Latest HIPAA News

2019 Healthcare Data Breach Report

Posted by HIPAA Journal

Figures from the Department of Health and Human Services’ Office for Civil Rights breach portal show a major increase in healthcare data breaches in 2019. Last year, 510 healthcare data breaches of 500 or more records were reported, which represents a 196% increase from 2018.

As the graph below shows, aside from 2015, healthcare data breaches have increased every year since the HHS’ Office for Civil Rights first started publishing breach summaries in October 2009.

37.47% more records were breached in 2019 than 2018, increasing from 13,947,909 records in 2018 to 41,335,889 records in 2019.

Last year saw more data breaches reported than any other year in history and 2019 was the second worst year in terms of the number of breached records. More healthcare records were breached in 2019 than in the six years from 2009 to 2014. In 2019, the healthcare records of 12.55% of the population of the United States were exposed, impermissibly disclosed, or stolen.

Largest Healthcare Data Breaches of 2019

The table below shows the largest healthcare data breaches of 2019, based on the entity that reported the breach.

Name of Covered Entity Covered Entity Type Individuals Affected Type of Breach Location of Breached Information
1 Optum360, LLC Business Associate 11500000 Hacking/IT Incident Network Server
2 Laboratory Corporation of America Holdings dba LabCorp Healthcare Provider 10251784 Hacking/IT Incident Network Server
3 Dominion Dental Services, Inc., Dominion National Insurance Company, and Dominion Dental Services USA, Inc. Health Plan 2964778 Hacking/IT Incident Network Server
4 Clinical Pathology Laboratories, Inc. Healthcare Provider 1733836 Unauthorized Access/Disclosure Network Server
5 Inmediata Health Group, Corp. Healthcare Clearing House 1565338 Unauthorized Access/Disclosure Network Server
6 UW Medicine Healthcare Provider 973024 Hacking/IT Incident Network Server
7 Women’s Care Florida, LLC Healthcare Provider 528188 Hacking/IT Incident Network Server
8 CareCentrix, Inc. Healthcare Provider 467621 Hacking/IT Incident Network Server
9 Intramural Practice Plan – Medical Sciences Campus – University of Puerto Rico Healthcare Provider 439753 Hacking/IT Incident Network Server
10 BioReference Laboratories Inc. Healthcare Provider 425749 Hacking/IT Incident Other
11 Bayamon Medical Center Corp. Healthcare Provider 422496 Hacking/IT Incident Network Server
12 Memphis Pathology Laboratory d/b/a American Esoteric Laboratories Healthcare Provider 409789 Unauthorized Access/Disclosure Network Server
13 Sunrise Medical Laboratories, Inc. Healthcare Provider 401901 Hacking/IT Incident Network Server
14 Columbia Surgical Specialist of Spokane Healthcare Provider 400000 Hacking/IT Incident Network Server
15 Sarrell Dental Healthcare Provider 391472 Hacking/IT Incident Network Server
16 UConn Health Healthcare Provider 326629 Hacking/IT Incident Email
17 Premier Family Medical Healthcare Provider 320000 Hacking/IT Incident Network Server
18 Metro Santurce, Inc. d/b/a Hospital Pavia Santurce and Metro Hato Rey, Inc. d/b/a Hospital Pavia Hato Rey Healthcare Provider 305737 Hacking/IT Incident Network Server
19 Navicent Health, Inc. Healthcare Provider 278016 Hacking/IT Incident Email
20 ZOLL Services LLC Healthcare Provider 277319 Hacking/IT Incident Network Server

 

The above table does not tell the full story. When a business associate experiences a data breach, it is not always reported by the business associate. Sometimes a breach is experienced by a business associate and the covered entities that they work with report the breaches separately, as was the case with American Medical Collection Agency (AMCA), a collection agency used by several HIPAA covered entities.

In 2019, hackers gained access to AMCA systems and stole sensitive client data. The breach was the second largest healthcare data breach ever reported, with only the Anthem Inc. data breach of 2015 having impacted more individuals.

HIPAA Journal tracked the breach reports submitted to OCR by each affected covered entity. At least 24 organizations are known to have had data exposed/stolen as a result of the hack.

