Latest HIPAA News

NIST Releases Draft Mobile Device Security Guidance for Corporately-Owned Personally-Enabled Devices

Posted by HIPAA Journal

The National Institute of Standards and Technology’s (NIST) National Cybersecurity Center of Excellence (NCCoE) has issued draft mobile device security guidance to help organizations improve the security of corporately-owned personally-enabled (COPE) mobile devices and reduce the risk the devices pose to network security.

Mobile devices are now essential in modern business. They provide easy access to resources and data and allow employees to work more efficiently. Mobile devices are increasingly being used to perform everyday enterprise tasks, which means they are used to access, view, and transmit sensitive data.

The devices introduce new threats to the enterprise that do not exist for traditional IT devices such as desktop computers and mobile devices are subject to different types of attacks. A different approach is therefore required to ensure mobile devices are secured and risks are effectively managed.

Mobile devices are typically always on and always connected to the Internet and they are often used to access corporate networks remotely via untrusted networks. Malicious apps can be installed on devices that may be granted access to data. The devices are also small and portable, which increases the risk of loss or theft.

The new guidance – SP 1800-21 – explains the unique risks introduced by mobile devices and how those risks can be reduced to a low and acceptable through the use of privacy protections. By adopting a standards-based approach to mobile device security, and through the use of commercially available technology, organizations can address the privacy and security risks associated with mobile devices and greatly improve their security posture.

NCCoE created a reference architecture to illustrate how a variety of mobile security technologies can be integrated into an enterprise network along with recommended protections to implement to reduce the risk of the installation of malicious applications and personal and business data loss. The guidance also explains how to mitigate breaches when devices are compromised, lost, or stolen.

The guidance contains a series of How-to-Guides that contain step by step instructions for setup and configuration to allow security staff to quickly implement and test the new architecture in their own test environments.

NIST also included advice on reducing the cost of issuing COPE mobile devices through enterprise visibility models and suggests ways that system administrators can increase visibility into security incidents and set up automated alerts and notifications in the event that a device is compromised.

NIST is seeking comments on the new draft guidance until September 23, 2019.

The draft mobile device security guidance for COPE devices can be downloaded from NIST on this link.

The post NIST Releases Draft Mobile Device Security Guidance for Corporately-Owned Personally-Enabled Devices appeared first on HIPAA Journal.

How to Choose the Right Healthcare Cloud Provider

Posted by HIPAA Journal

Healthcare organizations are more frequently turning to a HIPAA compliant cloud vendor or Managed Service Provider to ensure electronic patient records are secured within a robustly secure and compliant IT infrastructure. Extensive data privacy legislation was enacted in 1996 with the Health Insurance Portability and Accountability Act (HIPAA). This legally binding compliance initiative is designed to ultimately protect the patient, but this kind of legislation can often make choosing the right cloud vendor a seemingly impossible task.

Cloud Security

Certifications and Security Standards – Secure cloud vendors with HIPAA compliant hosting are one of the most important factors for healthcare organizations when making the decision to join the cloud revolution. HIPAA compliance ensures healthcare professionals that the cloud vendor provides enhanced technical solutions in-line with the administrative, physical and technical safeguards demanded by federal legislation.

These safeguards command the cloud vendor to comply with numerous regulations including:

  • Data Security – there are strict guidelines on how data is stored, transferred and removed, ensuring that data is always encrypted and always protected
  • System Security – client servers and segregated networking systems must be protected to HIPAA best practice agreements to ensure that they are only accessible by approved users
  • Structural Security – cloud data centers must be built from the ground up with stringent security protocols in place to protect the physical building and the electronic systems containing patient data
  • Maintenance – the vendor must ensure the infrastructure is always up-to-date and properly maintained, including antivirus and operating system patching

Other critical certifications to look out for include HITECH compliance and SSAE18 (SOC1 and SOC2). These standards ensure that the internal audit controls, security policies, data processing, and client confidentiality adheres to the highest standards available for a cloud vendor.

