Latest HIPAA News

Congress Passes CISA Act Which Calls for New Cybersecurity Agency Within DHS

Posted by HIPAA Journal

The U.S. Department of Homeland Security will be forming a new agency solely focused on cybersecurity following the passing of new legislation by Congress.

The Cybersecurity and Infrastructure Security Agency Act of 2018 (CISA Act) amends the Homeland Security Act of 2002 can calls for DHS to form a new Cybersecurity and Infrastructure Security Agency. The CISA Act was unanimously passed by the House of Representatives and just awaits the president’s signature.

The new agency will be formed through the reorganization of the National Protection and Programs Directorate (NPPD) and will have the same status as other DHS agencies such as the U.S. Secret Service.

The NPPD is already responsible for reducing and eliminating threats to U.S. critical physical and cyber infrastructure, with cybersecurity elements covered by the Office of Cybersecurity and Communications and the National Risk Management Center.

NPPD currently coordinates IT security initiatives with other entities, local, state, tribal and territorial governments and the private sector and oversees cybersecurity at federal government civilian agencies.

The new name better reflects the work NPPD does and emphasizes the importance of cybersecurity in securing the nation’s critical infrastructure. The new agency will consolidate information security and physical infrastructure security in a unified agency.

“The cyber threat landscape is constantly evolving, and we need to ensure we’re properly positioned to defend America’s infrastructure from threats digital and physical,” said DHS Secretary Kirstjen M. Nielsen. “It was time to reorganize and operationalize NPPD into the Cybersecurity and Infrastructure Security Agency.”

Having a single agency in charge of the nation’s cybersecurity will help the U.S. government address current security gaps. At present, each federal agency is responsible for its own IT systems and managing cyber risks. Regardless of size and budget, each government entity must ensure cyber risks are managed and reduced to a minimal level. There are also several government agencies that cover various cybersecurity functions, which is inefficient and results in security gaps.

“Elevating the cybersecurity mission within the Department of Homeland Security, streamlining our operations, and giving NPPD a name that reflects what it actually does will help better secure the nation’s critical infrastructure and cyber platforms,” said Christopher Krebs, current undersecretary of the NPPD. “The changes will also improve the Department’s ability to engage with industry and government stakeholders and recruit top cybersecurity talent.”

The post Congress Passes CISA Act Which Calls for New Cybersecurity Agency Within DHS appeared first on HIPAA Journal.

HealthCare.gov Data Breach Exposed Personal Information of 94,000 Individuals

Posted by HIPAA Journal

Last month, the Centers for Medicare & Medicaid Services (CMS) announced that the HealthCare.gov website had been hacked and the sensitive data of approximately 75,000 individuals had potentially been compromised.

This week, the CMS issued an update on the breach confirming more people had been affected than was initially thought. The revised estimate has seen the number of breach victims increased to 93,689.

The initial breach announcement was light on details about the exact nature of the breach and the types of information that had potentially been compromised. In the initial announcement the CMS explained that suspicious activity was detected on the site on October 13 and on October 16 a breach was confirmed. Steps were immediately taken to secure the site and prevent any further data access or data theft.

The CMS started sending out breach notification letters on November 7 which explain the breach in more detail, including the types of information that were potentially accessed.

CMS explained that the ‘suspicious activity’ it detected was certain agent and broker accounts conducting an unnatural number of searches to find consumer information. Those searches returned results that contained the personal information of people detailed in Marketplace applications.

The compromised agent and broker accounts were rapidly deactivated and the Direct Enrollment pathway for agents and brokers was temporarily deactivated while the system was secured. The Direct Enrollment pathway was brought back online on October 26.

