Latest HIPAA News

Senate Fails to Remove Ban on Funding of National Patient Identifier

Posted by HIPAA Journal

The Department of Health and Human Services (HHS) is prohibited from using any of its budget to fund the development and implementation of a national patient identifier, but there was hope that the ban would finally be lifted this year.

The House of Representatives added an amendment to its Departments of Labor, Health, and Human Services, and Education, and Related Agencies Act of 2020 which removed the ban, which would allow the HHS to follow through on this requirement of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

It now looks likely that the ban will remain in place for at least another year as the Senate Appropriations Subcommittee’s draft 2020 fiscal budget bill, released last Wednesday, has retained the text banning the HHS from acting on this HIPAA requirement.

The ban has been in place since 1999 and was introduced because of concerns over patient privacy. The ban has been written into the Congressional budget every year since and the proposed 2020 fiscal budget bill is no different.

The proposed fiscal budget bill includes the text, “None of the funds made available in this act may be used to promulgate or adopt any final standard under section 1173(b) of the Social Security Act providing for, or providing for the assignment of, a unique health identifier for an individual (except in an individual’s capacity as an employer or a health care provider), until legislation is enacted specifically approving the 13 standard.”

The purpose of the national patient identifier is to make it easier for patients to be efficiently matched with their health records. Regardless of where a patient receives treatment, their health data will be tied to them through their unique national patient identifier code. The new identifier would help to ensure that patient information could flow freely between different healthcare organizations and it is seen by many healthcare industry stakeholders to be essential for full interoperability. A national patient identifier could help to improve patient privacy, patient safety, and eliminate considerable waste and misspending in healthcare.

For several years, industry associations such as the College of Healthcare Information Management Executives (CHIME), the American Health Information Management Association (AHMIA), and the Health Innovation Alliance (HIA) have been calling for the ban to be lifted.

HIA Executive Director Joel White has called the ban ‘antiquated’ and said studies have suggested that patients are matched with their records as little as 50% of the time. A national patient identifier would instantly solve that problem.

Efforts to have the ban removed have stepped up in recent years, and this year 56 healthcare stakeholder groups urged the Senate to remove the ban. Significant progress was made this year when the amendment receives strong bipartisan support in the House of Representatives.

Convincing the Senate to lift the ban is proving more difficult. As long as privacy concerns remain, the ban is unlikely to be lifted. One of the main issues is a single identifier would be used to tie medical records to an individual from birth until death, and that could allow unprecedented tracking of Americans through their health records. It could also potentially facilitate the sharing, use, and analysis of patient data without patient consent.

While the draft fiscal budget bill has not had the ban removed, it is possible that an amendment could be made at a later date. AHMIA and CHIME leaders remain hopeful that the Senate will follow the House’s lead and have the ban lifted this year.

The post Senate Fails to Remove Ban on Funding of National Patient Identifier appeared first on HIPAA Journal.

Study Reveals Types of Protected Health Information Most Commonly Exposed in Healthcare Data Breaches

Posted by HIPAA Journal

Researchers from Michigan State University and Johns Hopkins University have conducted a study of healthcare data breaches over the past 10 years to examine what types of information are most commonly exposed in healthcare data breaches.

The study, published in the journal Annals of Internal Medicine on Monday September 23, 2019, confirms that the health information of approximately 169 million Americans was exposed, compromised, or impermissibly disclosed in 1,461 data breaches at 1,388 entities between October 2009 and July 2019. Those breaches each impacted 500 or more individuals and were reportable incidents under HIPAA and the HITECH Act.

The researchers explain that information about the types of information exposed in data breaches is not widely available to the public, since it is not a requirement to share the types of data that have been compromised in the breaches. It is therefore difficult for researchers to classify the amount and types of healthcare information exposed and gain an accurate picture of the consequences of the breaches.

“When the media reports data breaches that occurred to healthcare providers, the headline is always the number of patients affected,” explained John (Xuefeng) Jiang, MSU professor of accounting and information systems at MSU and lead author of the study. “We felt both the regulators and the public didn’t pay enough attention to the type of information compromised in the healthcare data breach.”

Types of Data Exposed in Healthcare Data Breaches

For the study, the researchers categorized healthcare data into three main groups: Demographic information (Names, email addresses, personal identifiers etc.); service and financial information (Payments, payment dates, billing amounts etc.); and Medical information (Diagnosis, treatments, medications etc.)

