Latest HIPAA News

April 2020 Healthcare Data Breach Report

Posted by HIPAA Journal

There were 37 healthcare data breaches of 500 or more records reported in April 2020, up one from the 36 breaches reported in March. As the graph below shows, the number of breaches reported each month has been fairly consistent and has remained well below the 12-month average of 41.9 data breaches per month.

Healthcare data breaches by month (2019-2020)

While the number of breaches increased slightly, there was a significant reduction in the number of breached healthcare records in April. 442,943 healthcare records were breached in April, down 46.56% from the 828,921 records breached in March. This is the second successive month where the number of exposed records has fallen. While this is certainly good news, it should be noted that in the past 12 months, 39.92 million healthcare records have been breached.

Healthcare records breached in the past 6 months

Largest Healthcare Data Breaches in April 2020

 

Name of Covered Entity Covered Entity Type Individuals Affected Type of Breach Location of Breached Information
Beaumont Health Healthcare Provider 112,211 Hacking/IT Incident Email
Meridian Health Services Corp. Healthcare Provider 111,372 Hacking/IT Incident Email
Arizona Endocrinology Center Healthcare Provider 74,122 Unauthorized Access/Disclosure Electronic Medical Record
Advocate Aurora Health Healthcare Provider 27,137 Hacking/IT Incident Email, Network Server
Doctors Community Medical Center Healthcare Provider 18,481 Hacking/IT Incident Email
Andrews Braces Healthcare Provider 16,622 Hacking/IT Incident Network Server
UPMC Altoona Regional Health Services Healthcare Provider 13,911 Hacking/IT Incident Email
Colorado Department of Human Services, Office of Behavioral Health Healthcare Provider 8,132 Unauthorized Access/Disclosure Network Server
Agility Center Orthopedics Healthcare Provider 7,000 Hacking/IT Incident Email
Beacon Health Options, Inc. Business Associate 6,723 Loss Other Portable Electronic Device

 

Causes of Healthcare Data Breaches in April

As was the case in March, hacking and IT incidents were the leading causes of healthcare data breaches. Unauthorized access/disclosure incidents were the next most common causes of breaches, an increase of 77.77% from the previous month.

333,838 records were compromised in the 18 reported hacking/IT incidents, which account for 75.37% of all records breached in April. The average breach size was 18,547 records and the median breach size was 4,631 records. There were 16 reported unauthorized access/disclosure incidents in April. The average breach size was 6,171 records and the median breach size was 1,122 records. In total, 98,737 records were breached across those 16 incidents.

There were two theft incidents reported in April, both involving portable electronic devices. The records of 3,645 individuals were stored on those devices. There was also one lost portable electronic device containing the records of 6,723 patients.

causes of healthcare data breaches in April 2020

The bar chart below shows the location of breached protected health information. The chart shows email is by far the most common location of breached health information. 48.65% of all reported breaches in April involved PHI stored in emails and email attachments. The majority of those breaches were phishing attacks. Most healthcare data breaches involve electronic data, but one in five breaches involved PHI in paper files and charts.

Location of breached PHI in April 2020

Healthcare Data Breaches by Covered Entity Type

Healthcare providers were the worst affected covered entity type in April with 30 breaches reported. 4 health plans reported a breach in April, and three breaches were reported by business associates of HIPAA-covered entities. A further 8 breaches had some business associate involvement.

Healthcare Data Breaches by State

April’s data breaches were reported by covered entities and business associates in 22 states. Florida and Texas were the worst affected with 4 breaches each. There were three data breaches reported in Michigan and Pennsylvania, and two breaches affecting covered entities and business associates based in California, Connecticut, Minnesota, Missouri, and Wisconsin. One breach was reported by entities based in Arkansas, Arizona, Colorado, Delaware, Indiana, Massachusetts, Maryland, North Carolina, New Mexico, Nevada, Tennessee, Utah, and Washington.