The CMS has now confirmed that an extensive range of sensitive information has potentially been accessed and stolen by the hackers, which may have included the following data elements:

  • Name
  • Date of birth
  • Address
  • Sex
  • Last four digits of Social Security number (SSN) – if provided on applications
  • Expected income
  • Tax filing status
  • Family relationships
  • Citizen or immigrant status
  • Immigration document types and numbers
  • Employer name(s)
  • Pregnancy status
  • Whether the individual has health insurance
  • Information provided by other federal agencies and data sources to confirm application information
  • Whether the Marketplace asked the applicant for documents or explanations
  • Application result
  • Tax credit amounts
  • If an applicant enrolled, the name of the insurance plan, premium, and coverage dates

The CMS has not been able to confirm whether any personal information was stolen by the hackers, although as a precaution, individuals whose personal information has been exposed have been offered free identity theft protection services.

The investigation is continuing, and additional security measures are being implemented to prevent any further breaches.

The HealthCare.gov website has had a tough time since its launch. Malware was uploaded to a test server in July 2014, just a few months after the site was launched. Audits by government watchdog agencies, including the Government Accountability Office (GAO) identified a slew of vulnerabilities and confirmed that there had been 316 security incidents involving the website and its supporting systems between October 2013 and March 2015.

While none of those incidents resulted in sensitive data being compromised, GAO did identify a number of security weaknesses in the technical controls used to protect data, the frequency of patching, encryption, auditing, monitoring, boundary protections, and identification and authentication which placed data at risk.

It is unclear how the hackers gained access to login credentials and whether any of the GAO-identified weaknesses were exploited.

The post HealthCare.gov Data Breach Exposed Personal Information of 94,000 Individuals appeared first on HIPAA Journal.

OIG Finds Deficiencies in FDA’s Policies and Procedures to Address Cybersecurity Risk to Postmarket Medical Devices

Posted by HIPAA Journal

The HHS’ Office of Inspector General (OIG) has published the findings of an audit of the FDA’s policies and procedures for addressing medical device cybersecurity in the postmarket phase and has identified several deficiencies.

Ensuring the safety, security, and effectiveness of medical devices is a key management challenge for the Department of Health and Human Services. It is the responsibility of the U.S. Food and Drug Administration (FDA) to ensure all medical devices that come to market are secure and incorporate cybersecurity protections to prevent cyberattacks that could alter the functionality of the devices which could cause harm to patients.

The FDA has developed policies and procedures to ensure that cybersecurity protections are reviewed before medical devices come to market and the agency has plans and processes for addressing medical device issues, such as cybersecurity incidents, in the postmarket stage. However, OIG determined that those plans and practices are insufficient in several areas.

One area of weakness concerns how the FDA handles postmarket medical device cybersecurity events, including recalls of medical devices that contain vulnerabilities that could be exploited by hackers to gain access to the devices to alter functionality, steal patient data, or use the devices for attacks on healthcare networks. Written standard operating procedures for device recalls had not been established in two of the 19 FDA district offices under review.

While plans and procedures for dealing with cybersecurity events have been developed by the FDA, the agency’s ability to respond to cybersecurity incidents had not been adequately tested, according to OIG.

OIG noted in its report that as a result of the failure of the FDA to assess risks from medical device security events and ineffective approaches to responding to events, the FDA’s efforts to address medical device vulnerabilities were susceptible to “inefficiencies, unintentional delays, and potentially insufficient analysis.”

Even though deficiencies were identified, OIG said “We did not identify evidence that FDA mismanaged or responded untimely to a reported medical device cybersecurity event.”

OIG recommended that the FDA:

  • Continually assesses cybersecurity risks to medical devices and updates its plans and strategies accordingly
  • Establish written procedures for securely sharing sensitive information about cybersecurity events with appropriate stakeholders
  • Enter into a formal agreement with the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team to establish roles and responsibilities
  • Ensure policies and procedures are established and maintained covering the recall of medical devices vulnerable to cybersecurity threats.

The FDA has been proactively addressing the issue of medical device cybersecurity; however, at the time of OIG’s fieldwork in the spring of 2017, the FDA had not yet properly addressed the emerging issue of medical device cybersecurity.