Organizations Affected by the 2019 AMCA Data Breach

Healthcare Organization Confirmed Victim Count
Quest Diagnostics/Optum360 11,500,000
LabCorp 10,251,784
Clinical Pathology Associates 1,733,836
Carecentrix 467,621
BioReference Laboratories/Opko Health 425,749
American Esoteric Laboratories 409,789
Sunrise Medical Laboratories 401,901
Inform Diagnostics 173,617
CBLPath Inc. 141,956
Laboratory Medicine Consultants 140,590
Wisconsin Diagnostic Laboratories 114,985
CompuNet Clinical Laboratories 111,555
Austin Pathology Associates 43,676
Mount Sinai Hospital 33,730
Integrated Regional Laboratories 29,644
Penobscot Community Health Center 13,299
Pathology Solutions 13,270
West Hills Hospital and Medical Center / United WestLabs 10,650
Seacoast Pathology, Inc 8,992
Arizona Dermatopathology 5,903
Laboratory of Dermatology ADX, LLC 4,082
Western Pathology Consultants 4,079
Natera 3,035
South Texas Dermatopathology LLC 15,982
Total Records Breached 26,059,725

Causes of 2019 Healthcare Data Breaches

The HHS’ Office for Civil Rights assigns breaches to one of five different categories:

  • Hacking/IT incidents
  • Unauthorized access/disclosures
  • Theft
  • Loss
  • Improper disposal

59.41% of healthcare data breaches in 2019 were classified as hacking/IT incidents and involved 87.60% of all breached records. 28.82% of data breaches were classed as unauthorized access/disclosure incidents and involved 11.27% of all records breached in 2019.

10.59% of breaches were classed as loss and theft incidents involving electronic devices containing unencrypted electronic protected health information or physical records. Those incidents accounted for 1.07% of breached records in 2019.

1.18% of breaches and 0.06% of breached records were due to improper disposal of physical records and devices containing electronic protected health information.

Breach Cause Incidents Breached Records Mean Breach Size Median Breach Size
Hacking/IT Incident 303 36,210,097 119,505 6,000
Unauthorized Access/Disclosure 147 4,657,932 31,687 1,950
Theft 39 367,508 9,423 2,477
Loss 15 74,271 4,951 3,135
Improper Disposal 6 26,081 4,347 4,177

We have not tracked the cause of each breach reported in 2019, but the table below provides an indication of the biggest problem area for healthcare organizations – Securing email systems and blocking phishing attacks. The email incidents include misdirected emails, but the majority of email incidents were phishing and spear phishing attacks.

Healthcare Data Breaches by Covered Entity

77.65% of 2019 data breaches were reported by healthcare providers (369 incidents), 11.57% of breaches were reported by health plans (59 incidents), and 0.39% of data breaches were reported by healthcare clearinghouses (2 incidents).

23.33% of the year’s breaches involved business associates to some extent. 10.39% of data breaches were reported by business associates (53 incidents) and 66 data breaches were reported by a covered entity which stated there was some business associate involvement.

States Worst Affected by Healthcare Data Breaches

Data breaches were reported by HIPAA-covered entities or business associates in 48 states, Washington DC, and Puerto Rico. The worst affected state was Texas with 60 data breaches reported. California was the second most badly hit with 42 reported data breaches.

The only states where no data breaches of 500 or more records were reported were North Dakota and Hawaii.

State Breaches State Breaches State Breaches State Breaches State Breaches
Texas 60 Maryland 14 Arkansas 9 Alabama 4 Mississippi 2
California 42 Washington 14 South Carolina 9 Alaska 4 Montana 2
Illinois 26 Georgia 13 New Jersey 8 Iowa 4 South Dakota 2
New York 25 North Carolina 13 Massachusetts 7 Kentucky 4 Washington DC 2
Ohio 25 Tennessee 11 Puerto Rico 7 Nebraska 4 West Virginia 2
Minnesota 23 Arizona 10 Virginia 7 Oklahoma 4 Delaware 1
Florida 22 Colorado 10 Louisiana 6 Utah 4 Kansas 1
Pennsylvania 19 Connecticut 10 New Mexico 6 Wyoming 3 New Hampshire 1
Missouri 17 Indiana 10 Wisconsin 6 Idaho 2 Rhode Island 1
Michigan 16 Oregon 10 Nevada 5 Maine 2 Vermont 1

HIPAA Enforcement in 2019

The HHS’ Office for Civil Rights continued to enforce compliance with HIPAA at a similar level to the previous three years.

