Latest HIPAA News

HHS Proposes New Stark Law Safe Harbor Covering Cybersecurity Donations

The U.S. Department of Health and Human Services (HHS) has proposed changes to physician self-referral and federal anti-kickback regulations which will see the creation of a new safe harbor covering hospital donations of cybersecurity software and associated services to physicians.

The proposed law change is detailed in two new rules issued by the HHS’ Office of Inspector General (OIG) and the Centers for Medicaid and Medicare Services (CMS) which aim to modernize and clarify regulations that interpret the Federal Anti-Kickback Statute and Physician Self-Referral law known as Stark Law.

The proposed rules are part of the HHS’s Regulatory Sprint to Coordinated Care which promotes value-based care by eliminating federal regulatory barriers that are impeding efforts to improve the coordination of care between providers.

“The digitization of the healthcare delivery system and related rules designed to increase interoperability and data sharing in the delivery of healthcare create numerous targets for cyberattacks,” explained OIG. “The healthcare industry and the technology used to deliver healthcare have been described as an interconnected ‘ecosystem’ where the ‘weakest link’ in the system can compromise the entire system.”

Physician practices are a possible weak link that could be exploited by threat actors to compromise the whole system. Many small healthcare providers lack the necessary resources to improve their security posture and ensure that their systems, networks, and patient data are adequately protected.

The proposed updates are intended to provide greater clarity for healthcare providers that participate in value-based arrangements and provide coordinated care for patients. They are intended to ease the compliance burden for healthcare providers while ensuring strong safeguards are maintained to protect patients and programs from fraud and abuse.

There is already an exception to Stark Law which permits healthcare providers to make EHR-related donations to physicians as well as donations of cybersecurity software and services. The proposed rule seeks to provide greater certainty for healthcare providers that such donations do not violate Stark Law.

The new safe harbor will remove real or perceived barriers that prevent parties from using cybersecurity technologies to improve security. The safe harbor was recommended by the HHS Healthcare Industry Cybersecurity Task Force in 2017 and will cover certain cybersecurity technologies and associated services that are essential for protecting against cyberattacks on the healthcare industry. Those attacks increase the costs of healthcare delivery and often prevent healthcare providers from accessing health records and other information essential for healthcare delivery.

In the context of the proposed rule changes, OIG defines cybersecurity as “the process of protecting information by preventing, detecting, and responding to cyberattacks.” Covered cybersecurity technology includes software or information technology that improves cybersecurity, but there are limitations on what can be donated. The rule includes software, cybersecurity training services, business continuity and data recovery services, services associated with security risk assessments, threat sharing services, and cybersecurity-as-a-service offerings.

The OIG rule does not permit donations of hardware as it could have uses outside of cybersecurity and would increase the risk of donations being made to influence referrals. OIG says it may consider updating its proposed rule to include certain types of stand-alone hardware that can only be used for cybersecurity purposes, such as multi-factor authentication dongles.

The proposed rules will help to reduce the cost of healthcare by helping smaller healthcare providers avoid the costs of improving their security posture and reduce the potential for costly cyberattacks. By receiving donations of necessary software and cybersecurity services, they will be able to direct funds to other items and services not covered by the proposed safe harbor.

“Administrative costs are driving up the cost of healthcare in America – to the tune of hundreds of billions of dollars. The Stark proposed rule is an important next step in President Trump’s healthcare agenda for Americans. We are updating our antiquated regulations to decrease burden for providers and helping bring down these increasingly escalating costs,” said CMS administrator Seema Verma.

“Regulatory reform has been a key piece of President Trump’s agenda not just for faster innovation and economic growth, but also better, higher-value healthcare. Our proposed rules would be an unprecedented opportunity for providers to work together to deliver the kind of high-value, coordinated care that patients deserve,” said HHS Secretary, Alex Azar.

The post HHS Proposes New Stark Law Safe Harbor Covering Cybersecurity Donations appeared first on HIPAA Journal.

New York Legislation Prohibits First Responders from Selling Patient Data for Marketing Purposes

On October 7, 2019, New York Governor Andrew Cuomo signed new legislation into law – S.4119/A.230 – that prohibits first responders and ambulance service personnel from selling or disclosing patient data to third parties for marketing or fundraising purposes.