OIG notes that prior to issuing the draft report of the findings of the audit, the preliminary findings were shared with the FDA. By the time that the draft report was issued, the FDA had already addressed some of OIG’s recommendations.

The FDA concurred with all of OIG’s recommendations; however, the FDA did not agree with OIG’s suggestion that it had failed to assess medical service security at an enterprise or component level and neither that its policies and procedures were inadequate.  The FDA also said that the OIG report provided an incomplete and inaccurate picture of its oversight of postmarket medical device cybersecurity.

The post OIG Finds Deficiencies in FDA’s Policies and Procedures to Address Cybersecurity Risk to Postmarket Medical Devices appeared first on HIPAA Journal.

Q3 Healthcare Data Breach Report: 4.39 Million Records Exposed in 117 Breaches

Posted by HIPAA Journal

The latest installment of the Breach Barometer Report from Protenus shows there was a quarterly fall in the number of healthcare data breaches compared to Q2, 2018; however, the number of healthcare records exposed, stolen, or impermissibly disclosed increased in Q3.

In each quarter of 2018, the number of healthcare records exposed in data breaches has risen. Between January and March 1,129,744 healthcare records were exposed in 110 breaches. Between April and June, 3,143,642 records were exposed in 142 breaches, and 4,390,512 healthcare records were exposed, stolen, or impermissibly disclosed between July and September in 117 breaches.

The largest healthcare data breach in Q3 was reported by the Iowa Health System UnityPoint Health. The breach was due to a phishing attack that saw multiple email accounts compromised. Those accounts contained the protected health information of more than 1.4 million patients. That breach was the second phishing attack experienced by UnityPoint Health. An earlier phishing attack resulted in the exposure of 16,400 healthcare records.

In Q3, hacking was the leading cause of healthcare data breaches. 51% of the 117 breaches were due to hacking and those incidents accounted for 83% of all exposed records in the quarter. Hacking incidents and the number of records exposed through hacking both increased in Q3.

23% of data breaches in Q3 (27 breaches) were due to insider wrongdoing or insider error, resulting in the theft/exposure/disclosure of 680,117 health records – 15% of the records exposed in Q3. Insider wrongdoing includes theft of data by employee, snooping on medical records, and other incidents where insiders violated HIPAA Rules.

19 breaches were caused by insider error – mistakes made by healthcare employees that resulted in the exposure or impermissible disclosure of healthcare records. Insider errors resulted in the exposure/disclosure of 389,428 patient records. There were 8 incidents involving insider wrongdoing.

Protenus has drawn attention to the significant increase in records exposed/stolen through insider wrongdoing. In Q1, 4,597 patients were affected by insider wrongdoing, the number increased to 70,562 in Q2, and 290,689 patients were affected by insider wrongdoing incidents in Q3.

There were 22 breaches reported in Q3 that involved paper records (19% of the total). Those incidents saw 344,729 healthcare records exposed.

Healthcare providers disclosed 86 breaches in Q3, 13 health plans reported breaches, and a further 13 breaches were reported by business associates. 5 breaches were reported by other entities. 27 incidents – 23% of the total – had some business associate involvement.

On average, it took 402 days to discover data breaches. The median time to detect a breach was 51 days. One healthcare provider took 15 years to discover an employee had been accessing healthcare records without authorization. Over that time frame, the employee had viewed the records of 4,686 patients without any work reason for doing so. The average time to report breaches was 71 days and the median time was 57.5 days.

The states worst affected by healthcare data breaches in Q3 were Florida with 11 incidents, followed by California with 10, and Texas with 9 incidents.

The post Q3 Healthcare Data Breach Report: 4.39 Million Records Exposed in 117 Breaches appeared first on HIPAA Journal.

Fewer Than One Third of Healthcare Organizations Have a Comprehensive Cybersecurity Program

Posted by HIPAA Journal

An alarming number of healthcare organizations do not have comprehensive cybersecurity programs in place, according to the recently published 2018 CHIME Healthcare’s Most Wired survey.

