Latest HIPAA News

Deadline for Reporting 2019 Healthcare Data Breaches of Fewer than 500 Records

Posted by HIPAA Journal

The HIPAA Breach Notification Rule requires data breaches of 500 or more records to be reported to the Secretary of the Department of Health and Human Services no later than 60 days after the discovery of a breach. Breaches of fewer than 500 records can be reported to the Secretary at any time, but no later than 60 days from the end of the calendar year in which the data breach was experienced – 45 C.F.R. § 164.408.

That means smaller healthcare data breaches must usually be reported to the HHS no later than March 1 each year, but this year is a leap year so there is an extra day in February. That means the deadline for reporting smaller breaches is one day earlier. All breaches that have affected fewer than 500 individuals must therefore be reported to OCR no later than February 29, 2020.

All breaches must be submitted to the Secretary of the HHS via the Office for Civil Rights breach portal. Each data breach must be reported separately and full information about each breach should be submitted. If several small data breaches have been experienced in the 2020 calendar year, reporting the breaches can take some time. It is therefore advisable not to leave the reporting of data breaches to the last minute to ensure the deadline is not missed. If data breaches are reported later than the 60-day deadline, financial penalties can be imposed.

If a breach has been experienced and the number of individuals affected by the breach has not yet been determined, the breach report should include an estimate of the number of people affected. It is not permissible to delay reporting the breach. When the actual number of affected individuals is known, an addendum can be submitted. Addenda should also be used to update breach reports when further information about the breach becomes available.

The post Deadline for Reporting 2019 Healthcare Data Breaches of Fewer than 500 Records appeared first on HIPAA Journal.

HHS Issues Final Rule Requiring Pharmacies to Track Partially Filled Prescriptions of Schedule II Drugs

Posted by HIPAA Journal

The Department of Health and Human Services has issued a final rule modifying the HIPAA National Council for Prescription Drug Programs (NCPDP) D.0 Telecommunication Standard to require pharmacies to track partially filled prescriptions for Schedule II drugs. The modification is part of HHS efforts to curb opioid abuse in the United States and will provide a greater quantum of data that may help prevent impermissible refills of Schedule II drugs.

The final rule takes effect on March 24, 2020. The compliance date is September 21, 2020.

By September 21, 2020, pharmacies will be required to use the Quantity Prescribed (460-ET) field for retail pharmacy transactions for all Schedule II drugs. Pharmacies must distinguish in retail pharmacy transactions whether the full prescribed amount of a Schedule II drug has been dispensed in a refill, or if the prescription has only been partially filled.

Background

The NCPDP Telecommunication Standard was adopted by the Secretary of the HHS in January 2009 for pharmacy transactions (health care claims or equivalent encounter information, referral certification and authorization, and coordination of benefits).

Under the Controlled Substances Act, the refilling of Schedule II drugs is prohibited, but partial fills are permitted if a pharmacist has less than the prescribed amount in stock, for patients in long-term care facilities, and for patients with terminal illnesses.

An analysis of prescription drug refill records by the HHS’ Office of Inspector General in 2012 revealed that in 2009, $25 million has been inappropriately paid by Medicare Part D plan sponsors for 397,203 Schedule II drug refills. 75% of those refills were billed by long-term care facilities. There was considerable concern that these prohibited refills could contribute to the diversion of Schedule II drugs and their being resold on the street.

The HHS’ Centers for Medicare and Medicaid services believed the OIG figures were incorrect due to a misinterpretation of the data in the Fill Number (403-D3) field, which resulted in partial fills being confused with refills dispensed to patients in long-term care facilities. A CMS review confirmed pharmacies could not distinguish between partial fills of Schedule II drugs and refills for billing purposes without using the Fill Number (403-D3) field.

The NCPDP D.0 standard was then updated to include the Quantity Prescribed (460-ET) field for claims, which should include the actual quantity supplied. That data could then be used to determine whether inappropriate fills had been made over and above the amount prescribed.

The change was detailed in the November 2012 publication of Version D.0 which required the Quantity Prescribed (460–ET) field to be completed when submitting claims to Medicare Part D for Schedule II drugs. However, since the HHS has not adopted the November 2012 publication, pharmacies could not use the Quantity Prescribed field for HIPAA transactions. The final rule addresses this issue.