Data Governance and Compliance – There are several other critical governance and compliance processes which your shortlisted cloud vendors should adhere to:

  • Auditable – is the cloud vendor’s infrastructure auditable? Can the vendor provide an auditors risk assessment report? These audits validate the cloud vendor’s compliance and offer the client greater insight into the vendor’s capabilities
  • Business Continuity – Can the cloud vendor offer secure offsite backups and data protection technology (such as disaster recovery failover) for the hosted IT infrastructure
  • Business Associate Agreement – Healthcare compliance demands the cloud vendor must sign a Business Associate Agreement which clearly defines the rules and responsibilities of each party entering the agreement
  • Data location – It is important to know where all your data is located. Most healthcare data must stay within the United States. You need to understand the cloud provider’s data services locations. This is essential for backups and DR

Accountability and Compliance

When entering a BAA with a cloud vendor, the vendor is essentially guaranteeing you a level of service and compliance for your organization. The roles and responsibilities of the cloud vendor should be clearly defined, as well as your responsibilities as a client. The aim is to create a status quo of an agreement which is mutually beneficial to all involved.

Other areas of accountability to consider are:

  • Service Level Agreements – This is a service agreement the vendor must adhere to or risk an (often financial) penalty. Things such as Service Uptime, agreed RPO (Recovery Point Objective) and RTO (Recovery Time Objective)
  • Managed Service – The cloud vendor will need to provide a level of service management agreed in the BAA. This usually includes providing and upgrading the technology solution, keeping and maintaining procedures and processes of your technical solution. It may also include offering technical support, monitoring, and pre/post-sales support.

Technology and Services

It is important to develop an understanding of what the cloud vendor can do for your healthcare business. Does the cloud vendor offer you the services and technology that your organization can utilize? 

Healthcare is a very specific business market, it is worthwhile choosing a knowledgeable vendor with vast experience providing similar services to other healthcare professionals, using tried and tested methods of proven solutions, they must also have the ability to be forward-thinking and constantly evolving within the Healthcare marketplace, offering digital transformation services to enhance your business.

This can be done by assessing the technology and services on offer from the provider, most healthcare organizations opt for Infrastructure as a Service (IAAS) or Platform As A Service (PAAS). But, your cloud vendor can offer more services such as:

  • Managed backup service –  Compliance safeguards require a backup solution with guaranteed data protection. It is often best to leverage an existing HIPAA compliant backup service that may be offered by your cloud vendor
  • Managed Disaster Recovery solution – the ability to evoke DR services to fail over production infrastructure to a geographically disparate location are a fundamental part of healthcare compliance. Some cloud vendors can manage this in its entirety for you, failover sequence, boot sequence and testing, as well as implementing regular DR tests
  • 24x7x365 Operational Support – To ensure the manageability of your new cloud infrastructure you may at times need support directly from your cloud vendor. Having around-the-clock support can be highly advantageous
  • Managed network services – Firewalls and associated technology can be difficult to manage for many organizations. If your cloud provider offers HIPAA compliant network infrastructure you can be ensured that you will receive a durable and reliable computer network 
  • Migration Services to the cloud – Most healthcare organizations will already have a significant IT footprint, it’s important to ask what your cloud vendor can do to fast-track the migration to the cloud and also what their exit strategy is should you happen to change vendor in the future
  • Data Monitoring – Data and trend monitoring not only protects against data misuse but also offers enhanced security and system protection to healthcare clients
  • Intrusion Detection – This can be a physical or technical safeguard to protect the underlying computer hardware which provides your cloud service. If your cloud vendor offers this capability, then you can be assured your digital assets are protected to a high standard
  • Multi-factor authentication (MFA) – cloud vendors are extremely flexible with how clients access data, however, protecting this data is also important. MFA provides multiple levels of protection to sensitive data, typically by phone authorization, pin code or even fingerprint and biometric scanning
  • Encryption – Data must be encrypted at rest and in transit to AES 256bit standard

Everything Else

We have highlighted what we believe are the key elements to consider when choosing a cloud vendor. There are also many other factors which play a role in who you decide to utilize for cloud hosting.

  • Reliability – Consider the uptime guarantees of the vendor, consider the hardware and software partnerships they have in place as well as maintenance contracts
  • Performance – The cloud offering must also perform well despite all the security safeguards put in place

Scalability – Can the cloud provider grow with your business if your organization’s growth should exponentially propagate?