Social Security numbers, drivers license numbers, payment card information, bank account information, insurance information, and birth dates added to a subcategory of sensitive demographic information. This information could be used by criminals for identity theft, medical identity theft, tax and financial fraud. A subcategory of medical information was also used for particularly sensitive health data such as substance abuse records, HIV status, sexually transmitted diseases, mental health information, and cancer diagnoses, due to the potential implications for patients should that information be exposed or compromised.

Key Findings of the Study

  • 71% of breaches involved either sensitive demographic information or sensitive financial information, which placed 159 million individuals at risk of identity theft or financial fraud
  • 66% of breaches involved sensitive demographic information such as Social Security numbers
  • 65% of the breaches exposed general medical or clinical information
  • 35% of breaches compromised service or financial information
  • 16% of breaches only exposed medical or clinical information without exposing sensitive demographic or financial information
  • 76% of breaches included sensitive service and financial information such as credit card numbers – Those breaches affected 49 million individuals
  • 2% of breaches compromised sensitive health information – Those breaches affected 2.4 million individuals

Jiang believes hackers are not targeting healthcare organizations to gain access to patients’ sensitive medical information, instead healthcare organizations are attacked, and hackers take whatever data they can find in the hope that the information can be monetized. Jiang suggests hospitals and research institutions should store medical information separately from demographic information. Medical information could then be shared between healthcare providers and researchers without greatly increasing risks for patients. A separate system could be used for demographic, financial and billing information, which is needed by hospital administration staff.

The researchers advocate greater focus on the types of information exposed or compromised in healthcare data breaches to help breach victims manage risk more effectively. They suggest the Department of Health and Human Services should formally collect and publish information about the types of data that have been exposed in data breaches to help the public assess the potential for harm. The researchers plan to work closely with lawmakers and the healthcare industry to provide practical guidance and advice based on the results of their academic studies.

Data Breach Notifications Under HIPAA

The HIPAA Breach Notification Rule requires all patients affected by a reportable healthcare data breach to be notified within 60 days of discovery of the breach. Affected individuals must be told what types of information have been exposed or compromised as that information allows breach victims to make a determination about the risk they face so they can make a decision about any actions they need to take to reduce the risk of harm.

OCR explains in its online guidance on breach notification requirements of HIPAA, “These individual notifications must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach and must include, to the extent possible, a brief description of the breach, a description of the types of information that were involved in the breach, the steps affected individuals should take to protect themselves from potential harm, a brief description of what the covered entity is doing to investigate the breach, mitigate the harm, and prevent further breaches, as well as contact information for the covered entity (or business associate, as applicable).”

Publicly Available HIPAA Breach Information

The HHS’ Office for Civil Rights, as required by the HITECH Act, has been publishing summaries of data breaches of 500 or more healthcare records on the HHS website since October 2009. The breach portal, which can be accessed by the public, contains basic information about the breaches.

The breach portal details the name of the breached entity, state, type of covered entity, individuals affected, breach submission date, type of breach, location of breached information, and whether there was business associate involvement. This information can also be downloaded for breaches that are under investigation by OCR and for incidents that have been archived following the closure of the OCR investigation.

When a data breach is archived, further information is added to the breach summary in a “web description” field. The web summary is not available for breaches still under investigation, but the information is included for archived breaches. The web summary is only viewable in the downloaded breach reports.

In many cases, the web description includes details of the types of information that were exposed in the breach, but not in all cases. Formalizing this requirement would ensure that all breaches detailed on the portal would have that information included. The web description field also includes information on any actions taken by OCR in response to the breach that led to the resolution and closure of the investigation.

The post Study Reveals Types of Protected Health Information Most Commonly Exposed in Healthcare Data Breaches appeared first on HIPAA Journal.

August 2019 Healthcare Data Breach Report

Posted by HIPAA Journal

In August, healthcare data breaches continued to be reported at a rate of more than 1.5 per day, which is around twice the average monthly breaches in 2018 (29.5 per month). This is the second successive month when breaches have been reported at such an elevated level. While the number of breaches has not changed much since last month (49 compared to 50), there has been a substantial reduction in the number of exposed records.

 

August saw 729,975 healthcare records breached compared to 25,375,729 records in July, 3,452,442 records in June, and 1,988,376 records in May. The exceptionally high breach total for July was mostly due to the massive data breach at American Medical Collection Agency (See below for an update on the AMCA breach total).