The annual CHIME survey explores the extent to which healthcare organizations have adopted health information technology and draws attention to those that are ‘Most Wired’ and have the broadest, deepest IT infrastructure.

This year’s report highlights gaps in foundational technologies and strategies for security and disaster recovery. “Before provider organizations can achieve outcomes with their strategies for population health management, value-based care, patient engagement, and telehealth, they must first ensure that foundational pieces such as integration, interoperability, security, and disaster recovery are in place,” explained CHIME.

The attack surface has grown considerably in recent years due to increased adoption of networked medical devices and IoT technology. Threats to the privacy of sensitive information and security of systems and devices have grown and security is now a major challenge.

To address cybersecurity threats, many healthcare organizations have invested heavily in IT solutions and new technologies to secure their systems and data. A growing number of healthcare organizations have now adopted cybersecurity frameworks such as those developed by NIST and HITRUST, rather than relying on their own self-developed frameworks.

A comprehensive cybersecurity framework is an important component of any cybersecurity program, although CHIME has identified six other core building blocks of security that should be incorporated into healthcare security programs. These are:

  • Appointing a dedicated Chief Information Security Officer (CISO)
  • Progress tracking
  • Reporting of security deficiencies
  • Creating a governance committee dedicated to cybersecurity
  • Conducting security board meetings at least annually
  • Ensuring board-level oversight of cybersecurity

Appointing a dedicated CISO to oversee security and reporting security updates and progress toward security goals to an executive committee are important first steps to mitigate vulnerabilities, yet these foundational elements are still being developed by many healthcare organizations. Only 29% of healthcare organizations that took part in the survey said they had a comprehensive cybersecurity program in place that covered all of the above requirements.

Healthcare organizations were most likely to report security deficiencies (95%) and security progress (94%) to the board, but only 90% had a dedicated CISO. Only 79% had a dedicated cybersecurity committee, and just 34% had a board-level committee providing oversight of the security program.

Virtually all healthcare organizations that took part in the study had implemented firewalls and authentication controls and securely disposed of devices containing ePHI, but many other important safeguards were lacking. For instance, 10% of organizations lacked mobile device management solutions, 12% did not have unique user identifications or physical device locks, 14% did not use encryption on removable storage devices, and 18% were not yet encrypting data backups.

No man is an island, and the same is true of healthcare organizations. Accessing and sharing knowledge, best practices, and threat information is an important part of any cybersecurity program. While most healthcare organizations used at least one information sharing and analysis organization (ISAO), fewer than a third communicated with formal groups such as the Cyber Information Sharing and Collaboration Program (CISCP), National Cybersecurity & Communication Integration Center (NCCIC), or the Health Cybersecurity & Communication Integration Center (HCCIC).

The survey also assessed healthcare organizations’ ability to recover from disasters. Only 68% of organizations said they were confident that if an event wiped out their primary data center they would be able to restore clinical, financial, supply chain management, HR, and staffing systems within 24 hours.

CHIME identified ten critical elements of a comprehensive incident response plan:

  • Documented EHR outage procedures
  • Security/privacy breach notification procedures
  • Tabletop exercises conducted at least annually
  • Disaster recovery plans linked to business continuity
  • Marketing & communications team included in planning and exercises
  • HR team involvement in planning and exercises
  • Other members of the organization involved in planning and exercises
  • Resource management team involvement in planning and exercises
  • Legal team involvement in planning and exercises
  • Enterprise-wide exercises held at least annually

Only 26% of healthcare organizations had all ten elements, 43% had between 7 and 9 in their disaster response programs, and 31% had fewer than 7. Most organizations said they used a data repository to back up data and most used off-site data storage for backups.

While it is certainly encouraging that improvements are being made, there is still considerable room for improvement to bring cybersecurity programs up to the necessary standard.

The post Fewer Than One Third of Healthcare Organizations Have a Comprehensive Cybersecurity Program appeared first on HIPAA Journal.