The post How to Choose the Right Healthcare Cloud Provider appeared first on HIPAA Journal.

2019 Cost of A Data Breach Study Reveals Increase in U.S. Healthcare Data Breach Costs

Posted by HIPAA Journal

The Ponemon Institute/IBM Security has published its 2019 Cost of a Data Breach Report – A comprehensive analysis of data breaches reported in 2018.

The report shows data breach costs have continue to rise and the costliest breaches are experienced by healthcare organizations, as has been the case for the past 9 years.

Average Data Breach Costs $3.92 Million

Over the past five years, the average cost of a data breach has increased by 12%. The global average cost of a data breach has increased to $3.92 million. The average breach size is 25,575 records and the cost per breached record is now $150; up from $148 last year.

Globally, the healthcare industry has the highest breach costs with an average mitigation cost of $6.45 million. Healthcare data breaches typically cost 65% more than data breaches experienced in other industry sectors.

Data breach costs are the highest in the United States, where the average cost of a data breach is $8.19 million – or $242 per record. The average cost of a healthcare data breach in the United States is $15 million.

Healthcare Data Breaches Cost $429 per Record

In healthcare, the average cost of a breach has increased to $429 per record from $408 last year – an increase of 5.15%. The financial sector has the second highest breach costs. Financial industry breaches cost an average of $210 per record – less than half the per record cost of a healthcare data breach.

Fortunately, mega data breaches are relatively rare but when they do occur the costs can soar. Mega data breaches are classed as breaches of more than 1 million records. IBM projected losses due to a data breach of $1 million records would be $42 million, whereas a breach of 50 million records would cost $388 million to resolve. The recent data breach at American Medical Collection Agency, which is known to have affected 18 healthcare providers and 25 million individuals, would fit halfway along that cost scale.

“Cybercrime represents big money for cybercriminals, and unfortunately that equates to significant losses for businesses,” said Wendi Whitmore, Global Lead for IBM X-Force Incident Response and Intelligence Services. “With organizations facing the loss or theft of over 11.7 billion records in the past 3 years alone, companies need to be aware of the full financial impact that a data breach can have on their bottom line –and focus on how they can reduce these costs.”

The survey was conducted by the Ponemon Institute on 507 companies that have experienced a data breach in the past year and involved 3,211 interviews with individuals with knowledge of the breach. Breach costs were determined using an activity-based costing (ABC) method, which identifies activities and assigns a cost to each based on actual use.

The Effects of A Data Breach Are Felt For Years

In this year’s study, IBM analyzed the financial impact of a data breach including the longtail financial costs. The analysis revealed the financial repercussions of a data breach are felt for years. The majority of the breach costs are realized in the first year after the breach when 67% of the cost is accrued. 22% of the cost is accrued in the second year, and 11% of the cost comes 2 or more years after the breach. In highly regulated industries such as healthcare, the longtail costs are higher.

For the majority of businesses, the biggest cost is loss of business after a data breach. Across all industry sectors, loss of business has been the biggest breach cost for the past 5 years, which now costs businesses an average of $1.42 million or 36% of their total breach cost. The average loss of customers following a data breach is 3.9%, although the figure is higher for healthcare organizations who often struggle to retain patients after a breach.

Breach costs are affected by several factors, including the nature of the breach and the organization’s size. The average cost of a data breach at an SMB with fewer than 500 employees is $2.5 million or 5% of annual revenue. With such crippling costs, it is easy to see why so many SMBs fail within 6 months of experiencing a data breach.

Malicious attacks were most common (51%) and were also the costliest breaches to resolve. Malicious attacks cost 25% more to resolve than breaches caused by system glitches or human error. Malicious attacks are now occurring much more frequently. There was a 21% increase in malicious attacks between 2014 and 2019.

The study identified several factors which reduce the cost of a data breach. The most important step to take to reduce breach costs is to form an incident response (IR) team. Companies that had formed an IR team, developed an IR plan, and extensively tested that plan, reduced their breach costs by an average of $1.23 million.

