIPAA.

The framework includes a definition of the health data which must be protected as well as the standards and rules to protect that information. The framework places limits on the amount of data collected, how health data can be used, and includes a model for holding companies accountable for data collected, used, and disclosed.

The framework requires companies to obtain affirmative express consent to collect, use, or disclose consumer health data and prohibits companies from using consumer health data for any purpose other than the reason for which the information was requested, and for which consumers gave their consent.

Notice must be provided about the information collected, used or disclosed, the purpose for data collection must be clearly stated, and if there will be any disclosures, to whom disclosures will be made. The framework also prohibits the use of consumer health information for causing harm or discrimination against an individual.

Like HIPAA, the framework calls for limits to be placed on the health information collected, disclosed or used, which should be restricted to the minimum necessary amount to achieve the purpose for which it has been collected.

The framework gives consumers rights with respect to their consumer data, including the right to access the information collected, check health information for errors, have errors collected, and have health information deleted. If technically feasible, consumers should be able to have their data transferred to another participating entity. The framework also calls for participating entities to establish and implement reasonable security policies, practices, and procedures to ensure consumer health information is protected.

eHI/CDT are seeking constructive public feedback on the Consumer Privacy Framework for Health Data. Comments will be accepted until Friday, September 25, 2020.

The post Feedback Sought on Draft Consumer Privacy Framework for Health Data Not Covered by HIPAA appeared first on HIPAA Journal.