$200,000 Settlement Agreed with Business Associate Behind Virtua Medical Data Breach

Posted by HIPAA Journal

New Jersey Attorney General Gurbir S. Grewal has announced a $200,000 settlement has been agreed with Best Medical Transcription to resolve violations of the Health Insurance Portability and Accountability Act that were discovered during an investigation of a 2016 breach of 1,650 individuals’ protected health information.

Protected Health Information of 1,654 Patients Was Accessible Through Search Engines

Best Medical Transcription was a business associate of Virtua Medical Group, a network of medical and surgical practices in southern New Jersey. Best Medical Transcription was provided with dictated medical notes, letters, and reports which were transcribed for Virtua Medical Group physicians.

In January 2016, it was discovered that transcribed documents had been uploaded to File Transfer Protocol (FTP) website that was accessible over the Internet without the need for any authentication. The files had been indexed by Google and could be found using search terms including information contained in the files. Password-protection had been removed when software on the website was updated.

In total, 1,654 patients had their protected health information exposed. Affected patients were notified of the breach and Virtua Medical Group terminated its relationship with Best Medical Transcription. In 2017 Best Medical Transcription was dissolved.

The New Jersey attorney general and the New Jersey Division of Consumer Affairs investigated the breach, and Virtua Medical Group was held accountable for failing to protect patients’ data. Virtua Medical Group settled with New Jersey for $417,816 in April 2018 to resolve the HIPAA violations and agreed to improve its data protection protocol.

While covered entities can be held accountable for data breaches experienced by their business associates, vendors can also be fined directly for HIPAA violations. New Jersey also filed charges against ATA Consulting LLC, dba Best Medical Transcription, and the owner of the business, Tushar Mathur.

New Jersey alleged Best Medical Transcription had violated the HIPAA Privacy Rule, HIPAA Security Rule and HIPAA Breach Notification Rule. Specifically, it was alleged that Best Medical Transcription failed to conduct an accurate and thorough risk assessment of potential risks to the confidentiality, integrity, and availability of ePHI. There was also an alleged failure to implement appropriate safeguards to reduce risks and vulnerabilities to a reasonable and appropriate level and policies and procedures had not been implemented to prevent the improper alteration or destruction of ePHI. Best Medical Transcription also failed to notify Virtua Medical Group about the breach and the improper disclosure of ePHI was a violation of its business associate agreement with Virtua Medical Group.

Tushar Mathur agreed to pay New Jersey a civil monetary penalty of $191,492 to resolve the HIPAA violations and $8,508 to cover attorneys’ fees and costs. Mathur has also been barred from managing or owning a business in New Jersey.

“We will continue to protect the privacy of New Jersey patients by vigorously enforcing the laws safeguarding their personal health information,” said Attorney General Grewal. “Our action against Best Medical Transcription demonstrates that any entity that fails to comply with its duty to protect private health records of New Jersey patients will be held accountable… Our settlement with Best Medical Transcription sends a message that New Jersey requires compliance from all entities bound by patient privacy standards.”

HIPAA-Related Fines and Settlements with Attorneys General in 2018

While the number of HHS’ Office for Civil Rights HIPAA violation settlements and civil monetary penalties has fallen in 2018, state attorneys general have increased their enforcement actions to resolve HIPAA violations. The latest settlement brings the total number of HIPAA-related fines in 2018 to 10.

State Covered Entity Amount Individuals affected Settlement/CMP
New Jersey Best Transcription Medical $200,000 1,650 Settlement
Washington Aetna TBA 13,160 Settlement (Multi-state action)
Connecticut Aetna $99,959 13,160 Settlement (Multi-state action)
New Jersey Aetna $365,211.59 13,160 Settlement (Multi-state action)
District of Columbia Aetna $175,000 13,160 Settlement (Multi-state action)
Massachusetts UMass Memorial Medical Group / UMass Memorial Medical Center $230,000 15,000 Settlement
New York Arc of Erie County $200,000 3,751 Settlement
New Jersey Virtua Medical Group $417,816 1,654 Settlement
New York EmblemHealth $575,000 81,122 Settlement
New York Aetna $1,150,000 12,000 Settlement

The post $200,000 Settlement Agreed with Business Associate Behind Virtua Medical Data Breach appeared first on HIPAA Journal.