A rapid breach response greatly reduces breach costs. The average time from breach to discovery is 279 days. Companies that identified and remediated the breach inside 200 days saved an average of $1.2 million.

The post 2019 Cost of A Data Breach Study Reveals Increase in U.S. Healthcare Data Breach Costs appeared first on HIPAA Journal.

June 2019 Healthcare Data Breach Report

Posted by HIPAA Journal

For the past two months, healthcare data breaches have been reported at a rate of 1.5 per day – Well above the typical rate of one per day. In June, data breaches returned to more normal levels with 30 breaches of more than 500 healthcare records reported in June – 31.8% fewer than May 2019.

 

While the number of reported data breaches fell,  June saw a 73.6% increase in the number of health records exposed in data breaches. 3,452,442 healthcare records were exposed in the 30 healthcare data breaches reported in June.

Largest Healthcare Data Breaches in June 2019

The increase in exposed records is due to a major breach at the dental health plan provider Dominion Dental Services (Dominion National Insurance Company). Dominion discovered an unauthorized individual had access to its systems and patient data for 9 years. During that time, the protected health information of 2,964,778 individuals may have been stolen. That makes it the largest healthcare data breach to be reported to the Office for Civil Rights so far in 2019 – At least for a month until entities affected by the breach at American Medical Collection Agency report the breach.

9 of the ten largest healthcare data breaches in June were hacking/IT incidents and the top six breaches involved network servers. Three email security breaches and one improper disposal incident round out the top ten.

Name of Covered Entity Covered Entity Type Individuals Affected Type of Breach Location of Breached Information
Dominion Dental Services, Inc., Dominion National Insurance Company, and Dominion Dental Services USA, Inc. Health Plan 2,964,778 Hacking/IT Incident Network Server
Inform Diagnostics, Inc. Healthcare Provider 173,617 Hacking/IT Incident Network Server
EyeCare Partners, LLC [on behalf of affiliated covered entities] Healthcare Provider 141,165 Hacking/IT Incident Network Server
TenX Systems, LLC d/b/a ResiDex Software Business Associate 90,000 Hacking/IT Incident Network Server
Shingle Springs Health and Wellness Center Healthcare Provider 21,513 Hacking/IT Incident Network Server
Desert Healthcare Services, LLC Healthcare Provider 8,000 Hacking/IT Incident Network Server
Summa Health Healthcare Provider 7,989 Hacking/IT Incident Email
Community Physicians Group Healthcare Provider 5,400 Hacking/IT Incident Email
Community Healthlink Healthcare Provider 4,598 Hacking/IT Incident Email
Adventist Health Physician Services Healthcare Provider 3,797 Improper Disposal Paper/Films

The Year So Far

As you can see in the graph below, 2019 is shaping up to be a bad year for healthcare data breaches. In the first 6 months of 2019, the records of 9,652,575 Americans were exposed, impermissibly disclosed, or stolen. That is already almost double the records exposed in 2017 and last year’s total will soon be exceeded. The data breach at American Medical Collection Agency has yet to appear in the figures below. That breach alone will raise the 2019 total to almost 35 million healthcare records. That’s more healthcare records than were breached in 2016, 2017, and 2018 combined.

Causes of June 2019 Healthcare Data Breaches

There was a fairly even split between hacking/IT incidents and unauthorized access/disclosure incidents in June, which accounted for 83% of all breaches reported. There were 12 unauthorized access/disclosure incidents reported in June, but they typically involved small numbers of records. Unauthorized access/disclosure incidents impacted 18,165 patients. The mean breach size was 1,813 records and the median breach size was 1,502 records.

There were 13 hacking/IT incidents reported in June. While these breaches only accounted for 43% of all incidents reported in June, 3,424,422 healthcare records were compromised in those breaches – 99.19% of all records breached in June. The mean breach size was 263,417 records and the median breach size was 7,995 records.

There were three theft incidents reported involving 3,424 records. The mean breach size was 1,141 records and the median breach size was 1,282 records. One loss incident was reported that impacted 2,634 patients and one improper disposal incident exposed the PHI of 3,797 patients.

