Latest HIPAA News

OCR Announces $4.3 Million Civil Monetary Penalty for University of Texas MD Anderson Cancer Center

The Department of Health and Human Services’ Office for Civil Rights has announced that its fourth largest HIPAA violation penalty has been issued to The University of Texas MD Anderson Cancer Center (MD Anderson). MD Anderson has been ordered to pay $4,348,000 in civil monetary penalties to resolve the HIPAA violations related to three data breaches experienced in 2012 and 2013.

MD Anderson is an academic institution and a cancer treatment and research center based at the Texas Medical Center in Houston, TX. Following the submission of three breach reports in 2012 and 2013, OCR launched an investigation to determine whether the breaches were caused as a result of MD Anderson having failed to comply with HIPAA Rules.

The breaches in question were the theft of an unencrypted laptop computer from the home of an MD Anderson employee and the loss of two unencrypted USB thumb drives, each of which contained the electronic protected health information (ePHI) of its patients. In total, the PHI of 34,883 patients was exposed and could potentially have been viewed by unauthorized individuals.

The investigation revealed that MD Anderson had conducted a risk analysis, as is required by HIPAA. That risk analysis revealed the use of unencrypted devices posed a serious threat to the confidentiality, integrity, and availability of ePHI. To address the risk, in 2006 MD Anderson developed policies that required all portable storage devices to be encrypted.

However, even though policies called for the use of encryption, encryption was not implemented until March 24, 2011. When encryption was implemented, it was not implemented on all portable devices in its inventory. MD Anderson reported to OCR that by January 25, 2013, it had only encrypted 98% of its computers. If MD Anderson had implemented encryption on all portable electronic devices containing ePHI, the three breaches would have been prevented.

Preventable Data Breaches Experienced by MD Anderson

The laptop was stolen from the home of Dr. Randall Millikan on April 30, 2012. Dr. Millikan confirmed that the ePHI on the device were not encrypted, the laptop was not password protected, and the ePHI could potentially have been viewed by family members at his home as a result, as well as by the individual who stole the laptop.

The USB devices were lost on or around July 12, 2012 and December 2, 2013. The first contained an Excel file containing the ePHI of 2,264 individuals. The device was lost by a summer intern on her way home from work. The second USB drive was lost by a visiting researcher from Brazil at some point over the Thanksgiving weekend. The device was usually left in the tray on her desk. Neither device was encrypted or password protected.

Between 2010 and 2011, MD Anderson’s Information Security Program and Annual Reports stated clearly that the storage of ePHI on mobile media was a key risk area that had not yet been mitigated, which was also detailed in its risk analysis for fiscal year 2011. That risk analysis determined that employees were downloading ePHI onto portable storage devices for use outside the institution. The failure to address the risk was a violation of 45 C.F.R. § 164.312(a)(2)(iv) and its own policies.

Penalties for HIPAA Violations

When financial penalties are deemed appropriate, OCR usually negotiates with the covered entity and a settlement is agreed; however, MD Anderson disagreed with OCR’s decision and maintained the financial penalty was unreasonable. Specifically, MD Anderson claimed that it was not obligated to use encryption as the data on the devices were used for research purposes, and that the research was not subject to HIPAA’s nondisclosure requirements. A covered entity has the right to contest penalties for HIPAA violations. Consequently, the matter was referred to an Administrative Law Judge.

OCR proposed penalties for HIPAA violations under the tier of ‘reasonable cause’. OCR wrote in its Notice of Proposed Determination, “Reasonable cause is ‘an act or omission in which a covered entity or business associate knew, or by exercising reasonable diligence would have known, that the act or omission violated an administrative simplification provision, but in which the covered entity or business associate did not act with willful neglect.’”

The penalty amounts in such cases are a minimum of $1,000 for each violation up to a maximum of $1.5 million per calendar year.

Penalty Structure for HIPAA Violations

OCR determined penalties were appropriate for calendar year 2011 (283 days from March 24 to December 31), calendar year 2012 (366 days from January 1 to December 31) and calendar year 2013 (25 days from January 1 to January 25), and applied the maximum penalty of $1.5 million for each of those calendar years.

Administrative Law Judge Steven T. Kessell granted summary judgement in favor of OCR to remedy MD Anderson’s noncompliance with 45 C.F.R. § 164.312(a) – Technical Safeguards; encryption – and 45 C.F.R. § 164.502(a) – Uses and Disclosure of PHI; impermissible disclosure of ePHI.