Important Cybersecurity Best Practices for Healthcare Organizations

Posted by HIPAA Journal

The Department of Health and Human Services’ Office for Civil Rights has drawn attention to basic cybersecurity safeguards that can be adopted by healthcare organizations to improve cyber resilience and reduce the impact of attempted cyberattacks.

The advice comes at the end of cybersecurity awareness month – a four-week coordinated effort between government and industry organizations to raise awareness of the importance of cybersecurity.

While all organizations need to implement policies, procedures, and technical solutions to make it harder for hackers to gain access to their systems and data, this is especially important in the healthcare industry. Hackers are actively targeting healthcare organizations as they store large quantities of highly sensitive and valuable data.

Healthcare organization need to ensure that their systems are well protected against cyberattacks, which means investing in technologies to secure the network perimeter, detect intrusions, and block malware and phishing threats. Large healthcare organizations have the resources to invest heavily in cybersecurity solutions, although many smaller HIPAA-covered entities and business associates may struggle to find the necessary funds to devote to cybersecurity.

OCR has reminded HIPAA-covered entities that there are several basic cybersecurity safeguards that can be implemented to improve cyber resilience which only require a relatively small financial investment, yet they can have a major impact on an organization’s cybersecurity posture.

Recommended Cybersecurity Best Practices for Healthcare Organizations

OCR has drawn attention to four cybersecurity safeguards that can significantly reduce the impact of attempted cyberattacks and are also important for HIPAA Security Rule compliance.

Data Encryption

Encryption may only be an addressable implementation specification of the HIPAA Security Rule, but it is one of the most effective cybersecurity safeguards to ensure the confidentiality, integrity, and availability of ePHI. Encryption is the conversion of data to a secure, encrypted form. If correctly applied, data are unintelligible and can only be transformed back to a readable form with a decryption key. Any healthcare organization that has experienced a ransomware attack will be aware of how effective encryption is at preventing data access.

HIPAA-covered entities should assess whether encryption is an appropriate safeguard to implement for data at rest and in motion based on the results of a risk analysis.

Social Engineering Awareness

As the OCR Breach portal shows, email hacking incidents are a common cause of healthcare data breaches. Hackers often use phishing to trick healthcare employees into revealing their email credentials. Phishing is one of the most common and most effective social engineering tactics used by hackers to gain access to ePHI.

Spam filters and other email gateway cybersecurity solutions can reduce the volume of phishing emails that are delivered to mailboxes, but no solution will be able to prevent all phishing emails from being delivered. It is therefore essential for all healthcare employees to be trained how to identify social engineering attacks. Security awareness training can greatly reduce susceptibility to phishing attacks. Regular security awareness training sessions are also a required element of HIPAA Security Rule compliance.

Audit Logs

HIPAA-covered entities are required to create and monitor audit logs. Audit logs contain a record of events related to specific systems, devices, and software. By reviewing audit logs regularly, security teams can identify attempts by unauthorized individuals to gain access to ePHI before they result in a data breach. Audit logs can also be used to reconstruct past events and identify historic data breaches that would otherwise go undetected.

Correct Configuration of Software and Network Devices

Network devices, software, and cloud-based solutions may incorporate all the necessary security controls to prevent unauthorized access, but if the security controls are not correctly configured hackers have an easy entry point into a healthcare network.

Misconfigured S3 buckets, deactivated firewalls, out of date software, and missed patches often lead to healthcare data breaches, and misconfigured audit logs may not record information to allow suspicious activity to be detected. Steps should be taken to ensure that all systems, software, and devices are correctly configured, and regular security audits should be conducted to identify potential vulnerabilities.