Location of Breached Protected Health Information

Phishing attacks are continuing to cause problems for healthcare providers, but so too is ransomware. There was a sharp increase in ransomware attacks in Q1 and the trend continued in Q2. Ransomware may have fallen out of favor with cybercriminals in 2018, but it appears to be back in vogue in 2019. Email is usually the most common location of breached PHI, but there was a fairly even split between networks server and email incidents in June. The rise in ransowmare and malware attacks in June account for the increase in network server incidents.

 

June 2019 Healthcare Data Breaches by Covered Entity Type

Healthcare providers reported 24 data breaches in June, one breach was reported by a health plan and one by a healthcare clearinghouse. While only one data breach was reported by a business associate, a further 7 data breaches had some business associate involvement.

 

June 2019 Healthcare Data Breaches by State

June’s 30 healthcare data breaches affected covered entities in 20 states. Arizona and California were the worst affected with three reported breaches. Florida, Massachusetts, Maryland, Minnesota, Missouri, and Ohio each experienced two breaches, and one breach was reported in each of Arkansas, Iowa, Illinois, Indiana, Kentucky, Michigan, Nevada, Pennsylvania, Texas, Virginia, Vermont, and Wyoming.

HIPAA Enforcement Actions in June 2019

One HIPAA enforcement action came to a conclusion in June. Premera Blue Cross agreed to settle a multi-state lawsuit over its 10.4-million-record data breach in 2017.

Premera Blue Cross is one of the nations largest health insurers. In early 2018, Premera discovered hackers had gained access to its network by exploiting an unpatched software vulnerability. The investigation into the breach revealed there had been basic security failures. The case, led by Washington State Attorney General Bob Ferguson, was settled for $10,000,000.

Alabama, Alaska, Arizona, Arkansas, California, Connecticut, Florida, Hawaii, Idaho, Indiana, Iowa, Kansas, Kentucky, Louisiana, Massachusetts, Minnesota, Mississippi, Montana, Nebraska, Nevada, New Jersey, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Rhode Island, Utah, Vermont and Washington all participated in the lawsuit.

The Department of Health and Human Services’ Office for Civil Rights did not issue any financial penalties for HIPAA violations in June.

The post June 2019 Healthcare Data Breach Report appeared first on HIPAA Journal.

Equifax Agrees to Pay up to $700 Million to Settle Data Breach Case

Posted by HIPAA Journal

Equifax has agreed to settle its federal data breach case for a minimum of $575 million. The settlement will potentially rise to $700 million and also requires considerable improvements to be made to enhance security and better protect consumer data.

In 2017, Equifax experienced a colossal data breach in which the personal data of 147 million Americans was compromised. Names, dates of birth, addresses, and Social Security numbers were potentially stolen in the attack and the breach victims now have to face an elevated risk of suffering identity theft and fraud.

Equifax announced the breach in September 2017. In the two years that followed, Equifax has been called before Congress on multiple occasions to explain how the breach occurred and how the response was being handled. Regulators also investigated Equifax to determine whether reasonable and appropriate security measures had been implemented to protect the vast amounts of consumer data that was stored on its network.

The Federal Trade Commission (FTC) determined there had been security failures at Equifax that left the door open to hackers. FTC chairman Joe Simons said, “Equifax failed to take basic steps that may have prevented the breach.” A financial penalty was therefore appropriate.

Under the terms of the settlement, Equifax has committed to pay up to $700 million and is required to implement a much stronger cybersecurity program. The company must undergo annual security audits and submit to external data security audits every two years. Any third party that is provided with access to Equifax’s consumer data must also be vetted to ensure they also have appropriate data security measures in place.

The settlement includes a $300 million fund to provide monetary relief to victims of the breach. The fund will be used for credit monitoring services and to cover victims’ out of pocket expenses that have arisen from the breach. A further $125 million must be added to the fund if the $300 million is not sufficient to cover all of the claims. Claims have been capped at $20,000 per person.

The Consumer Financial Protection Bureau (CFPB) will receive $100 million in civil penalties and $175 million will be split between the 48 states, Washington D.C., and Puerto Rico. From 2020, Equifax must provide consumers with 6 free credit reports a year for the next 7 years, in addition to the three years already provided.