The bill was originally introduced by New York Assembly Member Edward Braunstein in 2014 following reports that ambulance and first response service personnel were selling patient data such as names, addresses, phone numbers and medical histories to third parties such as pharmaceutical firms and nursing homes for marketing and fundraising purposes. Prior to the introduction of the new law, these disclosures and the sale of patient information were permitted in New York.

“Patients have a right to privacy and their medical information should never be sold to pharmaceutical companies, insurers, nursing homes, or other businesses,” explained Braunstein.

The legislation follows the June 25, 2019 signing of the Stop Hacks and Improve Electronic Data Security (SHIELD) Act into law, which overhauled state regulations for data privacy and security to better protect the private information of New York residents.

The new law applies to ambulance staff and first responders, but not to healthcare providers, health insurers, and parties acting under appropriate legal authority, such as government health inspectors and law enforcement. Patient information may be disclosed, transferred, or sold to the patient who is the subject of the information or a person authorized to make health care decisions on behalf of the patient.

Ambulance staff and first responders are only permitted to sell, disclose, transfer, exchange, or use patient data for marketing or fundraising purposes if they have obtained written consent from the patient in question prior to the sale or disclosure. The new law does not apply to de-identified patient data.

The new law applies to all individually identifying information which would allow a patient to be identified. Marketing is classed as, but not limited to, “advertising, detailing, marketing, promotion, or any activity that is intended to be or could be used to influence business volume, sales or market share or evaluate the effectiveness of marketing practices or personnel,” and applies to the sale or disclosure of patient data to for-profit, not-for-profit, and governmental entities.

“Nothing is more personal than your health records, and New Yorkers have a right to privacy when it comes to this incredibly sensitive information,” said Governor Cuomo. “This law sets clear guidelines so patient information isn’t sold or used for marketing purposes and most importantly doesn’t end up in the wrong hands.”

“Under no circumstances, when someone is in the middle of a life-threatening crisis, should they have to worry about their information being sold for any reason,” added Senator John Liu.

Pulse Connect, GlobalProtect, Fortigate VPN Vulnerabilities Being Actively Exploited by APT Actors

Vulnerabilities in popular VPN products from Pulse Secure, FortiGuard, and Palo Alto are being actively exploited by advanced persistent threat (APT) actors to gain access to vulnerable VPNs and internal networks.

The DHS’ Cybersecurity and Infrastructure Security Agency (CISA) and other cybersecurity agencies issued security advisories about multiple vulnerabilities in VPN products over the summer of 2019; however, many organizations have been slow to take action. Weaponized exploits for the vulnerabilities have now been developed and are being used by APT actors, and exploit code is freely available online on GitHub and in the Metasploit framework.

On October 1, 2019, the UK’s National Cyber Security Centre issued a warning about the vulnerabilities following several attacks on government agencies, the military, businesses, and the education and healthcare sectors. The National Security Agency (NSA) also issued a security advisory about the vulnerabilities along with mitigations on October 7.

The vulnerabilities are present in outdated versions of the Pulse Secure VPN (CVE-2019-11508 and CVE-2019-11538), the Palo Alto GlobalProtect VPN (CVE-2019-1579), and the Fortinet Fortigate VPN (CVE-2018-13379, CVE-2018-13382, CVE-2018-13383).

No mention was made about the APT actors responsible for the attacks, although there have been reports that the Chinese APT group APT5 has been conducting attacks on Pulse Secure and Fortinet VPNs.

The weaponized exploits allow APT actors to retrieve arbitrary files, including those containing authentication credentials. Those credentials can then be used to gain access to vulnerable VPNs, change configurations, remotely execute code, hijack encrypted traffic sessions, and connect to other network infrastructure.

The flaws are serious and require immediate action to prevent exploitation. The NSA security advisory urges all organizations using any of the above products to check to make sure they are running the latest versions of VPN operating systems and to upgrade immediately if they are not.