The post Important Cybersecurity Best Practices for Healthcare Organizations appeared first on HIPAA Journal.

OCR Launches Campaign to Raise Awareness of Civil Rights Protections for Patients Being Treated for Opioid Use Disorder

Posted by HIPAA Journal

On October 26, 2017, President Donald Trump declared the opioid crisis a national public health emergency. The one-year anniversary of that declaration has seen a new opioid bill signed into law. On October 24, 2018, President Donald Trump added his signature to the Substance Use–Disorder Prevention that Promotes Opioid Recovery and Treatment for Patients and Communities Act – or “SUPPORT for Patients and Communities Act” for short.

The Act will help strengthen the government’s response to the opioid crisis, improve access to addiction treatment services, and expand data sharing in cases of opioid abuse.

There have been calls for changes to be made to 42 CFR Part 2 to align the legislation with the HIPAA Privacy Rule and allow the sharing of information about a patient’s substance abuse treatment, without consent, for the purposes of treatment, payment or healthcare operations.

The SUPPORT for Patients and Communities Act does go that far, although the new law does allow information relating to opioid abuse treatment – and details of treatment for abuse of other substances – to be displayed on a patient’s medical record, if consent is obtained from a patient.

The SUPPORT for Patients and Communities Act calls for the HHS to consult with stakeholders and develop best practices that cover how that information can be prominently displayed in a patient’s medical record, how consent should be obtained from patients, and the process and methods that should be used.

The stakeholders must include a patient with a history of opioid use disorder, an expert in the confidentiality patient health information, an electronic health records expert, and a healthcare provider. The best practices should be issued within a year of the passing of the SUPPORT for Patients and Communities Act.

Following the signing of the SUPPORT for Patients and Communities Act, the HHS’ Office for Civil Rights launched a public education campaign which highlights the efforts being made by the HHS to combat the opioid epidemic.

The campaign has two main goals. First, OCR is attempting to improve access to evidence-based opioid use disorder treatment and recovery services, including medication assisted treatment, for all people, regardless of physical disability or their proficiency in English. The second goal is to raise awareness of civil rights protections that may apply to a patient who is being treated for opioid use disorder.

“Persons getting help for an opioid use disorder are protected by our civil rights laws throughout their treatment and recovery,” said OCR Director, Roger Severino. “Discrimination, bias, and stereotypical beliefs about persons recovering from an opioid addiction can lead to unnecessary and unlawful barriers to health and social services that are key to addressing the opioid crisis.”

Details of the campaign can be found on the HHS website – on this link. The web page includes fact sheets on Nondiscrimination and Opioid Use Disorder and drug addiction and federal disability rights laws.

OCR has also released guidance for healthcare providers that clarifies how HIPAA permits the sharing of information on opioid patients without consent to help patients suffering from an opioid crisis. The document explains when consent is not needed and when consent must be obtained from patients prior to sharing information related to opioid abuse and treatment for opioid use disorder. The guidance – How HIPAA Allows Doctors to Respond to the Opioid Crisis – can be downloaded from OCR on this link (PDF).

The post OCR Launches Campaign to Raise Awareness of Civil Rights Protections for Patients Being Treated for Opioid Use Disorder appeared first on HIPAA Journal.

September 2018 Healthcare Data Breach Report

Posted by HIPAA Journal

For the second consecutive month there has been a reduction in both the number of reported healthcare data breaches and the number of exposed healthcare records. In September, there were 25 breaches of 500 or more records reported to the Department of Health and Human Services’ Office for Civil Rights – the lowest breach tally since February.

Healthcare data breaches April to September

There was also a substantial reduction in the number of exposed/stolen healthcare records in September. Only 134,000 healthcare records were exposed/stolen in September – A 78.5% reduction in compared to August. Fewer records were exposed in September than in any other month in 2018.