HIPAA Enforcement Activity in April

There were no financial penalties imposed on covered entities or business associates by state Attorneys General or the HHS’ Office for Civil Rights in April.

The post April 2020 Healthcare Data Breach Report appeared first on HIPAA Journal.

Guidance on Managing the Cybersecurity Tactical Response in a Pandemic

Posted by HIPAA Journal

Joint guidance on has been issued by the Healthcare and Public Health Sector Coordinating Council (HSCC) and the Health Information Sharing and Analysis Center (H-ISAC) on managing the cybersecurity tactical response in emergency situations, such as a pandemic.

Threat actors will try to exploit emergency situations to conduct attacks, which has been clearly seen during the COVID-19 pandemic. In many cases, the duration of an emergency will limit the potential for threat actors to take advantage, but in a pandemic the period of exposure is long. The SARS-CoV-2 outbreak was declared a public health emergency on January 30, 2020, giving threat actors ample time to exploit COVID-19 to conduct attacks on the healthcare sector.

The key to dealing with the increased level of cybersecurity threat during emergency situations is preparation. Without preparation, healthcare organizations will find themselves constantly fighting fires and scrambling to improve security at a time when resources are stretched thin.

The new guidance was created during the COVID-19 pandemic by HSCC’s Cybersecurity Working Group (CWG), H-ISAC, and healthcare industry and government cybersecurity experts and is intended to help healthcare organizations develop a tactical response for managing cybersecurity threats that increase during emergencies and to help them improve their level of preparedness.

During the COVID-19 crisis, cyber threat actors have conducted a range of attacks on healthcare organizations including phishing attacks, domain attacks, and malware and ransomware attacks. The attacks came at a time when healthcare organizations were attempting to provide care for highly infectious patients, deploy remote diagnostic and treatment services, and transition to teleworking to prevent the spread of COVID-19. The change in working practices significantly increased the attack surface and introduced new vulnerabilities and attack vectors.

“For each gain delivered by automation, interoperability, and data analytics, the vulnerability from malicious cyber-actors increases as well,” explained HSCC/H-ISAC in the guidance document. “To thwart these attacks before they occur, it is essential for healthcare organizations to establish, implement, and maintain current and effective cybersecurity practices.”

The guidance document can be used by healthcare organizations of all sizes to improve their cybersecurity programs and prepare for emergency situations. Smaller healthcare organizations can use the guidance to help them choose appropriate measures to improve their security posture, while larger organizations that have already planned their tactical crisis response can use the guide as a checklist to ensure nothing has been missed.

The guidance document divides techniques, practices, and activities into four main sections: Education and Outreach; Enhance Prevention Techniques; Enhance Detection and Response; and Take Care of the Team.

The cybersecurity response to a crisis is largely dependent on technical controls, but HSCC/H-ISAC explains that education and outreach play an important part in the success of the response strategy. In emergency situations, even the best laid plans can come unstuck without proper education and outreach. Organizations that communicate their plans effectively will reduce confusion, improve response times, and maximize the effectiveness of their cybersecurity plan. The guide explains how to develop a communication plan and conduct policy and procedure reviews effectively.

Preventing cyberattacks is critical. Most healthcare organizations will have implemented a range of measures to thwart cyberattacks prior to the public health emergency, but HSCC/H-ISAC suggests three practices should be reviewed: Limiting the potential attack surface, bolstering remote access, and leveraging threat intelligence feeds.

Reducing the attack surface requires effective vulnerability management, accelerated patching, securing medical devices and endpoints, and managing third party network access. The guidance document suggests some of the ways that remote access can be secured, and how to leverage threat intelligence feeds to prevent attacks and accelerate the response.

Many attacks are difficult to prevent, so it is critical for mechanisms to be developed and implemented to detect successful attacks and respond quickly. The guidance document suggests some of the steps that can be taken to enhance detection and response to attacks.

