Latest HIPAA News

HHS Proposes Rule Easing Restrictions on Substance Use Disorder Treatment Records

The Substance Abuse and Mental Health Services Administration (SAMHSA) has proposed a new rule that loosens restrictions on substance use disorder (SUD) treatment records, aligning Part 2 regulations more closely with HIPAA.

The new rule, proposed on August 22, is the first element of the HHS’s Regulatory Sprint to Coordinated Care initiative, which will also see changes made to HIPAA, the Anti-Kickback Statute, and Stark Law.

SUD treatment records are covered by Confidentiality of Substance Use Disorder Patient Records regulations – 42 CFR Part 2 (Part 2). Part 2 pre-dates HIPAA by two decades and was introduced at a time when there were no broader privacy and security standards for health data. Part 2 regulations were required to protect the privacy of patients by severely restricting the allowable uses and disclosures of SUD treatment records. When Part 2 was introduced, there was a stigma associated with SUD and without privacy protections, many individuals suffering from the disorder may have avoided seeking treatment.

Since 1975, further privacy and security laws have been introduced. The HIPAA Security Rule requires all HIPAA-covered entities to implement safeguards to ensure the confidentiality, integrity, and availability of electronic protected health information (ePHI), and the HIPAA Privacy Rule restricts uses and disclosures of that information. However, Part 2 requires protections for SUD records beyond those HIPAA requires for PHI and ePHI.

It is important to protect the privacy of patients and ensure that SUD information is safeguarded against unauthorized access as the information could be misused, but it is also essential for SUD treatment information to be made available to healthcare providers to better support care coordination.

The proposed rule does not change the privacy framework of Part 2, it just eases restrictions on SUD treatment records and removes some of the complexity of Part 2 regulations. While there is closer alignment with HIPAA, the proposed changes fall short of full harmonization with HIPAA Rules.

One of the most important changes concerns the separation of SUD treatment records from an individual’s medical record. The proposed rule would allow a healthcare provider to record SUD information in that individual’s medical record, provided the SUD information was willingly given by the patient. SUD treatment records created by federally assisted SUD treatment programs would still need to be segregated.

The language of Part 2 has been changed to clarify that, with written consent, SUD records can be shared for payment and healthcare operations. Another clarification has been made on procedures during emergency situations, when additional protections for SUD records are suspended.

Under the proposed rule, providers who do not provide opioid treatments would be permitted to access a central registry of patients who have enrolled in treatment programs. Enrollment in an opioid treatment program would involve consent to have treatment information shared with the central registry. This update is intended to help prevent accidental overdoses. Opioid treatment programs will be permitted to sign up with a state prescription drug monitoring program and report on the Schedule II to V drugs that have been dispensed or prescribed.

Changes have also been proposed that make it easier for patients to share their SUD records with non-medical entities such as the Social Security Administration. Currently, a patient would need to provide the name of a person within a non-medical entity who is authorized to receive their records. Under the proposed rule, a patient could give consent to share the records with the entity as a whole.

Business associates that have been provided with SUD records for research purposes will be permitted to disclose that information to entities not covered by HIPAA for similar purposes.

Part 2 requires providers to sanitize devices containing SUD treatment records. Under the proposed rule, the information would only need to be deleted as sanitization typically involves the destruction of the device.

A restriction has been removed that prevented the courts from disclosing substance use records as part of an investigation into a serious crime that was not believed to have been committed by the patient. The time that undercover agents can stay in a Part 2 program has also been extended from 6 months to one year.

Many healthcare associations and healthcare provider groups have called for Part 2 regulations to be aligned with HIPAA. Such a change would require approval on Capitol Hill. Recently, the National Association of Attorneys General (NAAG) called for leaders in the House and Senate to support changes to Part 2, and that support is required. As HHS Secretary Alex Azar explained in a press meeting on Thursday, the HHS can only propose changes. In order to align Part 2 with HIPAA, House and Senate approval is required. Secretary Azar has expressed support for such changes.

“We do believe the proposed changes are very common sense, responsive changes to concerns by both patients and providers,” said Azar. While important changes have been made, many will feel the HHS has not done enough. Azar accepts that the proposed rule will not satisfy all calls for Part 2 reform: “We believe we’re going as far as we can.”

The post HHS Proposes Rule Easing Restrictions on Substance Use Disorder Treatment Records appeared first on HIPAA Journal.

32% of Healthcare Employees Have Received No Cybersecurity Training

There have been at least 200 breaches of more than 500 records reported since January and 2019 looks set to be another record-breaking year for healthcare data breaches.

The continued increase in data breaches prompted Kaspersky Lab to conduct a survey to find out more about the state of cybersecurity in healthcare. Kaspersky Lab has now published the second part of its report from the survey of 1,758 healthcare professionals in the United States and Canada.

The study provides valuable insights into why so many cyberattacks are succeeding. Almost a third of surveyed healthcare employees (32%) said they have never received cybersecurity training in the workplace.

Security awareness training for employees is essential. Without training, employees are likely to be unaware of some of the cyber threats that they will encounter on a daily basis. Employees must be trained how to identify phishing emails and told of the correct response when a threat is discovered. The failure to provide training is a violation of HIPAA.

Even when training is provided, it is often insufficient. 11% of respondents said they received cybersecurity training when they started work but had not received any training since. 38% of employees said they were given cybersecurity training each year, and a fifth (19%) of healthcare employees said they had been provided with cybersecurity training but did not feel they had been trained enough.

32% of respondents said they had been provided with a copy of their organization’s cybersecurity policy but had only read it once, and 1 in 10 managers were not aware if their company had a cybersecurity policy. 40% of healthcare workers in the United States were unaware of the cybersecurity measures protecting IT devices at their organization.

Training on HIPAA also appears to be lacking. Kaspersky Lab found significant gaps in employees’ knowledge of regulatory requirements. For instance, 18% of respondents were unaware what the Security Rule meant and only 29% of respondents were able to identify the correct meaning of the HIPAA Security Rule.

Kaspersky Lab researchers recommend hiring a skilled IT team that understands the unique risks faced by healthcare organizations and has knowledge of the tools that are required to keep protected health information safe and secure.

It is also essential to address data security and regulatory knowledge gaps. IT security leaders must ensure that every member of the workforce receives regular cybersecurity training and is fully aware of the requirements of HIPAA.

It is also important to conduct regular assessments of security defenses and compliance. Companies that regularly check their cyber pulse can identify and address vulnerabilities before they are exploited by hackers and cause a costly data breach.

The post 32% of Healthcare Employees Have Received No Cybersecurity Training appeared first on HIPAA Journal.

Study Reveals Widespread Noncompliance with HIPAA Right of Access

A recent study conducted by the health manuscript archiving company medRxiv has revealed widespread noncompliance with the HIPAA right of access.

For the study, the researchers sent medical record requests to 51 healthcare providers and assessed the experience of obtaining those records. The companies were also assessed on their response versus the requirements of HIPAA.

In each case, the record request was a legitimate request for access to patient data. The requests were made to populate a new consumer platform that helps patients obtain their medical records. Record requests were sent for 30 patients at a rate of 2.3 medical requests per patient.

Each of the providers was scored based on their response to the request and whether they satisfied four requirements of HIPAA: accepting a request by email/fax, sending the records in the format requested by the patient, providing records within 30 days, and only charging a reasonable fee.

Providers were given a 1-star rating for simply accepting a patient record request. Providers received a second star for satisfying the request and meeting all four requirements of HIPAA, but only after the researchers had escalated the request to a supervisor on more than one occasion.

A three-star rating was given to providers that required a single escalation phone call to a supervisor. A four-star rating was given to providers that were fully compliant with the HIPAA right of access. A five-star rating was given to providers that went above and beyond the requirements of HIPAA by sending copies of records within 5 days, accepting non-standard forms, and providing patients with copies of their records at no cost.

More than half (51%) of the providers assessed were either not fully compliant with the HIPAA right of access or it took several attempts and referrals to supervisors before requests were satisfied in a fully compliant manner. 27% of providers were given a one-star rating, 24% received a 2-star rating, and 20% received a 3-star rating. Only 30% of providers were fully compliant: 12% were given a 4-star rating and 18% received 5 stars.

The researchers also conducted a telephone survey of 3,003 healthcare providers and asked about policies and procedures for releasing patient medical records. The researchers suggest as many as 56% of healthcare providers may not be fully compliant with the HIPAA right of access. 24% did not appear to be fully aware of the fee limitations for providing copies of medical records.

The main area of noncompliance was the failure to send medical records electronically, even if it was specifically requested by the patient. 12 of the 14 providers who received a 1-star rating did not email medical records, one refused to send the records to the patient’s nominated representative, and one charged an unreasonable fee.

The researchers note that had they not escalated the requests to supervisors, 71% of all requests would not have been satisfied in a way that was fully compliant with HIPAA.

The post Study Reveals Widespread Noncompliance with HIPAA Right of Access appeared first on HIPAA Journal.

Hackers Demand $1 Million Ransom from Washington Hospital

A ransomware attack on an Aberdeen, WA hospital and associated clinics is still causing problems two months after the attack occurred. The attackers have demanded $1 million for the keys to unlock the encryption.

On June 15, 2019, Grays Harbor Community Hospital started experiencing IT problems. The attack occurred on a Saturday when staffing was limited so initially the problem was attributed to an IT issue. On Monday it became apparent that ransomware was involved and steps were taken to isolate the infection and secure the network; however, the attackers had already moved laterally and had gained access to servers and the systems used by Harbor Medical Group clinics. The initial point of attack appears to have been a response to a phishing email by a single employee.

Harbor Medical Group operates 8 clinics in the Aberdeen and Hoquiam region, and those clinics were the worst affected by the attack. Grays Harbor Community Hospital used older software, which prevented the ransomware from being installed on the hospital’s main computer system. The clinics used more recent software, which allowed the attackers to infect more systems. Those systems are still down at the clinics, which are using pen and paper to record patient information.

A spokesperson for the hospital said patient care has not been affected. The hospital is continuing to provide emergency care to patients and appointments are going ahead as scheduled. There have been some delays to appointments and there are still issues accessing patient information. Patients have been told to bring details of their prescriptions and their medical histories and to make that information available at point of care.

The hospital had created backups but it was not possible to recover files as the backups had also been encrypted. As of August 13, 2019, the hospital still had not regained access to its files. The attack has been reported to the FBI and the hospital is assisting with its investigation.

The hospital had previously taken out a cybersecurity insurance policy for $1 million, which may cover the ransom payment. It is unclear whether the ransom has been paid.

No evidence of data access or theft was found, but the possibility could not be discounted. Affected patients had the following information exposed: Full name, address, phone number, date of birth, Social Security number, insurance information, diagnoses, and treatment information.

The hospital has started notifying the 85,000 patients affected by the breach and each has been offered complimentary credit monitoring services. Security measures are being assessed at the hospital and medical group and additional hardware and software solutions will be implemented as appropriate to improve security. Employees will also be provided with additional training.

The post Hackers Demand $1 Million Ransom from Washington Hospital appeared first on HIPAA Journal.

State Attorneys General Urge Congress to Align Part 2 Regulations with HIPAA

The National Association of Attorneys General (NAAG) has urged leaders of the House and Senate to make changes to Confidentiality of Substance Use Disorder Patient Records regulations known as 42 CFR Part 2.

The regulations in question, which NAAG called “cumbersome [and] out-of-date,” restrict the uses and disclosures of substance abuse treatment records.

Under HIPAA, protected health information (PHI) can be shared between providers and caregivers for purposes related to treatment, payment, and healthcare operations without first obtaining consent from the patient. 42 CFR Part 2 prohibits the sharing of addiction treatment information by federally assisted treatment programs unless consent to do so has been obtained from the patient.

The Part 2 regulations were created more than 40 years ago to ensure the privacy of patients was protected and to ensure that patients would not face any legal or civil consequences from seeking treatment for substance abuse disorder.

NAAG argues that the regulations were created at a time when there was an “intense stigma” surrounding substance abuse disorder but says that the continued separation of substance abuse disorder from other diseases perpetuates that stigma. “The principle underlying these rules is that substance use disorder treatment is shameful and records of it should be withheld from other treatment providers in ways that we do not withhold records of treatment of other chronic diseases,” wrote NAAG.

NAAG wants substance abuse disorder to be recognized as the chronic disorder that it is, which would mean aligning the rules covering substance abuse treatment records with those of HIPAA. That would allow substance abuse treatment information to be shared along with other health information, provided protections are in place to keep that information private and confidential.

As it stands, Part 2 regulations are a barrier to treating opioid use disorder. Providers are used to complying with HIPAA, but the requirements of Part 2 can be intimidating. As such, many providers do not offer medication-assisted treatment (MAT) for substance abuse disorder.

MAT providers are not required to comply with Part 2 requirements if they do not advertise their MAT services, but that means fewer people will take up those services. To effectively tackle the opioid epidemic in the United States, MAT services need to be promoted and should be easily accessible. Currently, many providers are keeping it a secret that they provide MAT programs to patients due to the restrictions of Part 2 regulations.

42 CFR Part 2 privacy regulations were updated in 2018, although the changes made were relatively minor. NAAG is not the only organization calling for more substantial changes and closer alignment between Part 2 and HIPAA regulations. A growing coalition of more than 40 national health care organizations support the changes and there is some support in the House and the Senate.

Reps. Markwayne Mullin (R-OK) and Earl Blumenauer (D-OR) introduced the Overdose Prevention and Patient Safety Act (OPPS Act) (H.R. 2062), and Sens. Joe Manchin (D-WV) and Shelley Moore Capito (R-WV) introduced the Protecting Jessica Grubb’s Legacy Act (Legacy Act) (S. 1012), both of which align Part 2 with HIPAA. However, getting enough people to back the changes is likely to be a major challenge.

The post State Attorneys General Urge Congress to Align Part 2 Regulations with HIPAA appeared first on HIPAA Journal.

GAO Discovers Widespread Cybersecurity Risk Management Failures at Federal Agencies

The Government Accountability Office (GAO) conducted a study of 23 federal agencies and found widespread cybersecurity risk management failures.

Federal agencies are targeted by cybercriminals, so it is essential for safeguards to be implemented to protect against those threats. Federal law requires government agencies to adopt a risk-based approach to cybersecurity to identify, prioritize, and manage cybersecurity risks.

The GAO was asked to conduct its review to determine whether federal agencies had established the key elements of a cybersecurity risk management program, what challenges were faced when developing those programs, and what steps had been taken by the Department of Homeland Security (DHS) and the Office of Management and Budget (OMB) to address their responsibilities with respect to addressing cybersecurity challenges faced by federal agencies.

The study revealed that all but one of the 23 federal agencies (22) had appointed a cybersecurity risk executive, but other important elements of the risk management program had not been incorporated at many of the agencies assessed for the study.

There were deficiencies in the development of a cybersecurity risk management plan. 16 agencies had not fully established a cybersecurity risk management strategy that delineated the boundaries for risk-based decisions. 17 agencies had not fully established an agency-wide and system-level plan for assessing, monitoring, and responding to cybersecurity risks. A process for assessing agency-wide cybersecurity risks based on an aggregation of system-level risks had not been established at 11 agencies. 13 agencies had not established a process for coordinating between cybersecurity and enterprise risk management (ERM) programs for managing all major risks.

Until policies and procedures are changed and the security failures are addressed, federal agencies will face an elevated risk of experiencing cyberattacks that threaten the national security of the United States and personal privacy.

GAO made 58 recommendations that all agencies should incorporate into their risk management processes, including specific recommendations for certain agencies.

Federal agencies have faced several challenges assessing and managing cybersecurity risks. The main challenge was hiring and retaining key cybersecurity management personnel, which was cited as a problem by all 23 agencies.

Managing competing priorities between operations and cybersecurity, establishing and implementing consistent policies and procedures, establishing and implementing standardized technology capabilities, and receiving quality risk data were also common problems.

GAO has recommended that the DHS and OMB develop methods for sharing best practices and successful methods for addressing some of the common challenges faced when implementing consistent cybersecurity risk management practices to ensure those challenges can be overcome quickly and security posture at all of the federal agencies is rapidly improved.

The post GAO Discovers Widespread Cybersecurity Risk Management Failures at Federal Agencies appeared first on HIPAA Journal.

Judge Approves $74 Million Premera Blue Cross Data Breach Settlement

A Federal District Judge has given preliminary approval to a proposed $74 million settlement to resolve a consolidated class action lawsuit against Premera Blue Cross for its 2014 data breach of more than 10.6 million records.

US District Judge Michael Simon determined that the proposed settlement was fair, reasonable and adequate based on the defense’s case against Premera and the likely cost of continued litigation.

The settlement will see $32 million made available to victims of the breach to cover claims for damages of which $10 million will reimburse victims for costs incurred as a result of the breach. The remaining $42 million will be used to improve Premera’s security posture over the next three years.

Data security improvements are necessary. Internal and third-party audits of Premera before and after the data breach uncovered multiple vulnerabilities. Premera had been warned about the vulnerabilities prior to the breach and failed to take action. That lack of action allowed hackers to gain access to its network. Further, it took almost a year for Premera to determine that its systems had been compromised.

“Improved data security benefits all class members, even if they are no longer insured by Premera or a related Blue Cross entity, because sensitive information remains stored on Premera’s servers,” wrote Judge Simon.

Considering the data breach affected 10.6 million individuals, a fund of $10 million to reimburse costs may not seem that much. However, Judge Simon determined the figure to be fair because relatively few of the plaintiffs had suffered identity theft as a result of the data breach and the settlement includes $3.5 million to cover the cost of additional credit monitoring services.

The case against Premera was complex and involved a considerable amount of technical information about the data security protections that were put in place. The evidence also spanned several years. “Whether Premera breached its contractual promises, was negligent, or engaged in unfair practices under Washington’s Consumer Protection Act with respect to Premera’s provision of data security are relatively strong claims,” wrote Judge Simon.

The settlement resolves the lawsuit with no admission of liability. In addition to the $74 million, Premera also settled a multi-state lawsuit with 30 states for $10 million over the failure to address known data security risks.

The Premera data breach was also investigated by the HHS’ Office for Civil Rights. It remains to be seen whether a financial penalty will be deemed appropriate.

The post Judge Approves $74 Million Premera Blue Cross Data Breach Settlement appeared first on HIPAA Journal.

First Half of 2019 Sees 31.6 Million Healthcare Records Breached

It has been a particularly bad six months for the healthcare industry. Data breaches have been reported in record numbers and the number of healthcare records exposed on a daily basis is extremely concerning. The trend of more than one healthcare data breach a day has continued throughout 2019, even reaching a rate of 2 per day in May.

According to the 2019 Mid-Year Data Breach Barometer Report from Protenus and Databreaches.net, 31,611,235 healthcare records were breached between January 2019 and June 2019. To put that figure into perspective, it is double the number of records exposed in healthcare data breaches in the entirety of 2018 (14,217,811 records).

One breach stands out from the 285 incidents reported in the first half of the year: The data breach at American Medical Collection Agency (AMCA). A batch of stolen credentials on a dark net marketplace was traced back to AMCA, which discovered its payment web page had been compromised for months. It is not yet known exactly how many healthcare records were exposed in the incident, but 18 clients are known to have been affected and more than 20 million records have been confirmed as having been breached.

The report shows the first 6 months was dominated by hacking incidents, which accounted for 60% of all incidents and 88% of breached records. 168 data breaches were due to hacking, 88 involved phishing, 27 involved ransomware or malware, and one involved another form of extortion.

20.91% of all breaches – 60 incidents – were insider breaches. 3,457,621 records were exposed in those breaches, or 11% of all breached records. 35% of incidents were classified as being caused by insider error and 22% were due to insider wrongdoing. 24 theft incidents were reported involving at least 184,932 records, and the cause of 32 incidents (142,009 records) is unknown.

Healthcare providers reported 72% of breaches, 11% were reported by health plans, and 9% were reported by business associates. 8% of breaches could not be classified. While the above distribution of breaches is not atypical, 2019 has been a particularly bad year for business associates.

In three of the first six months of 2019 a business associate reported the largest breach of the month. The largest breach of the year was at a business associate. That breach is already the second largest healthcare data breach of all time. Hacking was the biggest problem area for business associates. 45% of business associate data breaches were due to hacking and other IT incidents.

One business associate, Dominion National, took 8.5 years to discover its systems had been breached. By the time the breach was discovered, the records of 2,964,778 individuals had been compromised. Overall the average time to discover a breach was 50 days. The average time to report a breach to the HHS was 77 days and the median reporting time was 60 days.

“In order for healthcare organizations to reduce risk across their organization and to truly combat the challenges associated with health data security, it is critical for healthcare privacy offices to utilize healthcare compliance analytics that will allow them to audit every access to their patient data,” wrote Protenus. “Full visibility into how their data is being accessed will help healthcare organizations prevent data breaches from wreaking havoc on their organization and the patients who trust them with their personal information.”

The post First Half of 2019 Sees 31.6 Million Healthcare Records Breached appeared first on HIPAA Journal.

DHS Issues Best Practices to Safeguard Against Ransomware Attacks

Ransomware appeared to have gone out of fashion in 2018, but that is certainly not the case in 2019. Q1, 2019 saw a 195% increase in ransomware attacks and a further 184% increase in Q2. Judging by the number of ransomware attacks reported in the past few weeks, the Q3 figures are likely to be even worse.

States, cities, and local governments have been extensively targeted as has the healthcare industry. Many victims have been forced to pay sizable ransoms to regain access to critical data. Others have been forced to permanently close their doors.

In response to the growing number of attacks, the U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA), Multi-State Information Sharing & Analysis Center (MS-ISAC), National Governors Association (NGA), and the National Association of State Chief Information Officers (NASCIO) have issued a joint statement in which recommendations are given to help improve resilience to ransomware attacks.

The statement was issued primarily to state, local, territorial and tribal governments, although the recommendations are equally relevant to the healthcare industry and businesses in other industry sectors.

Taking the three steps detailed in the statement (and outlined below) will improve defenses against ransomware and will help to ensure that in the event of an attack, recovery can be made in the shortest possible time frame.

Ransomware Recommendations

  • Backup systems now (and daily)
  • Reinforce cybersecurity awareness training
  • Revise and refine cyber incident response plans

Without valid data backups, ransomware victims will be at the mercy of their attackers. As has already been seen on several occasions this year, payment of the ransom does not guarantee file recovery. Even when keys are supplied to unlock encrypted data, some data loss can be expected.

It is therefore essential to ensure that all critical data, agency and system information is backed up daily, with the backups stored on a separate, non-networked, offline device. Backups and the restoration process must be tested to ensure file recovery is possible. The joint statement instructs all partners to back up systems immediately and daily.
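The joint statement's point that backups must be restore-tested, and the Grays Harbor case above where backups reachable from the network were encrypted along with the live data, can be made concrete with a small restore-verification routine. The following is an added example written for this page; it is not code from the HIPAA Journal post, from CISA/MS-ISAC, or from any hospital. It assumes backups are plain directory copies with a SHA-256 manifest written at backup time (manifest.json is a name chosen here), and all sample records are constructed in a temporary directory.

```python
"""Backup manifest + restore test (added example, not from the original post).

At backup time a manifest of SHA-256 digests is written; a restore test then
copies the backup into a scratch directory and checks every file against that
manifest, so silently overwritten (e.g. encrypted) or missing files are caught
before the backup is relied on. Assumptions: directory-copy backups, JSON
manifest named manifest.json, POSIX-style relative paths.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large record exports are not read into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each regular file under root (relative path) to its SHA-256 digest."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def make_backup(src: Path, dest: Path) -> Path:
    """Copy src into dest/data and record a manifest of what was copied."""
    shutil.copytree(src, dest / "data")
    (dest / "manifest.json").write_text(json.dumps(build_manifest(src), indent=2))
    return dest


def verify_restore(backup: Path) -> dict:
    """Restore into a scratch directory and compare the result with the manifest.

    Returns a report: ok is True only if every manifest entry restored with an
    identical digest and nothing extra appeared.
    """
    manifest = json.loads((backup / "manifest.json").read_text())
    with tempfile.TemporaryDirectory() as scratch:
        restored = Path(scratch) / "restore"
        shutil.copytree(backup / "data", restored)  # the actual restore step
        actual = build_manifest(restored)
    missing = sorted(set(manifest) - set(actual))
    unexpected = sorted(set(actual) - set(manifest))
    corrupted = sorted(k for k in manifest if k in actual and actual[k] != manifest[k])
    return {"ok": not (missing or unexpected or corrupted),
            "missing": missing, "corrupted": corrupted, "unexpected": unexpected}


def demo() -> tuple:
    """Constructed scenario: a clean backup passes; a backup whose stored copy was
    altered after the manifest was written (as happens when a reachable backup
    share is encrypted) fails the restore test."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src = root / "records"
        (src / "clinic").mkdir(parents=True)
        (src / "clinic" / "visit-001.txt").write_text("constructed sample record\n")
        (src / "schedule.csv").write_text("date,patient\n2019-06-14,sample\n")

        clean = verify_restore(make_backup(src, root / "backup-good"))

        bad = make_backup(src, root / "backup-bad")
        # Simulate damage to the stored copy: one file overwritten, one removed
        (bad / "data" / "schedule.csv").write_bytes(b"\x00not-the-original")
        (bad / "data" / "clinic" / "visit-001.txt").unlink()
        tampered = verify_restore(bad)
    return clean, tampered


if __name__ == "__main__":
    for label, report in zip(("clean", "tampered"), demo()):
        print(label, report)
```

The manifest is only as trustworthy as its storage: if it sits on the same network share as the backup, whatever overwrites the backup can rewrite the manifest too, so keep a copy of the manifest (or its own digest) on the offline device the statement recommends, and run the restore test from that copy.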

Ransomware is most commonly installed inadvertently by employees as a result of responding to a phishing email or visiting a malicious website. It is therefore important to ensure that the workforce is made aware of the threat and is taught how to recognize suspicious emails, links, and other threats.

Even if training has already been given to staff, refresher training sessions are recommended. The staff should also be made aware of the actions to take if a potential threat is received or if an attack is believed to be in progress, including being advised of out-of-band communication paths.

It may not be possible to prevent all attacks, so it is essential for a ransomware response plan to be developed that can be immediately implemented in the event of an attack. The response plan should include plans that can be implemented if internal capabilities become overwhelmed and instructions and contact information for external cyber first responders, state agencies, and other parties that may be required to assist in the wake of an attack.

The guidance document can be viewed/downloaded on this link (PDF).

The post DHS Issues Best Practices to Safeguard Against Ransomware Attacks appeared first on HIPAA Journal.