In 2019, there were 10 HIPAA enforcement actions that resulted in financial penalties. 2 civil monetary penalties were imposed and 8 covered entities/business associates agreed settlements with OCR to resolve HIPAA violations.

In total, $12,274,000 was paid to OCR in fines and settlements. The largest financial penalties of the year resulted from investigations of potential HIPAA violations by University of Rochester Medical Center and Touchstone Medical Imaging. Both cases were settled for £3,000,000.

OCR uncovered multiple violations of HIPAA Rules while investigating separate loss/theft incidents reported by University of Rochester Medical Center. OCR discovered risk analysis and risk management failures, a lack of encryption on portable electronic devices, and insufficient device and media controls.

Touchstone Medical Imaging experienced a data breach that resulted in the impermissible disclosure of 307,839 individuals’ PHI due to the exposure of an FTP server over the internet. OCR investigated and determined there had been risk analysis failures, business associate agreements failures, insufficient access rights, a failure to respond to a security incident, and violations of the HIPAA Breach Notification Rule.

Sentara Hospitals agreed to a $2.175 million settlement stemming from a 577-record data breach that was reported to OCR as only affecting 8 individuals. OCR told Sentara Hospitals that the breach notification needed to be updated to include the other individuals affected by the mailing error, but Sentara Hospitals refused. OCR determined a financial penalty was appropriate for the breach notification reporting failure and the lack of a business associate agreement with one of its vendors.

A civil monetary penalty of $2.154 million was imposed on the Miami, FL-based nonprofit academic medical system, Jackson Health System (JHS). Following a data breach, OCR investigated and found a compliance program that had been in disarray for several years. The CMP resolved multiple violations of HIPAA Privacy Rule, Security Rule, and Breach Notification Rule.

A civil monetary penalty of $1,600,000 was imposed on Texas Department of Aging and Disability Services for multiple violations of HIPAA Rules discovered during the investigation of breach involving an exposed internal application. OCR discovered there had been risk analysis failures, access control failures, and information system activity monitoring failures, which contributed to the impermissible disclosure of 6,617 patients’ ePHI.

Medical Informatics Engineering, an Indiana-based provider of electronic medical record software and services, experienced a major data breach in 2015 at its NoMoreClipboard subsidiary. Hackers used a compromised username and password to gain access to a server that contained the protected health information (PHI) of 3.5 million individuals. OCR determined there had been a risk analysis failure and the case was settled for $100,000. MIE also settled a multi-state action with state attorneys general over the same breach and settled that case for $900,000.

The Carroll County, GA ambulance company, West Georgia Ambulance, was investigated over the reported loss of an unencrypted laptop computer that contained the PHI of 500 patients. OCR found there had been a risk analysis failure, there was no security awareness training program for staff, and HIPAA Security Rule policies and procedures had not been implemented. The case was settled for $65,000.

There was one financial penalty for a social media HIPAA violation. Elite Dental Associates respondents to patient reviews on Yelp, and in doing so impermissibly disclosed PHI. OCR determined a financial penalty was appropriate and the case was settled for $10,000.

OCR also launched a new HIPAA enforcement initiative in 2019, under which two settlements were reached with covered entities over HIPAA Right of Access failures. Korunda Medical and Bayfront Health St. Petersburg had both failed to respond to patient requests for copies of their health information within a reasonable time frame. Both covered entities settled their HIPAA violation cases with OCR for $85,000.

OCR HIPAA Settlements and Civil Monetary Penalties in 2019

HIPAA Enforcement by State Attorneys General in 2019

State attorneys general can also take action over violations of HIPAA Rules. There were three cases against covered entities and business associates in 2019. As previously mentioned, Medical Informatics Engineering settled a multi-state lawsuit and paid a financial penalty of $900,000.

A second multi-state action was settled by Premera Blue Cross. The lawsuit pertained to a 2015 hacking incident that resulted in the theft of 10.4 million records. The investigation uncovered multiple violations of violations of HIPAA Rules and resulted in a $10 million financial penalty.

The California attorney general also took legal action over a data breach that affected 1,991 California residents. The health insurer Aetna had sent two mailings to its members in which highly sensitive information relating to HIV and Afib diagnoses was visible through the windows of the envelopes. The case was settled for $935,000.

The post 2019 Healthcare Data Breach Report appeared first on HIPAA Journal.