It is also important to take care of the team. In crisis situations, health, well-being, job security, and financial stability are all key concerns for healthcare employees. It is important for organizations to communicate effectively with their workers and address these concerns and share how the organization will support employees during the crisis.

You can view and download the guidance document on this link. A second guidance document was released by HSCC earlier this month that details steps healthcare organizations can take to protect trade secrets and research. The guidance document is available for download here.

The post Guidance on Managing the Cybersecurity Tactical Response in a Pandemic appeared first on HIPAA Journal.

Republicans and Democrats Introduce Competing Bills Covering COVID-19 Contact Tracing Apps

Posted by HIPAA Journal

Two privacy bills have been introduced relating to COVID-19 contact tracing apps that are now being considered by Congress. The competing bills, introduced by Republican and Democratic lawmakers, share some common ground and look to achieve similar aims.

The first bill, the COVID-19 Consumer Data Protection Act, was introduced by Republican senators Roger Wicker (R-Miss), John Thune (R-S.D), Jerry Moran, (R-Kan), and Marsha Blackburn (R-Tenn) last month “to protect the privacy of consumers’ personal health information, proximity data, device data, and geolocation data during the coronavirus public health crisis.”

The bill would make it illegal for personal health information, proximity data, device data, and geolocation data to be collected unless notice was given to consumers about the purpose of collecting data and consumers are required to give their consent to the collection, processing, and transfer of their data. The bill prohibits the collection, use, or transfer of data for any secondary purposes.

The allowed purposed for the collection, processing, and transfer of data is limited to tracking the spread, signs, and symptoms of COVID-19; the collection, processing and transfer of an individual’s data to measure compliance with social distancing guidelines and other requirements related to COVID-19 imposed on individuals; and the collection, processing, or transfer of data for COVID-19 contact tracing purposes.

The bill also requires companies to allow individuals to opt out, provide transparency reports describing data collection activities, establish data minimization and data security requirements, define what constitutes aggregate and de-identified data to ensure companies adopt certain technical and legal safeguards to prevent re-identification; and to require companies to delete collected data when the COVID-19 public health emergency is over.

According to Senator Thune, “This bill strikes the right balance between innovation – allowing technology companies to continue their work toward developing platforms that could trace the virus and help flatten the curve and stop the spread – and maintaining privacy protections for U.S. citizens.”

The Democratic bill, the Public Health Emergency Privacy Act, was introduced by Representatives Anna G. Eshoo (D-Calif), Jan Schakowsky (D-Ill), Suzan DelBene(D-Wash), and Senators Richard Blumenthal (D-Conn) and Mark Warner (D-Va). The aim of the bill is to ensure there is transparency over the health and location data collected by contact-tracing apps and to give Americans control over the collection and use of their data. The bill also ensures that businesses can be held to account by consumers if their data is used for any activities other than the fight against COVID-19.

The bill requires health data to only be used for public health purposes; prohibits the use of health data for discriminatory, unrelated, or intrusive purposes, including commercial advertising or to gate access to employment, finance, insurance, housing, or education opportunities; prevents misuse of data by government agencies that have no role in public health; ensures meaningful data security and data integrity protections are implemented; prohibits conditioning the right to vote based on a medical condition or use of contact tracing apps; and requires reports to be regularly produced on the impact of digital collection tools on civil rights.

The bill requires the public to be given control over participation in contact tracing through opt-in consent, there must be meaningful transparency, and robust private and public enforcement. The bill also calls for the destruction of data within 60 days of the end of the public health emergency. The bill would not apply to HIPAA-covered entities or their business associates, which would continue to be required to comply with HIPAA Rules.

“As we continue to respond to the devastating suffering caused by COVID-19, our country’s first and foremost public health response must be testing, testing, testing, AND manual contact tracing. Digital contact tracing can and should complement these efforts, but it is just that – complimentary. However, if we do pursue digital contact tracing, consumers need clearly-defined privacy rights and strong enforcement to safeguard these rights,” said Rep. Jan Schakowsky.