Breached Healthcare Records by Year

Causes of August 2019 Healthcare Data Breaches

Hacking and other IT incidents dominated the breach reports in August. 32 breaches were attributed to hacking/IT incidents, which is almost double the number of breaches from all other causes. Hacking/IT incidents breached 602,663 healthcare records – 82.56% of all records breached in August. The average breach size was 18,833 records and the median breach size was 5,248 records.

There were 12 unauthorized access/disclosure incidents reported in August which breached 77,316 healthcare records. Those incidents breached an average of 6,443 records and the mean breach size was 1,281 records.  There were 3 loss incidents and 2 theft incidents. The theft incidents saw 17,650 records potentially compromised and 32,346 records were exposed due to the loss of paperwork or electronic devices. The mean loss breach size was 10,782 records and the mean theft breach size was 8,825 records.

Causes of August 2019 Healthcare Data Breaches

Location of Breached PHI

Phishing continues to pose serious problems for healthcare organizations. Out of the 49 reported breaches, 46.94% – 23 breaches – involved PHI stored in email accounts. The majority of those email breaches were due to phishing attacks.

There were 9 breaches reported that involved PHI stored on network servers, several of which involved ransomware. There were 7 breaches involving paper records/films, highlighting the need for enhanced physical security and administrative controls.

Four breaches involved portable electronic devices such as zip drives and laptop computers. These types of breaches have reduced considerably in recent years largely through the use of encryption, which should be implemented on all portable electronic devices used to store ePHI.

Location of Breached PHI in August 2019 Healthcare Data Breaches

Defending against phishing attacks is a major challenge, and one that can only be solved through layered defenses and staff training. Technological solutions such as spam filters, web filters, firewall rules, multi-factor authentication, and DMARC should be implemented to block phishing attempts, but the sophisticated nature of many phishing campaigns means even layered defenses may be bypassed. End user training is therefore essential. Employees must be trained how to recognize email threats and conditioned how to respond when suspicious emails land in their inboxes.

An annual training session may have been sufficient to provide protection a few years ago, but the increased number of attacks and diverse nature of email threats means a single annual training session is no longer enough. Annual classroom-based training sessions should be augmented with more regular refresher training sessions, cybersecurity bulletins, and email alerts about new threats to watch out for. Phishing simulation exercises are also very beneficial for helping identify individuals who require further training and to find out how effective training has been at reducing susceptibility to phishing attacks.

Largest Healthcare Data Breaches in August 2019

Listed below are the top ten healthcare data breaches reported in August 2019. The largest breach of the month was a phishing attack on Presbyterian Healthcare Services, which saw 183,370 healthcare records breached. The Conway Regional Health System, NorthStar Anesthesia, and Source 1 Healthcare Solutions breaches were also due to phishing attacks.

The Wisconsin Diagnostic Laboratories breach, which affected 114,985 individuals, the 33,370-record breach at Mount Sinai Hospital, and the 29,644-record breach at Integrated Regional Laboratories were all due to the hacking of business associate AMCA.

The breach at Grays Harbor Community Hospital was due to a ransomware attack and the Renown Health breach was due to the loss of a portable storage device. The cause of the breach at Timothee T. Wilkin, D.O. has not been confirmed.

Name of Covered Entity Covered Entity Type Individuals Affected Type of Breach
Presbyterian Healthcare Services Healthcare Provider 183370 Hacking/IT Incident
Wisconsin Diagnostic Laboratories Healthcare Provider 114985 Hacking/IT Incident
Grays Harbor Community Hospital Healthcare Provider 88399 Hacking/IT Incident
Conway Regional Health System Healthcare Provider 37000 Unauthorized Access/Disclosure
Mount Sinai Hospital Healthcare Provider 33730 Hacking/IT Incident
Integrated Regional Laboratories, LLC Healthcare Provider 29644 Hacking/IT Incident
Renown Health Healthcare Provider 27004 Loss
NorthStar Anesthesia, P.A. Healthcare Provider 19807 Unauthorized Access/Disclosure
Source 1 Healthcare Solutions LLC Business Associate 15450 Hacking/IT Incident
Timothee T. Wilkin, D.O. Healthcare Provider 15113 Hacking/IT Incident

 

August 2019 Healthcare Data Breaches by Covered Entity Type

42 of the month’s 49 data breaches were reported by healthcare providers and three incidents were reported by health plans. Business associates reported 4 breaches and a further 8 incidents had some business associate involvement.