The settlement is certainly sizeable, but there has been considerable criticism of the level of the fine. Many believe the penalty is not nearly severe enough for a publicly traded company the size of Equifax, especially considering the breach exposed the data of almost half of all Americans.

“This settlement does not come close to making consumers whole and, once again, shows the limitations on the FTC’s ability to seek strong penalties and effective redress for consumers,” said Rep. Frank Pallone, (D-N.J), Chairman of the House Energy and Commerce Committee. “It also shows that we need a comprehensive data privacy and security law to ensure companies are designing their systems to protect consumer privacy from the start, minimizing the personal information they keep, and are held appropriately accountable if they fail.”

“We don’t have a general privacy legislation like the GDPR in Europe. Our authority is actually pretty limited in privacy,” said FTC Chairman Joseph Simons. “We can’t go out and tell companies, ‘You can’t collect this, you can’t use it this way, you can’t use it that way.”

Equifax is pleased to have finally resolved the case. Equifax CEO Mark Begor said the settlement is a positive step for U.S. consumers and Equifax. “The consumer fund of up to $425 million that we are announcing today reinforces our commitment to putting consumers first and safeguarding their data — and reflects the seriousness with which we take this matter.”

In addition to the $700 million settlement, Equifax was fined £500,000 by the UK Information Commissioner’s Office – The maximum fine permitted prior to the introduction of GDPR. Had the breach occurred a year later, the fine could have been as high as 4% of the company’s global annual turnover.

Equifax announced in Mary 2019 that so far the company has spent $1.4 billion remediating the breach, updating its computer systems, and strengthening security.

The post Equifax Agrees to Pay up to $700 Million to Settle Data Breach Case appeared first on HIPAA Journal.

AMCA Victim Count Swells to 15 Healthcare Providers and Nearly 24 Million Records

Posted by HIPAA Journal

The number of healthcare providers confirmed to have been affected by the data breach at American Medical Collection Agency (AMCA) has grown considerably over the past few days. The victim count is fast approaching 24 million records and 15 healthcare providers are now known to have been affected.

The AMCA breach was discovered by its parent company, Retrieval Masters Credit Bureau (RMCB), on March 21, 2019. An investigation was launched to determine the extent of the attack, which revealed the hacker had access to the AMCA payment web page for around 8 months. During that time, the hacker had access to vast quantities of sensitive patient information, including financial information and Social Security numbers.

AMCA notified all entities that had been affected by the breach in May 2019; however, only limited information was released. Most of the covered entities affected by the breach were not given sufficient information to allow the affected patients to be identified. Quest Diagnostics was the first to announce that it has been impacted by the breach, closely followed by LabCorp and BioReference Laboratories. Many more healthcare providers have made announcements in the past week.

AMCA has been issuing breach notification letters to affected individuals whose financial information was exposed, but other individuals have not yet been notified. For example, Austin Pathology recently confirmed it has been affected by the breach. Austin Pathology was told around 1,800 breach notification letters had been sent to Austin Pathology patients whose financial information was exposed.

Austin Pathology has confirmed that 46,500 patients have been impacted. The 44,700 patients who have yet to be notified had their name, address, telephone number, date of birth, dates of service, provider details, and account balances exposed. It could well be weeks before all affected patients are notified.

AMCA Data Breach Victims

Affected Entity Records Exposed
Quest Diagnostics/Optum360 12,900,000
LabCorp 7,700,000
BioReference Laboratories/Opko Health 422,600
Penobscot Community Health Center 13,000
Clinical Pathology Associates 2,200,000
Carecentrix 500,000
Austin Pathology Associates 46,500
Seacoast Pathology, Inc 10,000
Arizona Dermatopathology 7,000
American Esoteric Laboratories Unconfirmed
CBLPath Inc. Unconfirmed
Sunrise Laboratories Unconfirmed
Natera Unconfirmed
South Texas Dermatopathology PLLC Unconfirmed
Laboratory of Dermatology ADX, LLC Unconfirmed

 

So far, the protected health information of 23,799,100 individuals is known to have been exposed, and as more providers confirm numbers, that total will continue to swell.