The NSA advisory also provides information on actions to take to check whether the flaws have already been exploited and steps to take if an attack is discovered. If a threat actor has already exploited one of the vulnerabilities and has obtained credentials, upgrading to the latest version of the OS will not prevent those credentials from being used.

The NSA therefore advises all entities running vulnerable VPN versions to reset credentials after the upgrade and before reconnection to the external network as a precaution, since it may be difficult to identify an historic attack from log files.

User, administrator, and service account credentials should be reset, and VPN server keys and certificates should be immediately revoked and regenerated. If a compromise is suspected, accounts should be reviewed to determine whether the attacker has created any new accounts.

The NSA has also provided recommendations for public-facing VPN deployment and long-term hardening controls.

An Internal Security Operations Center Cuts Data Breach Costs by More Than Half

A recent survey conducted by B2B International on behalf of Kaspersky Lab has revealed the average cost of an enterprise-level data breach has risen to $1.41 million from $1.23 million in 2018.

The increased risk of a data breach and the increasing remediation costs have prompted enterprises to invest more heavily in cybersecurity. When the Kaspersky Global Corporate IT Security Risks Survey was last conducted in 2018, average IT security budgets were $8.9 million. In 2019, budgets had increased to an average of $18.9 million.

The biggest costs from a data breach were found to be damage to the company’s credit rating and increased insurance costs, followed by the cost of hiring external security consultants, loss of business, brand repair, additional wages for internal staff, compensation, and financial penalties and regulatory fines.

While there are several things enterprises can do to cut data breach costs, the appointment of a dedicated Data Protection Officer (DPO) and deploying an internal Security Operations Center (SOC) are the two most important for reducing cyberattack-related costs.

A DPO is responsible for creating and implementing a data protection strategy and monitoring and managing compliance issues. 34% of enterprises that had a dedicated DPO said security incidents at their company did not result in financial losses, compared to 20% of businesses overall.

The average data breach cost at an organization with an internal SOC was $675,000 – less than half the cost of a breach at an organization without an internal SOC. The equivalent cost at large SMBs (500+ employees) was $129,000. With an internal SOC in place to monitor and respond to security incidents, the cost of a data breach was reduced to $106,000.

The survey revealed outsourcing security to managed service providers can result in increased data breach costs, at least for enterprises. 23% of businesses that used an MSP for security experienced data breach costs in the range of $100,000 to $249,000, compared to 19% of businesses with an in-house IT security team.

Appointing a DPO and setting up an internal SOC can help to reduce the likelihood of a data breach occurring, but it does not mean all data breaches will be prevented. With these key personnel in place, when a breach does occur the company will be prepared and will be able to respond quickly and efficiently, which will keep the costs to a minimum.

Recruiting a DPO, hiring staff for an internal SOC, and purchasing the necessary tools to support those personnel can be a time consuming and costly process, but the survey shows investment in key internal security personnel is certainly worthwhile and can significantly reduce the costs of data breaches. 61% of enterprises and SMBs in the United States are planning on increasing investment in specialized IT staff in the next 12 months.

FBI Issues Updated Ransomware Guidance: Extent of U.S. Ransomware Epidemic Revealed

A recent report from New Zealand-based cybersecurity firm Emsisoft has revealed the extent to which ransomware is being used to attack government entities, healthcare organizations and school districts in the United States. In the first 9 months of 2019, the firm has identified 621 reported ransomware attacks in the United States.

Ransomware attacks can have devastating consequences. This week, a healthcare provider announced that it will be permanently closing its doors as a result of a ransomware attack due to extensive damage to its systems and the permanent loss of patient data. This is the second healthcare provider known to have been forced out of business due to a ransomware attack this year.

Even when recovery is possible – by paying the ransom or restoring files from backups – the attacks cause major disruption and result in substantial losses. A ransomware attack on DCH health system forced its three hospitals to temporarily close to all but critical patients while systems were restored. Attacks on municipalities have resulted in essential services grinding to a halt, police departments have lost access to records systems, and schools have been forced to send children home and, in one case, delay the start of the school year.

The cost of the attacks is considerable. Lake City in Florida paid a ransom demand of $460,000 and Riviera Beach in Florida paid $600,000 for the keys to unlock the encryption. Those payments were high, but they are just a fraction of the total cost of the attack.