August 2019 Healthcare Data Breaches by Covered Entity Type

August 2019 Healthcare Data Breaches by State

August’s healthcare data breaches affected entities based in 26 states. Texas was the worst affected with 5 reported breaches. 4 breaches were reported by entities based in Washington state, and three breaches were suffered by entities based in Arkansas, New York, and Pennsylvania.

California, Georgia, Illinois, Massachusetts, Minnesota, Missouri, New Mexico, Ohio, Oregon, and Wisconsin each experienced 2 breaches and one breach was reported by an entity based in each of Connecticut, Florida, Iowa, Kansas, Michigan, Nevada, New Jersey, Oklahoma, Rhode Island, Tennessee, and Virginia.

HIPAA Enforcement Activity in August 2019

There were no civil monetary penalties or settlements between the HHS and HIPAA-covered entities/business associates in August, and also no HIPAA-related enforcement activities by state attorneys general.

AMCA Data Breach Update

The AMCA data breach affected at least 24 healthcare organizations, 23 of which have now submitted breach reports to the Department of Health and Human Service’ Office for Civil Rights. The confirmed breach total currently stands at 26,043,743 records with a further 16,100 records expected to be added to that total.  These breaches were mostly reported to OCR in July and August.

Healthcare Organization Confirmed Victim Count
1 Quest Diagnostics/Optum360 11,500,000
2 LabCorp 10,251,784
3 Clinical Pathology Associates 1,733,836
4 Carecentrix 467,621
5      Laboratories/Opko Health 425,749
6 American Esoteric Laboratories 409,789
7 Sunrise Medical Laboratories 401,901
8 Inform Diagnostics 173,617
9 CBLPath Inc. 141,956
10 Laboratory Medicine Consultants 140,590
11 Wisconsin Diagnostic Laboratories 114,985
12 CompuNet Clinical Laboratories 111,555
13 Austin Pathology Associates 43,676
14 Mount Sinai Hospital 33,730
15 Integrated Regional Laboratories 29,644
16 Penobscot Community Health Center 13,299
17 Pathology Solutions 13,270
18 West Hills Hospital and Medical Center / United WestLabs 10,650
19 Seacoast Pathology, Inc 8,992
20 Arizona Dermatopathology 5,903
21 Laboratory of Dermatology ADX, LLC 4,082
22 Western Pathology Consultants 4,079
23 Natera 3,035
24 South Texas Dermatopathology LLC TBC (Est. 16,100)
Total Records Breached 26,043,743

The post August 2019 Healthcare Data Breach Report appeared first on HIPAA Journal.

400 Million Medical Images Are Freely Accessible Online Via Unsecured PACS

Posted by HIPAA Journal

A recent investigation by ProPublica, the German public broadcaster Bayerischer Rundfunk, and vulnerability and analysis firm, Greenbone Networks, has revealed 24.3 million medical images in medical image storage systems are freely accessible online and require no authentication to view or download the images.

Those images, which include X-rays, MRI, and CT scans, are stored in picture archiving and communications systems (PACS) connected to the Internet.

Greenbone Networks audited 2,300 Internet-connected PACS between July and September 2019 and set up a RadiAnt DICOM Viewer to access the images stored on open PACS servers.

Those servers were found to contain approximately 733 million medical images of which 399.5 million could be viewed and downloaded. The researchers found 590 servers required no authentication whatsoever to view medical images.

PACS use the digital imaging and communications in medicine (DICOM) standard to view, process, store, and transmit the images. In most cases, a DICOM viewer would be required to access the images, but in some cases, all that is required is a web browser or a few lines of code. Anyone with rudimentary computer expertise would be able to view and download the images.

The exposed PACS were located in 52 countries and the highest concentration of unprotected PACS were found in the United States. 187 unsecured servers were found in the United States. The exposed U.S. PACS contained 13.7 million data sets and 303.1 million medical images of around 5 million U.S. patients.

The researchers found more than 10,000 security issues on the audited systems, 20% of which were high-severity and 500 were critical and had a CVSS v3 score of 10 out of 10.

The images included personal and medical information such as patients’ names, dates of birth, scan date, scope of the investigation, type of imaging procedure performed, institute name, attending physicians’ names, and the number of generated images. Some of the images also contained Social Security numbers.