The Administrative Simplification: Modification of the Requirements for the Use of Health Insurance Portability and Accountability Act of 1996 (HIPAA) National Council for Prescription Drug Programs (NCPDP) D.0 Standard has been published in the federal register on January 24, 2020 and can be viewed on this link.

The post HHS Issues Final Rule Requiring Pharmacies to Track Partially Filled Prescriptions of Schedule II Drugs appeared first on HIPAA Journal.

HHS Reminds Covered Entities of Data Sharing in Light of Novel Coronavirus Outbreak

Posted by HIPAA Journal

The Department of Health and Human Services has issued a bulletin reminding HIPAA covered entities about the ways that patient information can be shared during outbreaks of infectious disease and other emergency situations, in light of the recent Novel Coronavirus (2019-nCoV) outbreak.

In the bulletin, the HHS confirms that in such situations, the protections of the HIPAA Privacy Rule still apply and healthcare organizations must continue to apply administrative, technical, and physical safeguards to ensure the confidentiality, integrity, and availability of protected health information (PHI).

Under the HIPAA Privacy Rule, covered entities are permitted to disclose patient information without authorization for treatment purposes, care coordination, consultations, and referrals of patients for treatment.

In situations when patients have contracted an infectious disease such as 2019-nCoV, there is a legitimate need for information to be shared with public health authorities and others responsible for ensuring public health and safety. Those entities may need to be provided with PHI to allow them to carry out their public health missions. In such cases, the HIPAA Privacy Rule allows covered entities to share PHI with those entities and individual authorizations are not required.

That includes sharing information with the Centers for Disease Control and Prevention (CDC) and state and health departments authorized by law to receive such information to prevent or control disease and injury. Directed by a public health authority, PHI may also be shared with foreign government agencies that are working with public health authorities. Information can also be shared with individuals believed to be at risk of contracting or spreading disease, if other law, such as state law authorizes the covered entity to notify such persons to help prevent the spread of disease or to carry out public health investigations.

Information can also be shared with friends, family members, and other individuals involved in the care of a patient, including sharing information about a patient, as necessary, to identify, locate, and notify family members, guardians, and others responsible for the patient’s care, of the patient’s location, general condition, or death.

In such cases, verbal permission should be obtained from the patient or it can be reasonably inferred that the patient does not object. If a patient is incapacitated, then professional judgement should be used as to whether the sharing of information is in the patient’s best interest.

Patient information may also be shared to prevent or lessen a serious or imminent threat to the health and safety of a person or the public, consistent with applicable laws. Generally speaking, providing specific information about an identifiable patient to the media or public at large is not permitted.

All permitted disclosures of patient information are subject to the minimum necessary rule. Shared information should be limited to the minimum necessary amount to accomplish the purpose for which information is disclosed.

The post HHS Reminds Covered Entities of Data Sharing in Light of Novel Coronavirus Outbreak appeared first on HIPAA Journal.

Average Ransomware Payment Increased Sharply in Q4, 2019

Posted by HIPAA Journal

A new report from the ransomware incident response firm Coveware shows payments made by ransomware victims increased sharply in Q4, 2019. The average ransomware payment doubled in Q4, as two of the most prolific ransomware gangs – Sodinokibi and Ryuk – shifted their attention to attacking large enterprises. In Q3, 2019 the average ransom payment was $41,198. In Q4, that figure jumped to $84,116, with a median payment of $41,179.

The large increase in ransom amounts is largely due to changing tactics of the two main ransomware gangs, Ryuk especially. Ryuk is now heavily focused on attacking large enterprises. The average number of employees at victim companies increased from 1,075 in Q3 to 1,686 in Q4. The largest ransom amount was $779,855.5 in Q4; a considerable jump from the largest demand of $377,027 in Q3.

In Q4, the most prevalent ransomware threats were Sodinokibi (29.4%), Ryuk (21.5%), Phobos (10.7%), Dharma (9.3%), DoppelPaymer (6.1%), and NetWalker (5.1%). 10.7% of attacks involved the Rapid, Snatch, IEncrypt or GlobeImposter ransomware variants.