“OCR is serious about protecting health information privacy and will pursue litigation, if necessary, to hold entities responsible for HIPAA violations,” said OCR Director Roger Severino. “We are pleased that the judge upheld our imposition of penalties because it underscores the risks entities take if they fail to implement effective safeguards, such as data encryption, when required to protect sensitive patient information.”

The post OCR Announces $4.3 Million Civil Monetary Penalty for University of Texas MD Anderson Cancer Center appeared first on HIPAA Journal.

OCR Issues Guidance on Individual Authorization of Uses and Disclosures of PHI for Research

The Department of Health and Human Services’ Office for Civil Rights has issued new guidance for HIPAA-covered entities to streamline HIPAA authorizations for uses of protected health information for research purposes, as required by the 21st Century Cures Act of 2016.

Uses and Disclosure of PHI for Research

The HIPAA Privacy Rule does permit covered entities to use patients’ PHI for research without obtaining individual authorizations under certain circumstances, such as if documented Institutional Review Board (IRB) or Privacy Board Approval has been obtained – see 45 CFR § 164.512(i)(1)(i) and (ii). However, in most cases, prior to using patients’ PHI for research, individual authorizations must be obtained from patients in writing. Without a valid authorization from a patient, their PHI can only be used or disclosed for purposes permitted by the Privacy Rule.

The new guidance explains the content that must be included in individual authorizations to meet HIPAA requirements.

OCR explains that individual authorizations must:

  • Be written in plain language to ensure they can be easily understood;
  • Include, in a specific and meaningful fashion, a description of the information that will be used and disclosed;
  • Include the names of the persons authorized to disclose and receive the information;
  • Include a description of the purpose of the requested use or disclosure; and
  • Include an expiration date or expiration event after which the authorization will be invalid.

In addition, the individual authorization must make clear the following rights of the individual:

  • The right to revoke authorization in writing and any exceptions to that right;
  • Details of how that right can be exercised;
  • The ability or inability to condition treatment, payment, enrollment, or eligibility for benefits on the authorization; and
  • The potential for information disclosed in accordance with the authorization to be redisclosed by the recipient and no longer be protected by the HIPAA Privacy Rule.

There has been some confusion about the content of individual authorizations with respect to future research, which may not have been determined at the time that the authorization is obtained. In such situations, it may not be possible to meet the requirement to describe ‘each purpose’ for which PHI will be used or disclosed.

OCR has clarified that in such situations, specific future uses do not need to be described. Instead, to comply with 45 CFR § 164.508(c)(1)(iv) “the authorization must adequately describe such purposes such that it would be reasonable for the individual to expect that his or her protected health information could be used or disclosed for such future research.”

OCR also clarifies the requirement to include “an expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure,” and explains it is sufficient “to state ‘end of the research study,’ ‘none,’ or similar language,” such as when the PHI will be included in the creation and maintenance of a research database or study repository. It is also permitted to state, “the authorization will remain valid unless and until it is revoked by the individual.”

While patients are given the right to revoke an authorization in writing at any time, there will be situations when exercising that right will not stop the individual’s PHI from being used in a particular research study. Patients should be made aware of this when giving their authorization.

“A covered entity may continue to use and disclose PHI that was obtained before the individual revoked authorization to the extent that the entity has taken action in reliance on the authorization,” explains OCR. “In cases where the research is conducted by the covered entity, the exception to revocation would permit the covered entity to continue using or disclosing the PHI to the extent necessary to maintain the integrity of the research—for example, to account for a subject’s withdrawal from the research study, to conduct investigations of scientific misconduct, or to report adverse events.”

OCR explains that it is not necessary for periodic reminders about the right to revoke authorization to be sent to patients as patients must be provided with a copy of the signed authorization in which their rights will be explained. However, covered entities are encouraged to implement procedures for revocation of authorizations such as creating a standard revocation form or adding current authorizations to a patient portal and allowing revocations to be submitted through that portal.

OCR’s Guidance on Individual Authorization of Uses and Disclosures of PHI for Research can be downloaded on this link (PDF).

More than 90% of Hospitals and Physicians Say Mobile Technology is Improving Patient Safety and Outcomes

90% of hospitals and 94% of physicians have adopted mobile technology and say it is helping to improve patient safety and outcomes, according to a recent survey conducted by Black Book Research.

The survey was conducted on 770 hospital-based users and 1,279 physician practices between Q4, 2017 and Q1, 2018.

The survey revealed 96% of hospitals are planning on investing in a new clinical communications platform this year or have already adopted a new, comprehensive communications platform.