The types of patient information included on the images could be used for identity theft, medical identity theft, and insurance fraud. The data could also be used to extort money from patients or create highly convincing spear phishing emails.

While the investigation uncovered no evidence to suggest any of the exposed information had been copied and published online, the possibility of data theft could not be discounted.

PACS are designed to allow images to be accessed easily by healthcare professionals, but the systems often lack security controls to restrict access. It is the responsibility of healthcare delivery organizations (HDOs) to ensure safeguards are implemented to secure their PACS, but HDOs can face major challenges addressing vulnerabilities and securing their systems without negatively impacting workflows.

To help address the problem, the National Cybersecurity Center of Excellence (NCCoE) recently released new guidance for HDOs to help them improve security controls on PACS and mitigate risks without negatively impacting user productivity and system performance.

The post 400 Million Medical Images Are Freely Accessible Online Via Unsecured PACS appeared first on HIPAA Journal.

Mobile Device Security Guidance for Corporate-Owned Personally Enabled Devices Issued by NCCoE

Posted by HIPAA Journal

The National Cybersecurity Center of Excellence (NCCoE) has issued new draft NIST mobile device security guidance to help organizations mitigate the risks introduced by corporate-owned personally enabled (COPE) devices.

Mobile devices allow employees to access resources essential for their work duties, no matter where those individuals are located. As such, the devices allow organizations to improve efficiency and productivity, but the devices bring unique threats to an organization.

The devices typically have an always-on Internet connection and the devices often lack the robust security controls that are applied to devices such as desktop computers. Malicious or risky apps can be downloaded to mobile devices by users without the knowledge or authorization of the IT department. App downloads could introduce malware and app permissions could allow unauthorized access to sensitive data.

Organizations therefore need to have total visibility into all mobile devices used by employees for work activities and they must ensure that mobile device security risks are effectively mitigated. If not, vulnerabilities could be exploited by threat actors to gain access to sensitive data and network resources.

The aim of the new guidance – (NIST) Special Publication 1800-21 – is to help organizations identify and address risks and improve mobile device security to reduce the likelihood of unauthorized device access and data loss and theft.

The guidance includes how-to guides and an example solution developed in a lab environment using commercially available mobile management tools which can be used by enterprises to secure their Apple iOS and Android devices and networks while minimizing the impact on operational processes.

The guidance was developed by NIST and technology partners Kryptowire, Lookout, Appthority, MobileIron, Palo Alto Networks, and Qualcomm and is available for downloaded from NCCoE on this link (PDF – 14.5MB). Comments are being accepted until September 23, 2019.

Further guidance on mobile device security for Bring Your Own Device (BYOD) is currently under development.

The post Mobile Device Security Guidance for Corporate-Owned Personally Enabled Devices Issued by NCCoE appeared first on HIPAA Journal.

NCCoE Issues Draft Guidelines for Securing the Picture Archiving and Communication System (PACS) Ecosystem

Posted by HIPAA Journal

The National Cybersecurity Center of Excellence (NCCoE) has issued draft NIST guidelines for securing the picture archiving and communications system (PACS) ecosystem.

The guidelines – NIST Cybersecurity Practice Guide, SP 1800-24 – have been written for health healthcare delivery organizations (HDOs) to help them secure their PACS and reduce the probability of a data breach and data loss, protect patient privacy, and ensure the integrity of medical images while minimizing disruption to hospital systems.

PACS is used by virtually all HDOs for storing, viewing, and sharing digital medical images. The systems make it easy for healthcare professionals to access and share medical images to speed up diagnosis.

The system can often be accessed via desktops, laptops, and mobile devices and a PACS may also link to electronic health records, other hospital systems, regulatory registries, and government, academic, and commercial archives.

With many users and devices and interactions with multiple systems, HDOs can face challenges securing their PACS ecosystem, especially without having a negative impact on user productivity and system performance.

Key challenges include controlling, monitoring, and auditing user accounts, identifying outliers in user behavior, enforcing the rule of least privilege, creating separation-of-duties policies for internal and external users, monitoring and securing internal and external connections to the system, and ensuring data integrity as images move across the enterprise.

The Healthcare PACS Project identifies the individuals who interact with the system, defines their interactions, performs a risk assessment, and identifies commercially available mitigating security technologies.