Many of the above ransomware variants are distributed under the ransomware-as-a-service model, where affiliates can sign up and use the ransomware and retain a cut of the ransom payments. The more sophisticated gangs are cautious about who they accept as affiliates whereas some of the smaller ransomware gangs let anyone sign up. Only a handful of affiliates are used to distribute Sodinokibi, with some specializing in different types of attack. One Sodinokibi affiliate has extensive knowledge of remote monitoring and management tools and specializes in attacks on managed service providers.

Ransomware is mostly delivered as a result of brute forcing weak RDP credentials or purchasing stolen RDP credentials. This tactic is used in more than 50% of successful ransomware attacks, followed by phishing (26%) and the exploitation of software vulnerabilities (13%).

Coveware explained in its report that 98% of victims who paid the ransom were supplied with valid keys and were able to decrypt their files. The probability of success can vary greatly depending on the variant of ransomware involved. Some threat actors are known for defaulting and often do not supply valid keys, even after the ransom is paid. Threat groups associated with Rapid, Mr. Dec, and Phobos ransomware were named as being consistent defaulters. Those threat groups were also less selective and tended to work with any affiliate.

Even when valid decryptors are supplied, some data lost can be expected. Out of the companies Coveware helped recover data, on average, 97% of files were recovered. An average of 3% of files were permanently lost as files were corrupted during the encryption/decryption process. More sophisticated attackers, such as the Ryuk and Sodinokibi threat actors, tend to be more careful encrypting data to ensure file recovery is possible and their reputation is not damaged.

The average downtime from a ransomware attack increased from 12.1 days in Q3, 2019 to 16.2 days in Q4. This is largely due to an increase in attacks on large enterprises, which have complex systems that take much longer to restore.

The figures for the report naturally only include ransomware victims that have used Coveware to negotiate with the attackers and assist with recovery. Many firms chose to deal with their attackers directly or use other ransomware recovery firms.

The post Average Ransomware Payment Increased Sharply in Q4, 2019 appeared first on HIPAA Journal.

How One Company is Helping to Drive Down the Cost of U.S. Healthcare and Improve Patient Outcomes

Posted by HIPAA Journal

2019 Health Statistics published by the Organisation for Economic Co-operation and Development’s (OECD) show healthcare expenditures in the United States are significantly higher than those in other developed countries. A 2018 Harvard study of 11 developed countries showed the United States had the highest healthcare costs relative to its GDP out of all 11 countries studied. Per capita healthcare spending was found to be almost twice that of other wealthy, developed countries.

Higher costs are not necessarily bad if they translate into better patient outcomes, but the OECD figures show that is not the case. The United States performed poorly for patient outcomes, even though the costs of healthcare are so high. Reducing the cost of healthcare is a major challenge and there is no silver bullet, but there are ways for costs to be reduced and for patient outcomes to be improved.

The Trump Administration is committed to reducing the cost of healthcare through executive orders and HHS rulings. In November 2018 an executive order – Improving Price and Quality Transparency in American Healthcare – was issued which is intended to improve healthcare price transparency to increase competition among hospitals and insurers and drive down healthcare spending.

Another key area where costs can be cut is by eliminating wastage in healthcare. A great deal of money being wasted due to inefficiency, such as the continued use of outdated communications technology.

The healthcare industry is still heavily reliant on communications technology from the 1970s. Advances are being made and new communications tools are being introduced, but oftentimes when new communications technology is purchased, it tends to be introduced in silos and healthcare organizations fail to achieve the full benefits. As a result, communications problems persist.

Communication inefficiencies are costing the healthcare industry dearly and that cost is being passed onto patients. Research shows communication inefficiencies cost a single 500-bed hospital around $4 million a year. The breakdown in communication is estimated to be a major factor in 70% of medical error deaths, according to a study published in the Journal of Medical Internet Research.

One company helping to cut the cost of healthcare is TigerConnect. TigerConnect has developed an advanced communications and collaboration solution that allows all members of care teams to communicate and collaborate quickly, efficiently, and effectively. The platform helps accelerate productivity and eliminates wastage, which allows healthcare providers to reduce the cost of healthcare. The solution has also been shown to improve patient outcomes.