If the decision is taken not to pay the attackers, the costs can be considerably higher. The city of Baltimore was issued with a ransom demand of $76,000 which it refused to pay. The cost of mitigating the attack has been estimated at $18.2 million. The costs may even be higher still. Last month, the Danish hearing aid manufacturer Demant experienced a suspected ransomware attack and recently told its investors that the bill is likely to be between $80 million and $95 million.

When attacks take place, it may be possible to restore files without paying a ransom. Emsisoft has developed workarounds for certain types of ransomware attack and free decryptors are available for some ransomware variants through the NoMoreRansom project. However, in most cases attacked entities only have three choices: Accept file loss, restore files from backups, or pay the ransom.

FBI Updates its Ransomware Guidance

The recent attacks have prompted the FBI’s Internet Crime Complaint Center (IC3) to update its advice on ransomware. The FBI has long maintained the view that paying a ransom is never advisable. The attackers may not hold valid keys to unlock the encryption or may choose not to supply them and issue further demands after an initial payment is made.

Data can be corrupted during the encryption process which may make it impossible to recover some or all of the encrypted data. The FBI also says, “Paying ransoms emboldens criminals to target other organizations and provides an alluring and lucrative enterprise to other criminals.”

That said, the latest ransomware guidance has seen the FBI slightly soften its stance on paying ransoms, saying “the FBI understands that when businesses are faced with an inability to function, executives will evaluate all options to protect their shareholders, employees, and customers.” In some cases, paying the ransom demand may be the best option.

What the recent attacks have clearly demonstrated is that it is essential to ensure that valid backups of all critical data are made to keep attacked entities’ options open. It is no use creating backups and storing them on networked devices, as those backups are likely to also be encrypted. Multiple backup copies should be created and at least one backup copy should be stored on a non-networked device that is not connected to the internet. It is also essential to test backups to make sure files can be recovered in the event of disaster. If backups are corrupted, paying the ransom may be the only option.

Dental Practice Fined $10,000 for PHI Disclosures on Yelp

The Department of Health and Human Services’ Office for Civil Rights has agreed to settle a HIPAA violation case with Elite Dental Associates over the impermissible disclosure of multiple patients’ protected health information (PHI) when responding to patient reviews on the Yelp review website.

Elite Dental Associates is a Dallas, TX-based privately-owned dental practice that provides general, implant and cosmetic dentistry. On June 5, 2016, OCR received a complaint from an Elite patient about a social media HIPAA violation. The patient claimed the dental practice had responded to a review she left on Yelp and publicly disclosed some of the PHI.

When replying to the patient’s June 4, 2016 post, Elite disclosed the patient’s last name along with details of her health condition, treatment plan, insurance, and cost information.

The investigation confirmed that to be the case, but also found it was not the first time that PHI had been disclosed without authorization on the social media platform when responding to patient reviews. Further impermissible PHI disclosures were found on the Elite review page.

In addition to the impermissible disclosures of PHI, which violated 45 C.F.R. § 164.502(a), OCR determined Elite had not implemented policies and procedures relating to PHI, in particular the release of PHI on social media and other public platforms, in violation of 45 C.F.R. § 164.530(i). Elite was also discovered not to have included the minimum required content in its Notice of Privacy Practices as required by the HIPAA Privacy Rule (45 C.F.R. § 164.520(b)).

OCR agreed to a HIPAA violation fine of $10,000 and a corrective action plan (CAP) to resolve the alleged HIPAA violations and settle the case with no admission of liability. The three potential HIPAA violations could have attracted a substantially higher financial penalty; however, when considering an appropriate financial penalty, OCR took the financial position of the practice, its size, and Elite’s cooperation with the OCR investigation into account.

“Social media is not the place for providers to discuss a patient’s care,” said OCR Director, Roger Severino. “Doctors and dentists must think carefully about patient privacy before responding to online reviews.”

This is the 4th OCR HIPAA settlement of 2019. In September, OCR fined Bayfront Health St Petersburg $85,000 for a HIPAA Right of Access failure. In May, two settlements were agreed to resolve multiple HIPAA violations at Medical Informatics Engineering ($100,000) and Touchstone Medical Imaging ($3,000,000).