The guidance document explains the best approach and architecture to adopt, along with the characteristics of a secure PACS. Included are how-to-guides and an example implementation that uses commercially available technologies to implement stronger security controls to create a much more secure PACS ecosystem.

The guidance document was developed with assistance from several PACS system developers and cybersecurity companies, including Cisco, Digicert, Forescout, Philips, Hylans, Symantec, tripwire, Virta Labs, Zingbox, and Clearwater compliance.

NCCoE is seeking feedback from HDOs and healthcare industry stakeholders on the new guidance until November 18, 2019. The draft guidance can be downloaded from the NCCoE website on this link.

The post NCCoE Issues Draft Guidelines for Securing the Picture Archiving and Communication System (PACS) Ecosystem appeared first on HIPAA Journal.

Consumer Technology Association Publishes Privacy Guidelines for Handling Health and Wellness Data

Posted by HIPAA Journal

The Consumer Technology Association (CTA) has released data privacy guidelines to help companies better protect health and wellness data.

The guidelines have been developed to help CTA members address tangible privacy risks and securely collect, use, and share health and wellness data collected from health/wellness apps, wearable devices, and other digital tools.

The guidelines – Guiding Principles for the Privacy of Personal Health and Wellness Information – were developed by the CTA to help members address privacy gaps, discover consumer preferences, and earn consumer trust.

“[The] privacy guidelines, developed with consensus among industry stakeholders, will help give both individuals and companies the confidence to invest in innovative technologies which will improve health,” explained CTA president and CEO, Gary Shapiro. “The CTA Privacy Principles demonstrate that health tech companies understand they must be trusted stewards of patient data.”

Consumers now have access to a plethora of apps, devices, and digital tools that let them keep track of their health metrics, improve wellness, and manage their health and medical conditions. These tools help to engage consumers in their own health and wellness, make informed decisions to improve their health, and even access and share their medical information with others. Consumers benefit from these tools through improvements to their health and healthcare companies can use the aggregated data collected by these tools for research. That can lead to faster diagnoses and treatment for health conditions.

However, recent data breaches have raised concerns among consumers about how their information is collected, stored, and shared, and privacy scandals have made consumers much more aware about secondary uses of their data. These incidents have undermined trust in wearable devices and health apps, which is something that the CTA hopes to address with the guidance.

Initially the aim was to address privacy concerns around wearable devices, but the focus has since been expanded to cover apps and other digital tools. The CTA has been working with CTA members such as IBM, Humetrix, Humana, Validic, and Doctors on Demand to develop the guidelines, which cover the collection, storage, use, and sharing of health and wellness data.

The guidelines serve as a voluntary framework to improve privacy protections and security for health data and are intended to establish a baseline for privacy and security.

The guidelines are based on five key principles:

  • Being open and transparent about how health and wellness information is collected and used
  • Being careful how personal health information is used
  • Giving consumers control over the uses and sharing of their health information
  • Implementing strong security to protect health data
  • Being accountable for practices and promises

The guidelines incorporate some flexibility to ensure they can be adopted by companies of all types and sizes. While they are primarily intended for CTA members, they can also be adopted by non-HIPAA covered app developers, service providers, technology companies, and firms that are just entering the health and wellness sphere.

The guidelines are also available to consumers to let them learn more about CTA principles and make informed decisions about the companies they choose to interact with.

The privacy guidelines can be downloaded from the CTA Tech website on this link (PDF).

The post Consumer Technology Association Publishes Privacy Guidelines for Handling Health and Wellness Data appeared first on HIPAA Journal.

HSCC Publishes Guidance on Healthcare Information Sharing Organizations

Posted by HIPAA Journal

The Healthcare and Public Health Sector Coordinating Council (HSCC) has published guidance on cybersecurity information sharing organizations in the healthcare sector.

HSCC is a public-private partnership of more than 200 companies and organizations, including health IT companies, medical device manufacturers, laboratories, pharmaceutical companies, health plans, payers and government agencies. Its role is to provide collaborative solutions to help mitigate cybersecurity threats affecting the healthcare industry.

The Health Industry Cybersecurity Matrix of Information Sharing Organizations (HIC-MISO) is the fourth cybersecurity resource published by HSCC as mandated by the Health Care Industry Cybersecurity Task Force, which requires HSCC to help improve information sharing of industry threats, risks, and mitigations. Other resources previously published by HSCC cover healthcare industry cybersecurity best practices, developing a medical device joint security plan, and the development of a health industry cybersecurity workforce.