Given the similarity of both bills and their common goals, it may be possible for some consensus to be reached on the content of any new legislation and for both sides to work together to get a bill passed to protect the privacy of Americans and ensure that data collected by COVID-19 contact tracing apps is not misused.

The post Republicans and Democrats Introduce Competing Bills Covering COVID-19 Contact Tracing Apps appeared first on HIPAA Journal.

CISA and FBI Publish List of Top 10 Exploited Vulnerabilities

Posted by HIPAA Journal

On Tuesday, the FBI and the Cybersecurity and Infrastructure Security Agency issued a joint public service announcement detailing the top 10 most exploited vulnerabilities between 2016 and 2019. These vulnerabilities have been exploited by sophisticated nation state hackers to attack organizations in the public and private sectors to gain access to their networks to steal sensitive data.

The vulnerabilities included in the list have been extensively exploited by hacking groups with ties to China, Iran, Russia and North Korea with those cyber actors are still conducting attacks exploiting the vulnerabilities, even though patches have been released to address the flaws. In some cases, patches have been available for more than 5 years, but some organizations have still not applied the patches.

Exploiting the vulnerabilities in the top 10 list requires fewer resources compared to zero-day exploits, which means more attacks can be conducted. When patches are applied to address the top 10 vulnerabilities, nation state hackers will be forced to develop new exploits which will limit their ability to conduct attacks.

“A concerted campaign to patch these vulnerabilities would introduce friction into foreign adversaries’ operational tradecraft and force them to develop or acquire exploits that are more costly and less widely effective. A concerted patching campaign would also bolster network security by focusing scarce defensive resources on the observed activities of foreign adversaries,” explains CISA and FBI in the alert.

CISA and the FBI hope the list will help organizations to prioritize patching and are urging all organizations to invest more time and resources into patching and develop a program that will keep all system patching up to date moving forward.

Top 10 Routinely Exploited Vulnerabilities

The top 10 list of routinely exploited vulnerabilities includes flaws in Microsoft Office, Microsoft Windows, Microsoft SharePoint, Microsoft .NET Framework, Apache Struts, Adobe Flash Player, and Drupal. Out of the top ten, most nation state hacking groups have concentrated on just three vulnerabilities – CVE-2017-11882, CVE-2017-0199, and CVE-2012-0158 – all of which concern Microsoft’s OLE technology. Microsoft’s Object Linking and Embedding (OLE) allows content from other applications to be embedded in Word Documents. The fourth most commonly exploited vulnerability – CVE-2017-5638 – is present in the web framework, Apache Struts. These vulnerabilities have been exploited to deploy a range of different malware payloads including Loki, FormBook, Pony/FAREIT, FINSPY, LATENTBOT, Dridex, JexBos, China Chopper, DOGCALL, WingBird, FinFisher, and Kitty.

Priority Vulnerability Affected Products
1 CVE-2017-11882 Microsoft Office 2007 SP3/2010 SP2/2013 SP1/2016 Products
2 CVE-2017-0199 Microsoft Office 2007 SP3/2010 SP2/2013 SP1/2016, Vista SP2, Server 2008 SP2, Windows 7 SP1, Windows 8.1
3 CVE-2017-5638 Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1
4 CVE-2012-0158 Microsoft Office 2003 SP3, 2007 SP2 and SP3, and 2010 Gold and SP1; Office 2003 Web Components SP3; SQL Server 2000 SP4, 2005 SP4, and 2008 SP2, SP3, and R2; BizTalk Server 2002 SP1; Commerce Server 2002 SP4, 2007 SP2, and 2009 Gold and R2; Visual FoxPro 8.0 SP1 and 9.0 SP2; and Visual Basic 6.0
5 CVE-2019-0604 Microsoft SharePoint
6 CVE-2017-0143 Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT
7 CVE-2018-4878 Adobe Flash Player before 28.0.0.161
8 CVE-2017-8759 Microsoft .NET Framework 2.0, 3.5, 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2 and 4.7
9 CVE-2015-1641 Microsoft Word 2007 SP3, Office 2010 SP2, Word 2010 SP2, Word 2013 SP1, Word 2013 RT SP1, Word for Mac 2011, Office Compatibility Pack SP3, Word Automation Services on SharePoint Server 2010 SP2 and 2013 SP1, and Office Web Apps Server 2010 SP2 and 2013 SP1
10 CVE-2018-7600 Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1