As it stands, the AMCA data breach is the second largest healthcare data breach ever reported, behind Anthem’s 78.8 million-record-breach that was discovered in 2015.

The cost of AMCA’s breach response has been considerable. AMCA has sent more than 7 million breach notification letters, IT consultants have been hired to assist with the investigation, and as of June 19, 2019, $3.8 million had been spent on the breach response. $2.5 million of that came from RMCB CEO Russell Fuchs, who lent the company the money to cover the cost of the breach notifications. RMCB has since filed for Chapter 11 protection.

AMCA will also be investigated by state attorneys general and the HHS’ Office for Civil Rights to determine whether the breach could be attributed to poor security and noncompliance with HIPAA. OCR has previously fined defunct companies for historic HIPAA violations. Bankruptcy does not offer protection against regulatory fines.

The post AMCA Victim Count Swells to 15 Healthcare Providers and Nearly 24 Million Records appeared first on HIPAA Journal.

Idaho Hospitals Must Now Comply with New Idaho Patient Rights Rules

Posted by HIPAA Journal

New rules for hospitals have been implemented in Idaho that give patients new rights. The rules were implemented by the Idaho Department of Health and Welfare (IDHW) and are effective from July 1, 2019.

The new rules were suggested by patient advocacy groups and “incorporate standards that parallel—but do not exactly mirror—existing law and/or Medicare conditions of participation for hospitals,” according to IDHW. The policies align with the MyHealthEData initiative, which was launched in 2018 with the aim of removing the barriers to secure access to electronic medical records.

Under previous state law, critical access hospitals (CAHs) were not required to comply with many of the regulatory conditions that applied to other healthcare providers. The new rules change that, which will mean new policies and procedures will need to be implemented by CAHs. That will come with a considerable administrative burden.

The new rules apply to all hospitals in Idaho as well as any provider that renders services in hospitals. All hospitals and providers have been advised to check their policies and procedures to make sure they are compliant with the new rules.

The main purpose of the new rules is to improve patient rights and make it easier – and quicker – for patients to obtain copies of their health information and access to their EHRs.

As required by HIPAA, patients must be provided with a copy of their medical records on request within 30 days of the request being received. Under the new rules in Idaho, access to EMRs must be provided within 3 days of the request being received. The copy must also be provided in a readily readable format on a popular portable media storage device.

HIPAA limits the amount that can be charged for providing patients with copies of their health information. The new Idaho rules further protect patients by only permitting hospitals to charge a reasonable fee for labor and restricting the charges for copies to the cost of copying at the local library.

A patient’s right to privacy has been further protected. Patients have the right to privacy when personal care is being provided, which extends to continuous observation and video and audio monitoring of patients. As of July 1, 2019, hospitals are not permitted to record video or audio, except in common areas, without first obtaining written consent from the patient. Those recordings must then be included in a patient’s medical record.

The new rules also cover notices of discontinuation of care, advance directives, obtaining and documenting informed consent, patient safety, patient grievances, restraint and seclusion, and law enforcement restraints.

The post Idaho Hospitals Must Now Comply with New Idaho Patient Rights Rules appeared first on HIPAA Journal.

HHS Declares Limited Waiver of HIPAA Sanctions and Penalties in Louisiana

Posted by HIPAA Journal

The Secretary of the U.S. Department of Health and Human Services (HHS) has issued a limited waiver of HIPAA sanctions and penalties in Louisiana due to the devastation likely to be caused by Tropical Storm Barry as it made landfall on July 13 as a hurricane. The HHS announced the public health emergency in Louisiana on Friday July 12, 2019.

The waiver only applies to healthcare organizations in the emergency area and only for the length of time stated in the declaration. The waiver only applies to specific provisions of the HIPAA Privacy Rule and only for a maximum period of 72 hours after the hospital has implemented its emergency protocol.

Once the time period for the waiver ends, healthcare providers will be required once again to comply with all aspects of the HIPAA Privacy Rule, even for patients still under their at the time the declaration ends, even if the 72-hour time window has not expired.