URGENT/11 Cybersecurity Vulnerabilities in Medical Devices Prompt FDA Warning

Security researchers at Armis have identified 11 vulnerabilities in the Interpeak IPnet TCP/IP Stack, a third-party software component used in hospital networks and certain medical devices.

The vulnerabilities were reported to the DHS Cybersecurity and Infrastructure Security Agency (CISA), prompting an ICS medical advisory and a Food and Drug Administration (FDA) Safety Communication warning patients, healthcare providers, facility staff and manufacturers about the flaws.

The FDA alert – named URGENT/11 – explains that the vulnerabilities could be remotely exploited by a threat actor, allowing full control to be taken of a vulnerable medical device. An attacker could change the functions of the device, access sensitive information, or cause logical flaws or a denial of service that could stop the device from working.

While there have been no reports of the flaws being exploited in the wild, the FDA warns that the software required to exploit the flaws is publicly available.

Interpeak IPnet TCP/IP Stack supports network communications between computers, and while it is no longer supported by the original developer, some device manufacturers are licensed to use the component in their software applications, systems, and equipment without support.

The FDA warns that the vulnerable component is in use in some versions of the following operating systems:

  • VxWorks (by Wind River)
  • Operating System Embedded (OSE) (by ENEA)
  • INTEGRITY (by Green Hills)
  • ThreadX (by Microsoft)
  • ITRON (by TRON Forum)
  • ZebOS (by IP Infusion)

Certain Becton Dickinson (BD), Drager, GE Healthcare, Philips Healthcare, and Spacelabs products are also affected by the flaws. Each of those companies has released security advisories about the affected products.

Wind River holds the license for IPnet and has released patches to mitigate the vulnerabilities. If it is not possible to upgrade to the latest version of the OSE, other mitigating controls can be implemented to reduce the risk of exploitation. Wind River should be contacted for details of possible compensating controls.

The flaws are detailed in the ICS-CERT Medical Advisory (ICSMA-19-274-01). The FDA has released recommendations for device manufacturers, healthcare providers, healthcare facility staff, patients and caregivers.

Healthcare providers have been advised to work with their device manufacturers to determine which devices are vulnerable and find out about the steps that need to be taken to secure the devices. They have also been advised to inform patients using vulnerable devices to immediately report any suspected operational or functional changes to their medical devices.

9 of the vulnerabilities are classed as high severity with a CVSS v3 score of between 7.0 and 10, three of which have a score of 9.8. In order of severity, the CVE numbers are: CVE-2019-12256, CVE-2019-12255, CVE-2019-12260, CVE-2019-12257, CVE-2019-12261, CVE-2019-12263, CVE-2019-12258, CVE-2019-12259, CVE-2019-12262, CVE-2019-12264, and CVE-2019-12265.

Wood Ranch Medical Announces Permanent Closure Due to Ransomware Attack

Another healthcare provider has announced it will be permanently closing its doors as a direct result of a ransomware attack. The devastating attack occurred at Wood Ranch Medical in Simi Valley, CA, which recently announced that the practice will permanently close on December 17, 2019.

The attack occurred on August 10, 2019 and resulted in its servers being infected with ransomware. The attack caused widespread file encryption and prevented medical records from being accessed. The extent of the attack was such that computer systems were permanently damaged making file recovery impossible. The practice had created backups of patient records, but those backups were also encrypted and could not be used to restore patient data.

Ransomware attacks are usually conducted with the sole purpose of extorting money. Files are encrypted and a ransom demand is issued. If the ransom is not paid, files remain permanently encrypted. Payment of the ransom comes with no guarantee that file recovery will be possible and encourages further attacks. For these reasons the FBI recommends ransom payments are never made.

In this case, the practice believes that the sole aim of the attack was to obtain payment and no patient records are believed to have been accessed by the attackers or downloaded from its servers. Nonetheless, affected patients have been advised to exercise caution and monitor their credit reports and explanation of benefits statements for any sign of fraudulent activity. The types of information potentially compromised included names, addresses, dates of birth, health information, and health insurance information.