 

A warning has also been issued about two vulnerabilities that have been exploited in attacks in 2020. These vulnerabilities both concern Virtual Private Network (VPN) solutions and have been exploited by nation state hackers and cybercriminal groups: The Citrix vulnerability CVE-2019-19781 and the Pulse Secure VPN vulnerability CVE-2019-11510.

The rush to implement cloud collaboration services such as Microsoft Office 365 to allow employees to work remotely due to COVID-19 has given hackers new options for attacking organizations. Hasty deployments of these solutions have led to oversights in security configurations which makes them vulnerable to attack. Cybersecurity weaknesses are also being targeted, such as poor employee education about phishing and social engineering. A lack of system recovery and contingency plans has also placed organizations at risk of ransomware attacks.

The post CISA and FBI Publish List of Top 10 Exploited Vulnerabilities appeared first on HIPAA Journal.

AMA Publishes Set of Privacy Principles for Non-HIPAA-Covered Entities

Posted by HIPAA Journal

The American Medical Association (AMA) has published a set of privacy principles for non-HIPAA-covered entities to help ensure that the privacy of consumers is protected, even when healthcare data is provided to data holders that do not need to comply with HIPAA Rules.

HIPAA only applies to healthcare providers, health plans, healthcare clearinghouses (covered entities) and business associates of those entities. HIPAA requires those entities to protect the privacy of patients and implement security controls to keep their healthcare data private and confidential. When the same healthcare data is shared with an entity that is not covered by HIPAA, those protections do not need to be in place. HIPAA also gives patients rights over their health data, but those rights do not apply to health data sent to a non-HIPAA-covered entity.

The Centers for Medicare and Medicaid Services (CMS) and the Office of the National Coordinator for Health IT (ONS) have recently published rules to prevent information blocking and improve sharing of healthcare data. One requirement is to allow patients to have their health data sent to a third-party app of their choice. In most cases, the developers of those apps are not HIPAA-covered entities.

Discussions are taking place in Congress about new federal regulations covering healthcare data provided to non-HIPAA-covered entities and several legislative acts have been proposed, although none have so far attracted sufficient support.

The new privacy principles developed by the AMA are intended to give consumers greater control over their healthcare data when it is held by a non-HIPAA-covered entity and to inform discussions about new legislation to better protect privacy when health data is shared with third-parties outside of the healthcare system.

In a recent blog post announcing the new privacy principles, the AMA explained that patients’ confidence in the privacy and security of their data has been shaken. The business models of many tech companies involve gathering extensive information about consumers personal lives, in many cases with a lack of transparency and consent. There have been many scandals over personal data which have made consumers nervous about sharing data not only with tech companies but also with their healthcare providers.

Consumers are now less willing to provide health information to physicians, as they are worried that the information may not remain private and confidential and may even be shared with tech companies. The AMA is particularly concerned that the recent CMS and ONC rule changes will make it even more likely that patients will feel that they should withhold certain healthcare data from their healthcare providers.

The privacy principles will help to ensure that guardrails are placed around healthcare data and patients are given meaningful control over their healthcare data and will be told, in clear and easy to understand language, exactly how their health data will be used and with whom that information will be shared. The privacy principles also cover data that has not historically been considered to be personally identifiable such as IP addresses and mobile phone advertising identifiers but could in fact be used to identify an individual.