85% of surveyed hospitals and 83% of physician practices have already adopted a secure communication platform to improve communications between care teams, patients, and their families. Secure text messaging platforms are fast becoming the number one choice due to the convenience of text messages, the security offered by the platforms, and the improvements they make to productivity and profitability.

98% of hospitals and 77% of physician practices said they have implemented secure, encrypted email and are using intrusion detection systems to ensure breaches are detected rapidly.

Many providers of secure text messaging solutions have developed their platforms specifically for the healthcare industry. The platforms incorporate all the necessary safeguards to meet HIPAA requirements and ensure PHI can be transmitted safely and securely. Text messaging is familiar to almost all employees who are provided access to the platforms and they make communication quick and easy.

However, 63% of respondents to the survey said they are still facing ongoing challenges with buy-in of general mobile adoption strategies and related enterprise technology execution.

30% of respondents said that even though secure methods of communication have been implemented such as encrypted text messaging platforms and secure email, they are still receiving communications on a daily basis from unsecured sources that contain personally identifiable information such as patients’ names and birthdates.

Part of the study involved an assessment of cybersecurity and privacy software and services, allowing the company to identify the vendors that are most highly regarded by customers. TigerText, the market leading provider of secure text messaging solutions for the healthcare industry, was rated highly across the board, as were Vocera, Spok, Doc Halo, and Imprivata.

Doc Halo was the highest rated secure communications platform provider among physician organizations, with Perfect Serve, Patient Safe Solutions, OnPage, Telemediq, and Voalte also scoring highly. Spok ranked highest among hospital systems and inpatient organizations, with Qlik and Cerner also receiving high marks.

“Stakeholders across the healthcare industry are in the quest of finding solutions to use comprehensive real-time data and connectivity cleverly to advance patient safety, productivity and profitability,” said Doug Brown, president of Black Book Market Research. “Organizations are adopting secure text messaging platforms because texts are convenient, as well.”

Colorado Governor Signs Data Protection Bill into Law

Colorado Governor John Hickenlooper has signed a bill – HB 1128 – into law that strengthens protections for consumer data in the state of Colorado. The bipartisan bill, sponsored by Reps. Cole Wist (R) and Jeff Bridges (D) and Sens. Kent Lambert (R) and Lois Court (D), was unanimously passed by the Legislature. The bill will take effect from September 1, 2018.

The bill requires organizations operating in the state of Colorado to implement reasonable security measures and practices to ensure the personal identifying information (PII) of state residents is protected. The bill also reduces the time for notifying the state attorney general about breaches of PII and introduces new rules for disposing of PII when it is no longer required.

Personal information is classed as first name and last name or first initial and last name in combination with any of the following data elements (when not encrypted, redacted, or secured by another means that renders the information unreadable):

  • Social Security number
  • Student ID number
  • Military ID number
  • Passport number
  • Driver’s license number or ID card number
  • Medical information
  • Health insurance ID number
  • Biometric data
  • Email addresses in combination with passwords or security Q&As
  • Financial account numbers, and credit cards and debit cards with associated security codes that would permit access/use

Reasonable Security Measures Must be Implemented

Covered entities will be required to implement and maintain “Reasonable security procedures and practices that are appropriate to the nature of the personal identifying information and the nature and size of the business and its operations.” Those measures should protect PII from unauthorized access, modification, disclosure, and destruction. In cases where PII is passed to a third party, the covered entity must ensure the third party also has reasonable security measures in place.

A written policy must be developed by all businesses that maintain the personal information of Colorado residents covering the disposal of that information when it is no longer required. Electronic data and physical documents containing PII must be disposed of securely. The bill suggests “Shredding, erasing, or otherwise modifying the personal identifying information in the paper or electronic documents to make the personal identifying information unreadable or indecipherable through any means.”

30-Day Maximum Time Limit for Issuing Breach Notifications

When the bill was first introduced, it required the state attorney general to be notified of a breach of PII within 7 days of discovery. Such a short time frame for issuing notifications can help to ensure prompt action is taken to prevent harm or loss, although such a short time frame means notifications would need to be issued before it would be possible, in many cases, to determine whether there had been any misuse of data. This requirement of the bill attracted considerable criticism from large businesses operating in Colorado.

After careful consideration, this requirement was amended and the time limit for issuing notifications has been extended to 30 days following the discovery of the breach. Even so, this makes the notification requirements the strictest of any state. The state attorney general only needs to be notified of the breach if it has impacted more than 500 Colorado residents. Regardless of the scale of the breach, affected individuals must be notified within 30 days.