The platform has been shown to reduce wait times in emergency departments, reduce the potential for medical errors, reduce the length of hospitals stays, and the platform helps improve staff morale, especially among physicians. The platform eliminates phone tag, allows all members of the care team to access the data they need to make decisions, and ensures proper patient handoffs, which is where the majority of medical errors occur.  

The TigerConnect team is committed to solving pervasive problems in healthcare communication and continues to innovate and develop its solution to meet the need of healthcare organizations of all sizes. The platform has proven popular with healthcare organizations and the company has been enjoying a period of tremendous growth, according to 2019 figures released today.

The TigerConnect solution is the most widely adopted healthcare communications and collaboration platform in the United States and 2019 has seen the company expand its industry footprint further. More than 600 new clients have been added in 2019, including 100 new enterprise clients such as Geisinger, NCH Healthcare System, Penn State Health, University of Maryland Medical System, Einstein Medical Center, Cooper University Health Care, and St. Luke’s University Health Network. More than 6,000 healthcare organizations are now using the platform.

TigerConnect has also expanded its workforce to cope with the increased demand. Over 50 new members of staff joined the company in 2019. TigerConnect also created new leadership roles, with the appointment of former Vacasa CTO, Tim Goodwin, as its first Chief Technology Officer, former McKesson consultant Sarah Shillington as the SVP of client success, and former Expedia executive, Allie Hanegan as VP of People.

TigerConnect is now looking to make greater gains in 2020 and has launched several initiatives to accelerate growth. Ahead of HIMSS20, TigerConnect will be launching several major product and partner initiatives, the company will be aggressively marketing its solution toward new clients and will also be looking to expand its footprint with its existing customer base. TigerConnect has also confirmed it will be forming a client advisory group and will be leveraging additional forums to get feedback from users to identify areas where the platform can be further improved.

“As we look ahead to the next decade, we see nothing but greenfield opportunity to redefine the way healthcare teams, payers, and patients connect and collaborate. We remain steadfast in our mission to partner with care organizations of every size and type, providing them with the world’s most advanced collaboration technology to produce a vision of the future we can all be proud of,” said Brad Brooks, co-founder, and CEO of TigerConnect.

The post How One Company is Helping to Drive Down the Cost of U.S. Healthcare and Improve Patient Outcomes appeared first on HIPAA Journal.

HHS’ Office for Civil Rights Makes Changes to Individuals’ Right of Access to Health Records

Posted by HIPAA Journal

The Department of Health and Human Services’ Office for Civil Rights has announced that certain legislative changes made in the HIPAA Omnibus Final Rule of 2013 – Modifications to the HIPAA Privacy, Security, and Enforcement Rules Under the Health Information Technology for Economic and Clinical Health Act, and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Ruleshave been reversed.

The reversal applies to a portion of the rule that expanded the third-party directive within the individual right of access (45 C.F.R. §164.524) “beyond requests for a copy of an electronic health record with respect to

Member Login

of an individual … in an electronic format” and guidance issued in 2016 confirming fee limitations for providing a copy of an individual’s PHI – 45 C.F.R. § 164.524(c)(4) – also apply to an individual’s request to send health records to a third party for legal or commercial reasons. Those fee limitations will now only apply to an individual’s request for access to their own records, not for an individual’s request to send a copy of their PHI to a third party such as a lawyer or insurance company.

The reversal followed the conclusion of legal action by the medical records provider, Ciox Health, challenging the changes. Ciox Health contracts with healthcare providers to maintain, retrieve, and produce individuals’ PHI. Ciox Health handles requests from healthcare providers to supply individuals’ PHI for treatment purposes, along with requests from patients exercising their rights under the HIPAA individual right of access, and requests to send PHI to legal and commercial entities. Ciox Health handles tens of millions of requests for PHI each year.

Ciox Health understood the fee limitations only applied to requests from individuals for access to their own PHI, and not to requests to send PHI to legal and commercial entities. However, in 2016, the Department of Health and Human Services (HHS) issued a guidance document in which it was made clear that the fee limitations had been expanded to include requests for PHI from legal and commercial entities. According to the lawsuit, that change resulted in Ciox Health and other medical records companies losing millions in revenue. The change was challenged as it was seen to be violative of the procedural and substantive protections of the Administrative Procedure Act (“APA”).