“Many health organizations are beginning to understand the importance of cybersecurity information sharing but don’t know where to start,” said Errol Weiss, Chief Security Officer of the Health Information Sharing and Analysis Center (H-ISAC) and co-chair of the HSCC task group responsible for the HIC-MISO toolkit. “With cyber-attacks against health organizations increasing in number and severity, one of the most important things an enterprise can do is build awareness and preparedness through community engagement.”

The aim of the HIC-MISO is to help healthcare organizations understand the importance of cybersecurity information sharing and to provide the resources they need to start participating in threat sharing. The HIC-MISO is a list of the most commonly used information sharing organizations (ISOs) in the healthcare industry along with details of the services they provide.

To keep the HIC-MISO simple and manageable, it is limited to the most widely used ISOs serving the healthcare industry at a national rather than regional level. The HIC-MISO includes information on ISOs such as HITRUST, H-ISAC, HPH-SCC, and MED-ISAO, along with the mission/function of each, the services provided, and any potential costs of participation. It is aimed at healthcare organizations that do not have the resources to participate in more than one or two threat sharing groups.

HSCC advises healthcare organizations that are not currently participating in threat sharing to start small and to initially only share the most important information. As the program matures and organizations become more comfortable with threat sharing, more information can be shared, and the program can be expanded. The most important step is to get started.

The HIC-MISO is supplemented with a guide that will allow organizations establish an information management structure that is appropriate to the size of the enterprise, the resources available, and its risk profile.

The post HSCC Publishes Guidance on Healthcare Information Sharing Organizations appeared first on HIPAA Journal.

OCR Settles First HIPAA Violation Case Under 2019 Right of Access Initiative

Posted by HIPAA Journal

Earlier this year, the Department of Health and Human Services’ Office for Civil Rights (OCR) announced that one of the main areas of HIPAA enforcement in 2019 would be HIPAA right of access failures, including untimely responses to access requests and overcharging for copies of medical records.

The HIPAA right of access allows patients to obtain copies of their medical records on request. HIPAA-covered entities are required to honor those requests and provide patients with access to PHI or copies of health data contained in a ‘designated record set’ within 30 days of the request being received. A covered entity is permitted to charge a reasonable, cost-based fee for providing a copy of the individual’s PHI, which can include the cost of certain labor, supplies and postage.

HIPAA-covered entities that fail to provide copies of records in a reasonable time frame or charge excessive amounts for providing a copy of a patient’s PHI are in violation of the HIPAA Privacy Rule – See 45 CFR 164.501. Such violations can attract a sizable financial penalty.

This week, OCR has announced that the first settlement has been reached with a HIPAA-covered entity under the right of access initiative. Bayfront Health St. Petersburg, a 480-bed hospital in St. Petersburg, FL, has agreed to pay OCR $85,000 to settle the case.

OCR launched an investigation into a potential HIPAA violation at Bayfront Health following receipt of a complaint from a patient on August 14, 2018. The patient alleged that she had requested her fetal heart monitor records from Bayfront Health St. Petersburg in October 2017. At the time of the complaint, 9 months after the request was made, she had still not been provided with a full copy of her records.

OCR confirmed that the patient made the request on October 18, 2017 and was informed by Bayfront Health that the records could not be found. Two further requests were sent to Bayfront Health by the patient’s counsel on January 2, 2018 and February 12, 2018. In March 2018, Bayfront Health provided an incomplete set of records and a complete response was only received on August 23, 2018. The patient’s counsel shared the records with the patient, but it took the intervention of OCR for the fetal heart monitor records to be provided to the patient. Those records were provided directly to the patient on February 7, 2019.

OCR determined that the failure to provide access to the patient’s designated record set was a clear violation of 45 C.F.R. § 164.524 and that the HIPAA violation warranted a sizable financial penalty.

“Providing patients with their health information not only lowers costs and leads to better health outcomes, it’s the law,” said OCR Director Roger Severino.  “We aim to hold the health care industry accountable for ignoring peoples’ rights to access their medical records and those of their kids.”

In addition to the financial penalty, Bayfront Health has agreed to implement a corrective action plan and will be monitored by OCR for the following 12 months.

The post OCR Settles First HIPAA Violation Case Under 2019 Right of Access Initiative appeared first on HIPAA Journal.