The privacy principles detail rights that individuals should have over their healthcare data and protections that need to be implemented to protect against healthcare data being used to discriminate against individuals. The AMA is also attempting to shift the responsibility for privacy from individuals to data holders, who must be responsible stewards of any data provided to them. In cases where privacy is violated, the AMA is calling for tough penalties to be imposed and for there to be robust enforcement of any new national privacy legislation. Robust enforcement will help to maintain trust in digital health tools, including smartphone apps that can be used to access healthcare data.

The privacy principles establish 12 rights that individuals should have over their health data, equity factors that must be taken into account in any privacy laws, and the responsibilities of data holders to protect the privacy of consumers. Also included are a set of requirements for enforcement of new privacy regulations covering health data.

“The AMA privacy principles set a framework for national protections that provide patients with meaningful control and transparency over the access and use of their data,” said AMA President Patrice A. Harris, M.D., M.A. “Preserving patient trust is critical if digital health technologies are to facilitate an era of more accessible, coordinated, and personalized care.

You can view the AMA’s privacy principles on this link.

The post AMA Publishes Set of Privacy Principles for Non-HIPAA-Covered Entities appeared first on HIPAA Journal.

FTC Seeks Comment on Health Breach Notification Rule

Posted by HIPAA Journal

The U.S. Federal Trade Commission (FTC) is seeking comment on its breach notification requirements for non-HIPAA-covered entities that collect personally identifiable health information.

The FTC’s Health Breach Notification Rule was introduced in 2009 as part of the American Recovery and Reinvestment Act of 2009 (ARRA). The rule took effect on August 22, 2010 and the FTC started actively enforcing compliance on February 22, 2010.

Healthcare data collected, maintained, or transmitted by healthcare providers, health plans, healthcare clearinghouses (HIPAA-covered entities) and their business associates is covered by the Health Insurance Portability and Accountability Act (HIPAA) and is classed as protected health information (PHI).

The FTC’s Health Breach Notification Rule applies to personal health records (PHRs), which are electronic records containing personally identifiable health information that are managed, shared, and controlled by or primarily for the individual. The FTC rule applies to vendors of personal health records and PHR-related entities, which are companies that offer products and services through PHR websites, send information to PHRs, or access some of the information in PHRs.

All entities covered by the FTC’s Health Breach Notification Rule are required to issue notifications to affected consumers and the FTC without unreasonable delay and no later than 60 days from the date of discovery of a breach. The FTC must be notified within 10 days of discovery of a breach if it impacts 500 or more individuals. If a breach is experienced by a service provider, the service provider is required to notify the PHR company. The FTC publishes notices of data breaches affecting 500 or more individuals on its website.

The FTC routinely reviews rules every 10 years. In the 10 years since the rule was passed, only 2 breaches have been published on the FTC website, as most breaches reported to the FTC have involved fewer than 500 records. The FTC also reports that it has not needed to enforce compliance, as the entities to which the rule applies are somewhat limited.

Most PHR vendors and related entities are either HIPAA-covered entities or business associates of those entities and are therefore required to comply with the HIPAA Breach Notification Rule; however, the FTC explains that its rule may soon apply to a greater number of entities.

“As consumers turn towards direct-to-consumer technologies for health information and services (such as mobile health applications, virtual assistants, and platforms’ health tools), more companies may be covered by the FTC’s Rule.”

The COVID-19 pandemic has increased use of these communication platforms following the move by the HHS to temporarily refrain from imposing financial penalties for use of non-HIPAA-compliant platforms in relation to the provision of telehealth services. The FTC rule may therefore be more relevant today than it was 10 years ago when the rule was introduced.

The FTC is seeking answers to specific questions about its rule in relation to its effectiveness, benefits, and relevance to determine whether the rule should remain as it is, should be scrapped, or updated to increase the benefits to consumers.