Ciox also challenged the types of labor costs that are recoverable under the fee limitation, the three methods for calculating fees for providing the records, and the 2013 change requiring medical records companies “to send PHI to third parties regardless of the format in which the PHI is contained and in the format specified by the patient.” The HHS filed a motion to dismiss and the cross-motions went before a federal court for summary judgment.

The HHS motion to dismiss was granted in part and denied in part, and the cross-motions were also granted in part and dismissed in part. The HHS motions to dismiss were denied in all cases apart from the three methods for calculating fees.

The court held that the rule requiring PHI to be delivered to third parties regardless of the records’ format was ‘arbitrary and capricious’ as it went beyond the requirements of the HITECH Act. The court also ruled in favor of the plaintiff on the challenge to the 2016 expansion of fee limitations, as this was a legislative change and the HHS failed to subject the change to notice and comment, in violation of the ACA. The 2016 explanation of what labor costs can be recovered was determined to be an interpretive rule and was therefore not subject to notice and comment.

The court declared the changes unlawful and vacated the 2016 expansion of fee limitations and the 2013 mandate broadening PHI delivery to third parties regardless of format. The Ciox Health, LLC v. Azar, et al court order can be viewed on this link.

The post HHS’ Office for Civil Rights Makes Changes to Individuals’ Right of Access to Health Records appeared first on HIPAA Journal.

2020 Emergency Preparedness and Security Trends in Healthcare Survey

Posted by HIPAA Journal

Every year, Rave Mobile Safety conducts a nationwide survey to identify healthcare security trends and assess the state of emergency preparedness and security trends in the healthcare industry.

For the 2020 Emergency Preparedness and Security Trends in Healthcare report, Rave Mobile Security is seeking insights from leaders in the healthcare industry on the efforts they have made to prepare for emergency situations.

Many HIPAA Journal readers participated in last year’s survey and have provided information on the steps they have taken to improve safety in the workplace in emergency situations. That information has been used to get an overview of emergency preparedness in the United States.

The 2020 survey is now being conducted and HIPAA Journal readers have been requested to take part in the study. If you so wish, you can participate completely anonymously.

You can participate in the survey by clicking the following link:

Click here for the Emergency Preparedness and Security Trends in Healthcare Survey.

If you provide your email address, you’ll receive the anonymized survey results before they are published and will be entered into a prize draw for a $200 gift card from the survey sponsor.

HIPAA Journal will eventually publish the results of the survey.

Note: HIPAA Journal is not conducting this survey and does not receive any payment for promoting this survey. HIPAA Journal has no commercial relationship with the survey sponsor. If your organization is running a survey that is of interest to healthcare professionals, you can contact us with the details.

The post 2020 Emergency Preparedness and Security Trends in Healthcare Survey appeared first on HIPAA Journal.

Patients Want Easy Access to Their Health Data but Better Privacy Protections Preferred

Posted by HIPAA Journal

Patients want easy access to their health data and for their health information to be presented in a concise, easy to understand format, according to a new poll conducted by Morning Consult on behalf of America’s Health Insurance Plans (AHIP). However, patients and consumers are well aware of the threat of cyberattacks and data breaches and they do not want their private health information to be compromised. A majority (62%) of patents and consumers said they would be willing to forego easy access to their health data if it meant greater privacy protections were in place to protect their health information.

In November 2019, President Trump signed an Executive Order on Improving Price and Quality Transparency in American Healthcare to Put Patients First. In response, the Department of Health and Human Services, the Department of Labor, and the Department of the Treasury proposed a new Transparency in Coverage Rule. The rule requires “employer-based group health plans and health insurance issuers offering group and individual coverage to disclose price and cost-sharing information to participants, beneficiaries, and enrollees up front.”

With access to that information, patients would be made aware of the costs they need to cover to meet the deductible of their plan or co-pay or co-insurance requirements. It would make it much easier for patients to make cost comparisons.

The cost of medical procedures is a key consideration for patients. 74% of respondents said they were very likely (52%) or somewhat likely (22%) to research how much they would have to pay for a medical procedure or service covered by their health insurance plan, and 68% said they would be very likely or somewhat likely to choose a lower cost medical procedure than one recommended by their doctor. 66% of respondents said they would consider making an appointment with a specialist, as recommended by a doctor, if they knew they would receive the same quality of care at a lower cost.