Deadline for Reporting 2019 Healthcare Data Breaches of Fewer than 500 Records

Posted by HIPAA Journal

The HIPAA Breach Notification Rule requires data breaches of 500 or more records to be reported to the Secretary of the Department of Health and Human Services no later than 60 days after the discovery of a breach. Breaches of fewer than 500 records can be reported to the Secretary at any time, but no later than 60 days from the end of the calendar year in which the data breach was experienced – 45 C.F.R. § 164.408.

That means smaller healthcare data breaches must usually be reported to the HHS no later than March 1 each year, but this year is a leap year so there is an extra day in February. That means the deadline for reporting smaller breaches is one day earlier. All breaches that have affected fewer than 500 individuals must therefore be reported to OCR no later than February 29, 2020.

All breaches must be submitted to the Secretary of the HHS via the Office for Civil Rights breach portal. Each data breach must be reported separately and full information about each breach should be submitted. If several small data breaches have been experienced in the 2020 calendar year, reporting the breaches can take some time. It is therefore advisable not to leave the reporting of data breaches to the last minute to ensure the deadline is not missed. If data breaches are reported later than the 60-day deadline, financial penalties can be imposed.

If a breach has been experienced and the number of individuals affected by the breach has not yet been determined, the breach report should include an estimate of the number of people affected. It is not permissible to delay reporting the breach. When the actual number of affected individuals is known, an addendum can be submitted. Addenda should also be used to update breach reports when further information about the breach becomes available.

The post Deadline for Reporting 2019 Healthcare Data Breaches of Fewer than 500 Records appeared first on HIPAA Journal.

HHS Issues Final Rule Requiring Pharmacies to Track Partially Filled Prescriptions of Schedule II Drugs

Posted by HIPAA Journal

The Department of Health and Human Services has issued a final rule modifying the HIPAA National Council for Prescription Drug Programs (NCPDP) D.0 Telecommunication Standard to require pharmacies to track partially filled prescriptions for Schedule II drugs. The modification is part of HHS efforts to curb opioid abuse in the United States and will provide a greater quantum of data that may help prevent impermissible refills of Schedule II drugs.

The final rule takes effect on March 24, 2020. The compliance date is September 21, 2020.

By September 21, 2020, pharmacies will be required to use the Quantity Prescribed (460-ET) field for retail pharmacy transactions for all Schedule II drugs. Pharmacies must distinguish in retail pharmacy transactions whether the full prescribed amount of a Schedule II drug has been dispensed in a refill, or if the prescription has only been partially filled.

Background

The NCPDP Telecommunication Standard was adopted by the Secretary of the HHS in January 2009 for pharmacy transactions (health care claims or equivalent encounter information, referral certification and authorization, and coordination of benefits).

Under the Controlled Substances Act, the refilling of Schedule II drugs is prohibited, but partial fills are permitted if a pharmacist has less than the prescribed amount in stock, for patients in long-term care facilities, and for patients with terminal illnesses.

An analysis of prescription drug refill records by the HHS’ Office of Inspector General in 2012 revealed that in 2009, $25 million has been inappropriately paid by Medicare Part D plan sponsors for 397,203 Schedule II drug refills. 75% of those refills were billed by long-term care facilities. There was considerable concern that these prohibited refills could contribute to the diversion of Schedule II drugs and their being resold on the street.

The HHS’ Centers for Medicare and Medicaid services believed the OIG figures were incorrect due to a misinterpretation of the data in the Fill Number (403-D3) field, which resulted in partial fills being confused with refills dispensed to patients in long-term care facilities. A CMS review confirmed pharmacies could not distinguish between partial fills of Schedule II drugs and refills for billing purposes without using the Fill Number (403-D3) field.

The NCPDP D.0 standard was then updated to include the Quantity Prescribed (460-ET) field for claims, which should include the actual quantity supplied. That data could then be used to determine whether inappropriate fills had been made over and above the amount prescribed.

The change was detailed in the November 2012 publication of Version D.0 which required the Quantity Prescribed (460–ET) field to be completed when submitting claims to Medicare Part D for Schedule II drugs. However, since the HHS has not adopted the November 2012 publication, pharmacies could not use the Quantity Prescribed field for HIPAA transactions. The final rule addresses this issue.

The Administrative Simplification: Modification of the Requirements for the Use of Health Insurance Portability and Accountability Act of 1996 (HIPAA) National Council for Prescription Drug Programs (NCPDP) D.0 Standard has been published in the federal register on January 24, 2020 and can be viewed on this link.