Comment is being accepted for 90 days from the date of publication in the Federal Register. You can view a copy of the request for public comment on Bloomberg Law.

The post FTC Seeks Comment on Health Breach Notification Rule appeared first on HIPAA Journal.

OCR Issues Guidance on Media and Film Crew Access to Healthcare Facilities

Posted by HIPAA Journal

The HHS’ Office for Civil Rights (OCR) has issued guidance to healthcare providers to remind them that the HIPAA Privacy Rule does not allow the media and film crews to access healthcare facilities where patients’ protected health information is accessible unless written authorization has been obtained from the patients concerned in advance. A public health emergency does not change the requirements of the HIPAA Privacy Rule, which remains in effect in emergency situations.

OCR has made this clear in the past with enforcement actions against Boston Medical Center, Brigham and Women’s Hospital, and Massachusetts General Hospital in 2018 after it was discovered they had given film crews access to their facilities without first obtaining authorization from patients. They were fined a total of $999,000 for the HIPAA violations.

OCR has issued Notices of Enforcement Discretion during the coronavirus pandemic and will not be imposing sanctions and financial penalties on HIPAA-covered entities for certain violations of HIPAA Rules. Penalties can and will be imposed on covered entities for violations of HIPAA Rules not covered by the Notices of Enforcement Discretion, such as unauthorized disclosures to the media.

In the latest guidance, OCR explains that protected health information includes written, electronic, oral, and other visual and audio forms of health information which must be protected against unauthorized access and disclosure. In all cases, HIPAA authorizations must be obtained from patients in advance, before the film crews are granted access to the facilities. It is not permissible for film crews to simply mask the identities of patients in video footage, such as blurring faces before broadcast.

The HIPAA Privacy Rule does not prohibit film crews from entering healthcare facilities. Provided HIPAA authorizations have been obtained in advance from all patients who are in or will be in the areas accessed by the film crews, filming is permitted. However, in such situations, reasonable safeguards must still be put in place to protect against unauthorized disclosures of PHI, including measures such as privacy screens on computer monitors to prevent electronic PHI from being viewed. Screens must also be used to ensure patients who have not signed HIPAA authorizations are not filmed.

“The last thing hospital patients need to worry about during the COVID-19 crisis is a film crew walking around their bed shooting ‘B-roll,’” said Roger Severino, OCR Director.  “Hospitals and health care providers must get authorization from patients before giving the media access to their medical information; obscuring faces after the fact just doesn’t cut it.”

The post OCR Issues Guidance on Media and Film Crew Access to Healthcare Facilities appeared first on HIPAA Journal.

Ciitizen HIPAA Right of Access Study Shows Significant Improvement in Compliance

Posted by HIPAA Journal

There has been a significant improvement in compliance with the HIPAA Right of Access, according to the latest Patient Record Scorecard Report from Ciitizen.

To compile the report, Ciitizen conducted a study of 820 healthcare providers to assess how well each responded to patient requests for copies of their healthcare data. A wide range of healthcare providers were assessed for the study, from single physician practices to large, integrated healthcare delivery systems.

The HIPAA Privacy Rule gives patients the right to request a copy of their healthcare data from their providers. Request must be submitted in writing and healthcare providers are required to provide the patient with a copy of the health data in a designated record set within 30 days to the request being submitted. The data must be provided in the format requested by the patient if the PHI is readily producible in that format. In cases where data cannot be provided in the requested format, the provider should give the patient a printed copy of their healthcare data or provide the data in an alternative format, as agreed with the patient.

For each study, requests for copies of healthcare data are sent to healthcare providers by Ciitizen users. The provider then receives a rating from 1-5 based on their response. A 1-star rating represents a non-HIPAA-compliant response. 2-stars are awarded when requests are eventually resolved satisfactorily, but only after multiple escalations to supervisors. A 3-star rating is given when the request is satisfied with minimal intervention, and a 4-star rating is given to providers that are fully compliant and have a seamless response. A 5-star rating is reserved for providers with a patient-focused process who go above and beyond the requirements of HIPAA.