Causes of September 2018 Healthcare Data Breaches

In August, hacking/IT incidents dominated the healthcare breach reports, but there was a major increase (55.55%) in unauthorized access/disclosure breaches in September, most of which involved paper records. There were no reported cases of lost paperwork or electronic devices containing ePHI, nor any improper disposal incidents.

September 2018 Healthcare Data Breaches - Causes

While there were fewer hacking/IT incidents than unauthorized access/disclosure incidents in September, they resulted in the exposure of more healthcare records. Six of the top ten healthcare data breaches in September were hacking/IT incidents.

Ten Largest Healthcare Data Breaches in September 2018

Covered Entity Entity Type Records Exposed Breach Type Location of PHI
WellCare Health Plans, Inc. Health Plan 26942 Unauthorized Access/Disclosure Paper/Films
Reliable Respiratory Healthcare Provider 21311 Hacking/IT Incident Email
Toyota Industries North America, Inc. Health Plan 19320 Hacking/IT Incident Email
Independence Blue Cross, LLC Business Associate 16762 Unauthorized Access/Disclosure Other
Ransom Memorial Hospital Healthcare Provider 14329 Hacking/IT Incident Email
Ohio Living Healthcare Provider 6510 Hacking/IT Incident Email
University of Michigan/Michigan Medicine Healthcare Provider 3624 Unauthorized Access/Disclosure Paper/Films
Reichert Prosthetics & Orthotics, LLC Healthcare Provider 3380 Theft Other Portable Electronic Device
J.A. Stokes Ltd. Healthcare Provider 3200 Hacking/IT Incident Desktop Computer, Electronic Medical Record, Network Server
J&J Medical Service Network Inc. Business Associate 2500 Hacking/IT Incident Network Server

Location of Breached Protected Health Information

Over the past few months, email has been the most common location of breached PHI. September also saw a high number of email-related breaches reported – mostly due to phishing attacks – but the highest percentage of breaches involved paper records. There were 9 incidents involving unauthorized access/disclosure of paper records and one theft incident.

Data Breaches by Covered Entity Type

There was a 150% month-over-month rise in health plan data breaches in September, although healthcare providers were the worst affected with 17 healthcare data breaches reported in September 2018. While there were only 3 data breaches reported by business associates of HIPAA-covered entities, a further four breaches had some business associate involvement.

Healthcare Data Breaches by State

Healthcare organizations based in 18 states reported data breaches in September. Texas was the worst affected with four separate healthcare data breaches in September. There were three breaches reported by healthcare providers in Massachusetts and two reported breaches in California and Kansas. One breach was reported in Arizona, Colorado, Florida, Indiana, Michigan, Nebraska, New Jersey, Nevada, New York, Ohio, Oregon, Pennsylvania, Rhode Island, and Wisconsin.

HIPAA Enforcement Actions in September

After two months without any OCR financial penalties, OCR agreed settlements with three hospitals in September to resolve potential HIPAA violations. All three hospitals were alleged to have violated the HIPAA Privacy Rule by allowing an ABC film crew to record footage for the TV show “Boston Med.”

In all cases, OCR determined that patient privacy had been violated by allowing filming to take place without first obtaining patients’ consent. OCR also determined there had been failures to safeguard patients’ protected health information.

Massachusetts General Hospital agreed to a settlement of $515,000, Brigham and Women’s Hospital settled its case with OCR for $384,000, and Boston Medical Center paid OCR $100,000. New York Presbyterian Hospital had already settled its Boston Med-related case with OCR for $2.2 million in 2016.

State attorneys general also enforce HIPAA Rules and can issue fines for HIPAA violations. In September there was one settlement agreed with a state attorney general.  UMass Memorial Health Care paid $230,000 to Massachusetts to resolve alleged HIPAA failures related to two data breaches that exposed the protected health information (PHI) of more than 15,000 state residents. In both cases, employees had accessed and copied PHI without authorization.

The post September 2018 Healthcare Data Breach Report appeared first on HIPAA Journal.