The post HHS Issues Final Rule Requiring Pharmacies to Track Partially Filled Prescriptions of Schedule II Drugs appeared first on HIPAA Journal.

HHS Reminds Covered Entities of Data Sharing in Light of Novel Coronavirus Outbreak

Posted by HIPAA Journal

The Department of Health and Human Services has issued a bulletin reminding HIPAA covered entities about the ways that patient information can be shared during outbreaks of infectious disease and other emergency situations, in light of the recent Novel Coronavirus (2019-nCoV) outbreak.

In the bulletin, the HHS confirms that in such situations, the protections of the HIPAA Privacy Rule still apply and healthcare organizations must continue to apply administrative, technical, and physical safeguards to ensure the confidentiality, integrity, and availability of protected health information (PHI).

Under the HIPAA Privacy Rule, covered entities are permitted to disclose patient information without authorization for treatment purposes, care coordination, consultations, and referrals of patients for treatment.

In situations when patients have contracted an infectious disease such as 2019-nCoV, there is a legitimate need for information to be shared with public health authorities and others responsible for ensuring public health and safety. Those entities may need to be provided with PHI to allow them to carry out their public health missions. In such cases, the HIPAA Privacy Rule allows covered entities to share PHI with those entities and individual authorizations are not required.

That includes sharing information with the Centers for Disease Control and Prevention (CDC) and state and health departments authorized by law to receive such information to prevent or control disease and injury. Directed by a public health authority, PHI may also be shared with foreign government agencies that are working with public health authorities. Information can also be shared with individuals believed to be at risk of contracting or spreading disease, if other law, such as state law authorizes the covered entity to notify such persons to help prevent the spread of disease or to carry out public health investigations.

Information can also be shared with friends, family members, and other individuals involved in the care of a patient, including sharing information about a patient, as necessary, to identify, locate, and notify family members, guardians, and others responsible for the patient’s care, of the patient’s location, general condition, or death.

In such cases, verbal permission should be obtained from the patient or it can be reasonably inferred that the patient does not object. If a patient is incapacitated, then professional judgement should be used as to whether the sharing of information is in the patient’s best interest.

Patient information may also be shared to prevent or lessen a serious or imminent threat to the health and safety of a person or the public, consistent with applicable laws. Generally speaking, providing specific information about an identifiable patient to the media or public at large is not permitted.

All permitted disclosures of patient information are subject to the minimum necessary rule. Shared information should be limited to the minimum necessary amount to accomplish the purpose for which information is disclosed.

The post HHS Reminds Covered Entities of Data Sharing in Light of Novel Coronavirus Outbreak appeared first on HIPAA Journal.

Average Ransomware Payment Increased Sharply in Q4, 2019

Posted by HIPAA Journal

A new report from the ransomware incident response firm Coveware shows payments made by ransomware victims increased sharply in Q4, 2019. The average ransomware payment doubled in Q4, as two of the most prolific ransomware gangs – Sodinokibi and Ryuk – shifted their attention to attacking large enterprises. In Q3, 2019 the average ransom payment was $41,198. In Q4, that figure jumped to $84,116, with a median payment of $41,179.

The large increase in ransom amounts is largely due to changing tactics of the two main ransomware gangs, Ryuk especially. Ryuk is now heavily focused on attacking large enterprises. The average number of employees at victim companies increased from 1,075 in Q3 to 1,686 in Q4. The largest ransom amount was $779,855.5 in Q4; a considerable jump from the largest demand of $377,027 in Q3.

In Q4, the most prevalent ransomware threats were Sodinokibi (29.4%), Ryuk (21.5%), Phobos (10.7%), Dharma (9.3%), DoppelPaymer (6.1%), and NetWalker (5.1%). 10.7% of attacks involved the Rapid, Snatch, IEncrypt or GlobeImposter ransomware variants.

Many of the above ransomware variants are distributed under the ransomware-as-a-service model, where affiliates can sign up and use the ransomware and retain a cut of the ransom payments. The more sophisticated gangs are cautious about who they accept as affiliates whereas some of the smaller ransomware gangs let anyone sign up. Only a handful of affiliates are used to distribute Sodinokibi, with some specializing in different types of attack. One Sodinokibi affiliate has extensive knowledge of remote monitoring and management tools and specializes in attacks on managed service providers.