Previous studies revealed a majority of providers (51%) were not compliant with the HIPAA Right of Access. The latest study saw that percentage fall to 27%. The percentage of providers awarded 4 stars for their responses increased from 40% to 67%, and the percentage of providers awarded 5 stars increased from 20% to 28%.

There was further good news from this year’s study. Under HIPAA, healthcare providers are permitted to charge patients a reasonable, cost-based fee for producing the records, but only 6% of the 820 healthcare providers charged fees.

In previous studies, many healthcare providers required patients to complete a standard form, yet this year, most providers accepted any form of written request and did not require patients to complete a particular form before the request was processed.

The latest study saw a significant increase in assessments, which may have accounted, in part, for the improvements in compliance. 51 providers were assessed for the first Patient Record Scorecard report, 210 in the second, and 820 in the third. Ciitizen points out that the percentage of non-compliant providers in those studies did correlate with a separate study conducted on 3,000 providers, which suggests that the improvements made are genuine.

Ciitizen attributes the improvements in compliance to three main factors. A greater emphasis has been placed on the right of individuals to obtain copies of their healthcare data following the publication of new rules by the HHS’ Centers for Medicare and Medicaid Services and the HHS’ Office of the National Coordinator for Health IT, which make it easier for patients to obtain copies of their healthcare data.

There has also bee a positive influence of release of information (ROI) vendors. ROI vendors process patient requests on behalf of covered entities and help those entities comply with the HIPAA Right of Access. Finally, the HHS’ Office for Civil Rights launched a HIPAA Right of Access enforcement initiative last year. Under that initiative, two penalties of $85,000 were imposed on covered entities that failed to comply with requests from patients to provide copies of their PHI.

The Ciitizen Patient Record Scorecard Reports and the website sit up by Ciitizen that shows the scores of each provider may also have played a role in encouraging healthcare providers to comply with this important aspect of HIPAA.

The post Ciitizen HIPAA Right of Access Study Shows Significant Improvement in Compliance appeared first on HIPAA Journal.

NSA Cybersecurity Guidance for Teleworkers and Other Useful COVID-19 Threat Resources

Posted by HIPAA Journal

The National Security Agency has issued cybersecurity guidance for teleworkers to help improve security when working remotely. The guidance has been released primarily for U.S. government employees and military service members, but it is also relevant to healthcare industry workers providing telehealth services from their home computers and smartphones.

There are many consumer and enterprise-grade communication solutions available and the cybersecurity protections offered by each can differ considerably. The guidance document outlines 9 important considerations when selecting a collaboration service. By assessing each service against the 9 criteria, remote workers will be able to choose the most appropriate solution to meet their needs.

The NSA strongly recommends conducting high-level security assessments to determine how the security capabilities of each platform performs against certain security criteria. These assessments are useful for identifying risks associated with the features of each tool. The guidance document also provides information on using the collaboration services securely.

The NSA recommends the guidance should be reviewed by all employees who are now working from home to allow them to make an informed decision about the best communication and collaboration tools to use to meet their specific needs, and for workers to take the steps outlined in the guidance document to mitigate risks of cyberattacks.

The guidance document, Selecting and Securely Using Collaboration Service for Telework can be downloaded here.

Healthcare-specific guidance for remote workers has also recently been published by the American Hospital Association (AHA) /American Medical Association (AMA), which should be used in conjunction with the NSA guidance.

OCR Suggests Resources to Help Healthcare Organizations Combat COVID-19 Threats

On April 30, 2020, the HHS’ Office for Civil Rights suggested several resources covering the current threat landscape and the steps that can be taken to reduce risks to a reasonable and acceptable level, as detailed below:

The post NSA Cybersecurity Guidance for Teleworkers and Other Useful COVID-19 Threat Resources appeared first on HIPAA Journal.