While easier access to cost information and greater transparency would be welcomed, 3 in 4 individuals who took part in the poll said they would not support a federal regulation that increases transparency if it also meant their insurance premiums would rise.

When it comes to obtaining information on medical procedures, patients want easy to understand information rather than comprehensive information. 82% of adults said that apps and websites that provide information on a medical procedure are more valuable if they provide concise, easy to understand information rather than comprehensive information that is confusing.

The survey also revealed there is strong support for federal legislation akin to HIPAA for technology companies that collect or are provided with health data. 90% of respondents said tech companies should also have to comply with strict standards for privacy and security as is the case with healthcare organizations.

The post Patients Want Easy Access to Their Health Data but Better Privacy Protections Preferred appeared first on HIPAA Journal.

CISA Issues Warning About Increase in Emotet Malware Attacks

Posted by HIPAA Journal

A warning has been issued by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) about a recent increase in Emotet malware attacks.

Emotet was first detected in 2014 and was initially developed to steal banking credentials, but it has seen considerable development over the past five years and is now is a highly sophisticated Trojan.

In addition to stealing banking credentials, Emotet can steal passwords stored in web browsers and the credentials files of external drives. Modules have been added that allow it to propagate via email and download other malware variants. The malware has been used to infect devices with cryptocurrency miners and cryptowallet stealers, the TrickBot banking Trojan, and Ryuk ransomware. These additional payloads are often downloaded weeks, months, or even years after the initial Emotet infection.

Emotet malware is primarily delivered via spam email. Initially, the malware was spread by JavaScript attachments; however, the threat actors behind the malware have now switched to Office documents with malicious macros that run PowerShell commands that download the malware. If the email attachment is opened and content is enabled, Emotet will be silently downloaded and executed. Spam emails containing hyperlinks to malicious websites have also been used to deliver the malware.

Emotet malware is persistent. It inserts itself into running processes and creates registry entries to ensure it is run each time the computer boots. Once a victim’s computer has been infected it is added to the Emotet botnet. The computer will then be used to distribute copies of Emotet to the victim’s contacts via email. According to SecureWorks, Emotet steals the first 8KB of all emails in the inbox. That data is used to craft new messages to contacts containing real message threads and replies are sent to unread messages in the inbox. This tactic increases the likelihood of the recipient opening the message and file attachment. Campaigns have also been detected using email attachments that imitate receipts, shipping notifications, invoices, and remittance notices.

In addition to propagation via email, Emotet enumerates network resources and writes itself to shared drives. It also brute forces domain credentials. If Emotet is detected on one computer, it is probable that several others are also infected. Removing Emotet can be problematic as cleaned devices are likely to be reinfected by other infected computers on the network.

The Emotet botnet was inactive for around 4 months from May 2019 but sprung back to life in September. Emotet activity suddenly stopped again in late December and remained quiet until January 13, 2020 when massive spamming campaigns resumed. Proofpoint detected one spam campaign targeting pharma companies that saw around 750,000 emails sent in a single day.

“If successful, an attacker could use an Emotet infection to obtain sensitive information. Such an attack could result in proprietary information and financial loss as well as disruption to operations and harm to reputation,” warns CISA in its January 22, 2020 alert.

CISA suggests the following steps should be taken to reduce the risk of an Emotet malware attack:

  • Block email attachments that are often associated with malware (.exe, .dll, .js etc.)
  • Block email attachments that cannot be scanned by anti-virus software (e.g. .zip, .rar files)
  • Implement Group Policy Object and firewall rules.
  • Ensure anti-virus software is installed on all endpoints
  • Ensure patches are applied promptly and a formalized patch management process is adopted
  • Implement filters at the email gateway
  • Block suspicious IP addresses at the firewall
  • Restrict the use of admin credentials and adhere to the principle of least privilege
  • Implement DMARC
  • Segment and segregate networks
  • Limit unnecessary lateral communications

Detailed CISA guidance on blocking Emotet and remediating attacks can be found on this link.

The post CISA Issues Warning About Increase in Emotet Malware Attacks appeared first on HIPAA Journal.