Ransomware is mostly delivered as a result of brute forcing weak RDP credentials or purchasing stolen RDP credentials. This tactic is used in more than 50% of successful ransomware attacks, followed by phishing (26%) and the exploitation of software vulnerabilities (13%).

Coveware explained in its report that 98% of victims who paid the ransom were supplied with valid keys and were able to decrypt their files. The probability of success can vary greatly depending on the variant of ransomware involved. Some threat actors are known for defaulting and often do not supply valid keys, even after the ransom is paid. Threat groups associated with Rapid, Mr. Dec, and Phobos ransomware were named as being consistent defaulters. Those threat groups were also less selective and tended to work with any affiliate.

Even when valid decryptors are supplied, some data lost can be expected. Out of the companies Coveware helped recover data, on average, 97% of files were recovered. An average of 3% of files were permanently lost as files were corrupted during the encryption/decryption process. More sophisticated attackers, such as the Ryuk and Sodinokibi threat actors, tend to be more careful encrypting data to ensure file recovery is possible and their reputation is not damaged.

The average downtime from a ransomware attack increased from 12.1 days in Q3, 2019 to 16.2 days in Q4. This is largely due to an increase in attacks on large enterprises, which have complex systems that take much longer to restore.

The figures for the report naturally only include ransomware victims that have used Coveware to negotiate with the attackers and assist with recovery. Many firms chose to deal with their attackers directly or use other ransomware recovery firms.

The post Average Ransomware Payment Increased Sharply in Q4, 2019 appeared first on HIPAA Journal.

How One Company is Helping to Drive Down the Cost of U.S. Healthcare and Improve Patient Outcomes

Posted by HIPAA Journal

2019 Health Statistics published by the Organisation for Economic Co-operation and Development’s (OECD) show healthcare expenditures in the United States are significantly higher than those in other developed countries. A 2018 Harvard study of 11 developed countries showed the United States had the highest healthcare costs relative to its GDP out of all 11 countries studied. Per capita healthcare spending was found to be almost twice that of other wealthy, developed countries.

Higher costs are not necessarily bad if they translate into better patient outcomes, but the OECD figures show that is not the case. The United States performed poorly for patient outcomes, even though the costs of healthcare are so high. Reducing the cost of healthcare is a major challenge and there is no silver bullet, but there are ways for costs to be reduced and for patient outcomes to be improved.

The Trump Administration is committed to reducing the cost of healthcare through executive orders and HHS rulings. In November 2018 an executive order – Improving Price and Quality Transparency in American Healthcare – was issued which is intended to improve healthcare price transparency to increase competition among hospitals and insurers and drive down healthcare spending.

Another key area where costs can be cut is by eliminating wastage in healthcare. A great deal of money being wasted due to inefficiency, such as the continued use of outdated communications technology.

The healthcare industry is still heavily reliant on communications technology from the 1970s. Advances are being made and new communications tools are being introduced, but oftentimes when new communications technology is purchased, it tends to be introduced in silos and healthcare organizations fail to achieve the full benefits. As a result, communications problems persist.

Communication inefficiencies are costing the healthcare industry dearly and that cost is being passed onto patients. Research shows communication inefficiencies cost a single 500-bed hospital around $4 million a year. The breakdown in communication is estimated to be a major factor in 70% of medical error deaths, according to a study published in the Journal of Medical Internet Research.

One company helping to cut the cost of healthcare is TigerConnect. TigerConnect has developed an advanced communications and collaboration solution that allows all members of care teams to communicate and collaborate quickly, efficiently, and effectively. The platform helps accelerate productivity and eliminates wastage, which allows healthcare providers to reduce the cost of healthcare. The solution has also been shown to improve patient outcomes.

The platform has been shown to reduce wait times in emergency departments, reduce the potential for medical errors, reduce the length of hospitals stays, and the platform helps improve staff morale, especially among physicians. The platform eliminates phone tag, allows all members of the care team to access the data they need to make decisions, and ensures proper patient handoffs, which is where the majority of medical errors occur.  

The TigerConnect team is committed to solving pervasive problems in healthcare communication and continues to innovate and develop its solution to meet the need of healthcare organizations of all sizes. The platform has proven popular with healthcare organizations and the company has been enjoying a period of tremendous growth, according to 2019 figures released today.