HIPAA-covered entities should note that the 30-day time limit will apply even though HIPAA allows up to 60 days to issue notifications. HIPAA-covered entities and entities covered by the Gramm-Leach-Bliley Act are not exempt.

Breach notices are required for any security breach that exposes personal information, except a good faith acquisition of personal information by an employee or agent of a covered entity if the information is not used for a purpose unrelated to the lawful operation of the business and if that information is not subject to further unauthorized disclosure.

A notice must also be placed on the website of the breached entity and a notification issued to statewide media.

Could Law Firms Targeting Patients in ER Rooms Using Geofencing Technology Violate HIPAA?

Questions are being raised about whether HIPAA Rules are being violated when attorneys send text messages and push notifications to patients who have visited emergency rooms and other medical facilities using geofencing technology.

Marketers are using a range of clever tactics to sell products and services, such as remarketing – the displaying of advertisements on websites to individuals who have previously viewed products on another website but not made a purchase.

Similarly, the use of geofencing is growing in popularity. Geofencing is the creation of a digital fence around a specific location. When an individual crosses that invisible boundary, a push notification is sent to the user’s mobile phone. That location could be a store or any location. Retailers have been using the technology for some time, Google sends push notifications based on location, and now attorneys are getting in on the act.

This tactic of targeting specific individuals is being offered by at least one digital marketing firm and the service is being offered to attorneys. In this case the geofence is around healthcare facilities, specifically emergency rooms. When an individual enters the ER, they are sent a push notification through their phone offering them legal assistance.

NPR reports that Tell All Digital, a New York marketing firm, has been offering this service to law firms and there is no shortage of takers. It is one of the biggest growth areas for the firm and lawyers from several states are trialling the marketing tactic.

The benefits to attorneys are clear. The technology allows the attorney to be virtually in an Emergency Room or healthcare facility targeting individuals who have more than likely been injured. They are sent advertisements about the option of making a personal injury claim. While only a percentage of patients will have a valid claim, it certainly improves the odds of finding a prospective client.

As with remarketing, an individual can be targeted with adverts for a set period after the visit. Potentially ads or messages could be received for up to a month after a visit to an emergency room, according to the NPR report.

While it is certainly an innovative way for attorneys to find clients that have a higher than average chance of qualifying for a personal injury claim, many view this as an invasion of privacy. But could this also constitute a violation of HIPAA?

HIPAA Rules apply to healthcare providers, health plans, healthcare clearinghouses and business associates of HIPAA covered entities. While attorneys can certainly be business associates, HIPAA Rules would be unlikely to apply in this case.

HIPAA covered entities are not supplying any protected health information. The only information that is being supplied is the fact that an individual is in a medical facility, and that information is not passed over by any healthcare company.

While this tactic may not be a violation of HIPAA Rules, it could certainly violate state laws or federal laws other than HIPAA. NPR cites a settlement that was reached last year over similar tactics used by an advertising company to target women who had visited reproductive healthcare facilities. In that case, Copley Advertising set geofences around reproductive health centers and methadone clinics. Individuals who entered those geofenced areas were sent messages such as ‘Pregnancy Help’, ‘You Have Choices’, and ‘You Are Not Alone’, with the clients including a Christian pregnancy counselling and adoption agency.

Massachusetts’ attorney general Maura Healey took action and reached a settlement with the advertising agency over potential violations of state consumer protection laws, which the use of geofencing allegedly violated. Under the settlement, Copley was prohibited from using geofencing technology in the state of Massachusetts at or near healthcare facilities to infer the health status or medical conditions of individuals. Healey claimed the actions were tantamount to digital harassment.

Whether the practice violates state laws is open to interpretation, although as the practice appears to be gaining momentum, regulators may have to step in, certainly with respect to visits to healthcare facilities.

While this may not be a matter for the HHS to deal with, it could be dealt with at the state level or it is possible this is more in the realm of the Federal Trade Commission. However, whether the practice actually violates any laws is unclear. What is clear is that unless action is taken, the practice will continue, and its popularity will likely grow.

Aetna Files Further Lawsuit in an Attempt to Recover Costs from 2017 HIV Status Privacy Breach

There have been further developments in the ongoing legal battles over a 2017 privacy breach experienced by Aetna involving the exposure of patients’ sensitive health information. A further lawsuit has been filed by the insurer in an attempt to recover the costs incurred as a result of the breach.