While a waiver has been issued, the Privacy Rule does not prohibit the sharing of protected health information during disasters to assist patients and make sure they get the care they require. That includes sharing some health information with friends, family members and other individuals directly involved in a patient’s care.

The HIPAA Privacy Rule allows the sharing of PHI for public health activities and to prevent or reduce a serious and imminent threat to health or safety. HIPAA-covered entities are also permitted to share information with disaster relief organizations that have been authorized by law to assist with disaster relief efforts without first obtaining permission from patients.

During natural disasters the HIPAA Privacy and Security Rules remain in effect, although following the secretarial declaration, sanctions and penalties against HIPAA covered entities are waived for the following aspects of the HIPAA Privacy Rule:

  • The requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care. See 45 CFR 164.510(b).
  • The requirement to honor a request to opt out of the facility directory. See 45 CFR164.510(a).
  • The requirement to distribute a notice of privacy practices. See 45 CFR 164.520.
  • The patient’s right to request privacy restrictions. See 45 CFR 164.522(a).
  • The patient’s right to request confidential communications. See 45 CFR 164.522(b).

“We are working closely with state health and emergency management officials to anticipate the communities’ healthcare needs and be ready to meet them,” said Secretary Azar. The HHS emergency declaration and limited HIPAA waiver can be viewed on this link (PDF).

The post HHS Declares Limited Waiver of HIPAA Sanctions and Penalties in Louisiana appeared first on HIPAA Journal.

Premera Blue Cross Settles Multi-State Action for $10 Million

Posted by HIPAA Journal

Premera Blue Cross has agreed to a $10 million settlement to resolve a multi-state data breach lawsuit involving 30 state attorneys general.

The settlement resolves alleged violations of state and federal laws that contributed to its 10.4 million record data breach in 2014. A hacker gained access to Premera Health’s network on May 5, 2014 and remained undetected until March 6, 2015. For almost a year the hacker had access to highly sensitive plan member information such as names, contact information, dates of birth, member ID numbers, and Social Security numbers.

Alabama, Alaska, Arizona, Arkansas, California, Connecticut, Florida, Hawaii, Idaho, Indiana, Iowa, Kansas, Kentucky, Louisiana, Massachusetts, Minnesota, Mississippi, Montana, Nebraska, Nevada, New Jersey, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Rhode Island, Utah, Vermont and Washington all participated in the lawsuit.

Washington State Attorney General Bob Ferguson led the investigation and looked at the security vulnerabilities that had been exploited by the hacker to gain access to such a large amount of sensitive data and how the attack went undetected for almost a year.

The Health Insurance Portability and Accountability Act’s (HIPAA) Security Rule requires all HIPAA-covered entities to implement administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of protected health information (PHI). The investigators determined that Premera Health violated HIPAA by failing to meet minimum standards for security.

This was not an oversight. Premera Health had been repeatedly told by its own auditors that its security program was inadequate. The risks of a data breach were accepted without any corrections being made to address vulnerabilities.

“We expect all companies – and particularly those that possess sensitive health information – to protect their customers’ data and to respond appropriately in the event of a breach,” said New Jersey Attorney General Gurbir S. Grewal. “As today’s settlement shows, companies that fall short will be held accountable, face penalties, and be required to improve their systems to prevent future harm to even more customers.”

In addition to the financial penalty, Premera Blue Cross is required to implement further security controls to ensure the electronic protected health information of its plan members is better protected. Annual cybersecurity reviews must also be conducted by a third-party cybersecurity expert and data security reports must be sent to the attorneys general.

Premera Blue Cross must also hire a CISO with experience in HIPAA compliance and data security who will be responsible for implementing and maintaining Premera Health’s security program. The CISO is required to attend regular meetings with executive management and must meet with the CEO at least every 2 months. The CISO is also required to report any network breaches within 48 hours of discovery.

It has been an expensive four weeks for Premera Blue Cross. Last month, Premera Blue Cross agreed to pay $74 million to settle a class action lawsuit filed by plan members affected by the breach.

The post Premera Blue Cross Settles Multi-State Action for $10 Million appeared first on HIPAA Journal.