The TigerConnect solution is the most widely adopted healthcare communications and collaboration platform in the United States and 2019 has seen the company expand its industry footprint further. More than 600 new clients have been added in 2019, including 100 new enterprise clients such as Geisinger, NCH Healthcare System, Penn State Health, University of Maryland Medical System, Einstein Medical Center, Cooper University Health Care, and St. Luke’s University Health Network. More than 6,000 healthcare organizations are now using the platform.

TigerConnect has also expanded its workforce to cope with the increased demand. Over 50 new members of staff joined the company in 2019. TigerConnect also created new leadership roles, with the appointment of former Vacasa CTO, Tim Goodwin, as its first Chief Technology Officer, former McKesson consultant Sarah Shillington as the SVP of client success, and former Expedia executive, Allie Hanegan as VP of People.

TigerConnect is now looking to make greater gains in 2020 and has launched several initiatives to accelerate growth. Ahead of HIMSS20, TigerConnect will be launching several major product and partner initiatives, the company will be aggressively marketing its solution toward new clients and will also be looking to expand its footprint with its existing customer base. TigerConnect has also confirmed it will be forming a client advisory group and will be leveraging additional forums to get feedback from users to identify areas where the platform can be further improved.

“As we look ahead to the next decade, we see nothing but greenfield opportunity to redefine the way healthcare teams, payers, and patients connect and collaborate. We remain steadfast in our mission to partner with care organizations of every size and type, providing them with the world’s most advanced collaboration technology to produce a vision of the future we can all be proud of,” said Brad Brooks, co-founder, and CEO of TigerConnect.

The post How One Company is Helping to Drive Down the Cost of U.S. Healthcare and Improve Patient Outcomes appeared first on HIPAA Journal.

HHS’ Office for Civil Rights Makes Changes to Individuals’ Right of Access to Health Records

Posted by HIPAA Journal

The Department of Health and Human Services’ Office for Civil Rights has announced that certain legislative changes made in the HIPAA Omnibus Final Rule of 2013 – Modifications to the HIPAA Privacy, Security, and Enforcement Rules Under the Health Information Technology for Economic and Clinical Health Act, and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Ruleshave been reversed.

The reversal applies to a portion of the rule that expanded the third-party directive within the individual right of access (45 C.F.R. §164.524) “beyond requests for a copy of an electronic health record with respect to

Member Login

of an individual … in an electronic format” and guidance issued in 2016 confirming fee limitations for providing a copy of an individual’s PHI – 45 C.F.R. § 164.524(c)(4) – also apply to an individual’s request to send health records to a third party for legal or commercial reasons. Those fee limitations will now only apply to an individual’s request for access to their own records, not for an individual’s request to send a copy of their PHI to a third party such as a lawyer or insurance company.

The reversal followed the conclusion of legal action by the medical records provider, Ciox Health, challenging the changes. Ciox Health contracts with healthcare providers to maintain, retrieve, and produce individuals’ PHI. Ciox Health handles requests from healthcare providers to supply individuals’ PHI for treatment purposes, along with requests from patients exercising their rights under the HIPAA individual right of access, and requests to send PHI to legal and commercial entities. Ciox Health handles tens of millions of requests for PHI each year.

Ciox Health understood the fee limitations only applied to requests from individuals for access to their own PHI, and not to requests to send PHI to legal and commercial entities. However, in 2016, the Department of Health and Human Services (HHS) issued a guidance document in which it was made clear that the fee limitations had been expanded to include requests for PHI from legal and commercial entities. According to the lawsuit, that change resulted in Ciox Health and other medical records companies losing millions in revenue. The change was challenged as it was seen to be violative of the procedural and substantive protections of the Administrative Procedure Act (“APA”).

Ciox also challenged the types of labor costs that are recoverable under the fee limitation, the three methods for calculating fees for providing the records, and the 2013 change requiring medical records companies “to send PHI to third parties regardless of the format in which the PHI is contained and in the format specified by the patient.” The HHS filed a motion to dismiss and the cross-motions went before a federal court for summary judgment.

The HHS motion to dismiss was granted in part and denied in part, and the cross-motions were also granted in part and dismissed in part. The HHS motions to dismiss were denied in all cases apart from the three methods for calculating fees.