Ongoing Legal Battles Over the Exposure of Patients’ HIV Statuses

In 2017, the health insurer Aetna experienced a data breach that saw highly sensitive patient information impermissibly disclosed to other individuals. A mailing vendor sent letters to patients using envelopes with clear plastic windows and information about HIV medications was allegedly visible. The mailings related to HIV medications used to treat patients who had already contracted HIV and individuals who were taking drugs as pre-exposure prophylaxis. Approximately 12,000 patients received the mailing.

Lawsuits were filed on behalf of patients whose HIV positive status was impermissibly disclosed, which were settled in January for $17.2 million. A settlement was agreed with the New York state attorney general for a further $1.15 million to resolve the privacy violations.

Following on from those settlements, Aetna attempted to recover the cost of the settlements from Kurtzman Carson Consultants, the administrator who allegedly directed the mailing vendor to send the letters to patients that exposed their PHI. Aetna maintains that Kurtzman Carson Consultants did not communicate to Aetna that the mailing was being sent using windowed envelopes. The lawsuit is ongoing.

Further Lawsuit Filed Against Two Firms Representing Breach Victims

Now a lawsuit has been filed by Aetna against the law firm Whatley Kallas and the Californian advocacy group Consumer Watchdog in an attempt to recover at least part of the $20 million in settlements already paid. Consumer Watchdog and Whatley Kallas represented patients in a previous case that led to the sending of the notification letters that exposed patients’ sensitive information.

The privacy breach that led to the $20 million settlement occurred in response to a previous privacy incident that Aetna was sued over. That initial privacy breach related to a requirement for patients who had been prescribed HIV medication to receive the drugs by mail rather than collecting them in person. Since the drugs need to be kept refrigerated, and are dispatched in refrigerated containers, it was alleged that this would violate patients’ privacy as it would be clear to neighbors and co-workers that HIV drugs were being delivered.

The latest lawsuit alleges the plaintiffs were responsible for requiring Aetna to send sensitive information to Kurtzman Carson Consultants, which Aetna was against, and that after that information was passed to Kurtzman Carson Consultants, the plaintiffs failed to ensure the confidential information was protected.

Whatley Kallas had recommended using Kurtzman Carson Consultants, and Consumer Watchdog was involved to make sure Aetna made good on its promise to change the requirements for patients to have the drugs sent by mail.

Harvey Rosenfield and Jerry Flanagan of Consumer Watchdog explained to Reuters that they “edited the text of the letter to make sure we held Aetna’s feet to the fire,” but did not receive any protected health information and were not aware that windowed envelopes were being used. They maintain Aetna is making “frivolous claims.”

“If Aetna believes that an attack on lawyers for Consumer Watchdog and Whatley Kallas LLP will be a cost-free exercise in retaliation, it is deeply mistaken,” wrote Rosenfield and Flanagan in a letter to the insurer, concluding “Aetna would be well advised to focus on remediation of its privacy practices on a nationwide basis as we are seeking in this action, instead of pursuing abusive and retaliatory tactics that seek to evade liability for its own failings and suggest that Aetna still does not take responsibility for ensuring that its customers’ private medical information is protected.”

While this may appear to be a case of passing the buck at face value, the case is not as frivolous as it may sound. According to Aetna, the law firm representing the plaintiffs in the original case were allegedly party to a proposal that stated windowed envelopes were going to be used, but the law firm failed to raise a red flag.

OCR Reminds Covered Entities Not to Overlook Physical Security Controls

The Department of Health and Human Services’ Office for Civil Rights (OCR) has reminded covered entities that HIPAA not only requires technical controls to be implemented to ensure the confidentiality, integrity, and availability of protected health information, but also appropriate physical security controls.

Physical controls are often the simplest and cheapest forms of protection to keep PHI private and confidential, yet these security controls are often overlooked. Some physical security controls cost nothing – such as ensuring portable electronic devices (laptop computers, portable storage devices, and pen drives) are locked away when they are not in use.

While this is a very basic form of security, it is one of the most effective ways of preventing theft and one that can prove incredibly costly if overlooked. OCR draws attention to a 2015 HIPAA breach settlement with Lahey Hospital and Medical Center. An unencrypted laptop computer was stolen from the Tufts Medical School affiliated teaching hospital, resulting in the exposure of 599 patients’ ePHI.

The laptop computer was used in connection with a computerized tomography (CT) scanner. The laptop was in an unlocked treatment room off an inner corridor of the radiology department. Lahey Hospital settled the case for $850,000, a high price to pay for failing to implement a free physical security control.