Wood Ranch Medical’s website now only displays the substitute breach notice, as operations are wound down. “WRM takes the protection of its patients’ information seriously and sincerely apologizes for any inconvenience this incident may cause.” The incident affects 5,835 patients, all of whom have been sent notification letters by mail. Over the next two months, the practice will be working with patients to help them find alternative medical practitioners in the area who will be able to serve their healthcare needs.

This incident highlights the catastrophic consequences of ransomware attacks. In this case the attack has not only forced a practice to close and made staff unemployed, it has also caused considerable disruption for patients and the permanent loss of their health records.

This is not the first practice that has been forced to shut down as a result of a ransomware attack and it is unlikely to be the last. Earlier this year, Brookside ENT and Hearing Center in Battle Creek, MI similarly experienced a ransomware attack that permanently encrypted patient records. Its owners took the decision to close the business and take early retirement rather than rebuild the practice from scratch.

Sen. Rand Paul Introduces National Patient Identifier Repeal Act

Sen. Rand Paul, M.D., (R-Kentucky) has introduced a new bill that attempts to have the national patient identifier provision of HIPAA permanently removed due to privacy concerns over the implementation of such a system.

Today, HIPAA is best known for its healthcare data privacy and security regulations, but the national patient identifier system was proposed in the original HIPAA legislation of 1996 as a measure to facilitate data sharing and help reduce wastage in healthcare.

The provision called for the HHS to “adopt standards providing for a standard unique health identifier for each individual, employer, health plan, and healthcare provider for use in the health care system.” However, in 1998, former Congressman Ron Paul (R-Texas), Sen. Rand Paul’s father, introduced a proposal which called for a ban on funding the development and implementation of such a system. The ban was introduced into the Congressional budget for 1999 and has been written into all Congressional budgets ever since.

This year there was hope that the ban would finally be removed following a June amendment to the House of Representatives’ appropriation bill for fiscal year 2020. The amendment received strong bipartisan support and it was hoped that the Senate would follow the House’s lead and have the ban finally lifted. However, on September 18, 2019, the Senate appropriations subcommittee’s proposed budget bill for fiscal year 2020 included the same language as previous years and, as it stands, the ban looks set to remain in place for at least another year.

Sen. Rand Paul’s National Patient Identifier Repeal Act seeks to repeal the HIPAA provision, which Sen. Paul believes will place the privacy of Americans at risk. He considers the provision to be dangerous, as it would allow a government-issued ID number to be linked with the private medical histories of every man, woman, and child in America.

It is for the very same reason that dozens of healthcare industry stakeholder groups want the national patient identifier introduced, as without such an identifier, it is difficult to accurately match medical records with the correct patient. Those seeking to have the ban lifted believe it will improve the accuracy of health information exchange and improve security and patient safety.

Sen. Paul disagrees, as he believes the potential privacy risks are too great. “As a physician, I know firsthand how the doctor-patient relationship relies on trust and privacy, which will be thrown into jeopardy by a national patient ID,” explained Sen. Paul. “Considering how unfortunately familiar our world has become with devastating security breaches and the dangers of the growing surveillance state, it is simply unacceptable for government to centralize some of Americans’ most personal information.”

Industry associations such as the College of Healthcare Information Management Executives (CHIME) have stepped up efforts to have the ban lifted due to the difficulties matching medical records with patients.

CHIME CEO Russ Branzell explained that Congress has already approved a healthcare identifier for Medicare beneficiaries, but a national identifier is also required. “The patient identification conversation is one about saving lives and unlocking the potential for technology to revolutionize healthcare while cutting costs.” He has called Sen. Paul’s views on the national patient identifier “antiquated and from some bygone era.”

While many industry associations share Branzell’s view, Sen. Paul’s bill has received support from certain privacy advocacy groups, including the Citizen’s Council for Health Freedom. Advocates of the removal of the HIPAA provision believe the centralization of patient information would greatly increase the risk of security breaches and could allow hackers to steal individuals’ lifelong healthcare records. They also believe such a system would allow unprecedented tracking of Americans through their healthcare records.