The court held that the rule requiring PHI to be delivered to third parties regardless of the records’ format was ‘arbitrary and capricious’ as it went beyond the requirements of the HITECH Act. The court also ruled in favor of the plaintiff on the challenge to the 2016 expansion of fee limitations, as this was a legislative change and the HHS failed to subject the change to notice and comment, in violation of the ACA. The 2016 explanation of what labor costs can be recovered was determined to be an interpretive rule and was therefore not subject to notice and comment.

The court declared the changes unlawful and vacated the 2016 expansion of fee limitations and the 2013 mandate broadening PHI delivery to third parties regardless of format. The Ciox Health, LLC v. Azar, et al court order can be viewed on this link.

The post HHS’ Office for Civil Rights Makes Changes to Individuals’ Right of Access to Health Records appeared first on HIPAA Journal.

2020 Emergency Preparedness and Security Trends in Healthcare Survey

Posted by HIPAA Journal

Every year, Rave Mobile Safety conducts a nationwide survey to identify healthcare security trends and assess the state of emergency preparedness and security trends in the healthcare industry.

For the 2020 Emergency Preparedness and Security Trends in Healthcare report, Rave Mobile Security is seeking insights from leaders in the healthcare industry on the efforts they have made to prepare for emergency situations.

Many HIPAA Journal readers participated in last year’s survey and have provided information on the steps they have taken to improve safety in the workplace in emergency situations. That information has been used to get an overview of emergency preparedness in the United States.

The 2020 survey is now being conducted and HIPAA Journal readers have been requested to take part in the study. If you so wish, you can participate completely anonymously.

You can participate in the survey by clicking the following link:

Click here for the Emergency Preparedness and Security Trends in Healthcare Survey.

If you provide your email address, you’ll receive the anonymized survey results before they are published and will be entered into a prize draw for a $200 gift card from the survey sponsor.

HIPAA Journal will eventually publish the results of the survey.

Note: HIPAA Journal is not conducting this survey and does not receive any payment for promoting this survey. HIPAA Journal has no commercial relationship with the survey sponsor. If your organization is running a survey that is of interest to healthcare professionals, you can contact us with the details.

The post 2020 Emergency Preparedness and Security Trends in Healthcare Survey appeared first on HIPAA Journal.

Patients Want Easy Access to Their Health Data but Better Privacy Protections Preferred

Posted by HIPAA Journal

Patients want easy access to their health data and for their health information to be presented in a concise, easy to understand format, according to a new poll conducted by Morning Consult on behalf of America’s Health Insurance Plans (AHIP). However, patients and consumers are well aware of the threat of cyberattacks and data breaches and they do not want their private health information to be compromised. A majority (62%) of patents and consumers said they would be willing to forego easy access to their health data if it meant greater privacy protections were in place to protect their health information.

In November 2019, President Trump signed an Executive Order on Improving Price and Quality Transparency in American Healthcare to Put Patients First. In response, the Department of Health and Human Services, the Department of Labor, and the Department of the Treasury proposed a new Transparency in Coverage Rule. The rule requires “employer-based group health plans and health insurance issuers offering group and individual coverage to disclose price and cost-sharing information to participants, beneficiaries, and enrollees up front.”

With access to that information, patients would be made aware of the costs they need to cover to meet the deductible of their plan or co-pay or co-insurance requirements. It would make it much easier for patients to make cost comparisons.

The cost of medical procedures is a key consideration for patients. 74% of respondents said they were very likely (52%) or somewhat likely (22%) to research how much they would have to pay for a medical procedure or service covered by their health insurance plan, and 68% said they would be very likely or somewhat likely to choose a lower cost medical procedure than one recommended by their doctor. 66% of respondents said they would consider making an appointment with a specialist, as recommended by a doctor, if they knew they would receive the same quality of care at a lower cost.

While easier access to cost information and greater transparency would be welcomed, 3 in 4 individuals who took part in the poll said they would not support a federal regulation that increases transparency if it also meant their insurance premiums would rise.

When it comes to obtaining information on medical procedures, patients want easy to understand information rather than comprehensive information. 82% of adults said that apps and websites that provide information on a medical procedure are more valuable if they provide concise, easy to understand information rather than comprehensive information that is confusing.

The survey also revealed there is strong support for federal legislation akin to HIPAA for technology companies that collect or are provided with health data. 90% of respondents said tech companies should also have to comply with strict standards for privacy and security as is the case with healthcare organizations.

The post Patients Want Easy Access to Their Health Data but Better Privacy Protections Preferred appeared first on HIPAA Journal.