In 2014, QCA Health Plan agreed to settle potential HIPAA violations with OCR for $250,000. QCA Health Plan failed to implement physical safeguards for all workstations to restrict access to ePHI to authorized users only. In that case, the workstation was an unencrypted laptop computer that was stolen from the vehicle of an employee.

In 2012, Massachusetts Eye and Ear Infirmary (MEEI) settled a HIPAA violation case with OCR for $1.5 million. This was another case of an unencrypted laptop computer being stolen that resulted in the impermissible disclosure of ePHI.

In 2016, OCR settled potential HIPAA violations with Feinstein Institute for Medical Research for $3.9 million. Feinstein Institute had failed to physically secure a laptop computer containing the ePHI of 13,000 patients. The device was also stolen from the vehicle of an employee.

In July 2016, University of Mississippi Medical Center settled a case with OCR for $2,750,000. An unencrypted laptop computer containing the ePHI of an estimated 10,000 patients was stolen from its Medical Intensive Care unit.

HIPAA requires covered entities and their business associates to implement “physical safeguards for all workstations that access ePHI to restrict access to authorized users.” Workstations include desktop computers, laptops, and other computing devices including portable storage devices, smartphones, and tablets.

It is up to HIPAA-covered entities and their business associates to decide on the most appropriate physical security controls to implement, which should be based on their risk analyses and risk management process.

Common physical security controls used to secure electronic devices and ePHI include:

  • Positioning desks to ensure screens cannot be easily viewed by anyone other than the user of a workstation
  • Privacy screens to prevent shoulder surfing
  • Cable locks to prevent electronic devices containing ePHI from being stolen
  • The use of security cameras to deter theft of electronic devices and physical PHI
  • Use of signage to remind employees about the need to use physical security controls
  • Use of port and device locks to prevent CD/DVD drives and USB connections from being used on workstations to copy ePHI and install unauthorized software.

The importance of preventing the use of USB drives by staff was highlighted in a recent study by Dtex Systems into insider threats. While the study was not conducted specifically on healthcare organizations, it did reveal that 90% of the risk assessments conducted on its customers and prospective customers revealed employees were transferring data to unencrypted USB devices.

As OCR explained in its May 2018 cybersecurity newsletter, “While the latest security solutions to combat new threats and vulnerabilities get much deserved attention, appropriate physical security controls are often overlooked. Yet physical security controls remain essential and often cost-effective components of an organization’s overall information security program.”

The post OCR Reminds Covered Entities Not to Overlook Physical Security Controls appeared first on HIPAA Journal.

CMS Urged to Aggressively Enforce Compliance with HIPAA Administrative Simplifications

The Department of Health and Human Services’ Office for Civil Rights is the primary enforcer of HIPAA Rules and has issued numerous financial penalties for HIPAA violations in response to complaints and data breaches. State attorneys general are also permitted to fine HIPAA-covered entities when violations of HIPAA Rules are discovered, and several state attorneys general have exercised that right. While the HHS’ Centers for Medicare & Medicaid Services is mandated to assist OCR with the enforcement of HIPAA Rules related to compliance with the HIPAA Administrative Simplifications, to date the CMS has not issued any fines.

The Medical Group Management Association (MGMA) believes that should change and the CMS should start enforcing compliance with HIPAA Rules that aim to reduce the administrative burden on healthcare providers.

In a recent letter to CMS, the MGMA explained it has received many complaints from members related to the failure of health plans to comply with HIPAA and ACA administrative simplification requirements. The lack of enforcement activity by the CMS in this area means there is no incentive for health plans to comply with the requirements relating to mandated transactions, national identifiers, code sets, and operating rules.

The letter, written by Anders Gilberg, MGA, Senior Vice President, Government Affairs, was submitted in response to a call for comments on the CMS complaint form. While comments specific to the complaint form were included in the letter, the MGMA also took it as an opportunity to criticize the CMS HIPAA administrative simplification enforcement process.

The CMS complaint form allows physician practices to formally file complaints against healthcare clearinghouses and health plans and notify CMS about HIPAA violations, although little action appears to be taken in response to those complaints.

MGMA explained in the letter that many health plans are not supporting national standards. Use of X12 270/271 (Eligibility & Benefit Verification) remains below 80%, X12 835 (Remittance Advice) is around 56%, use of the Electronic Funds Transfer transaction for payments has fallen from 62% to 60%, and use of the X12 278 (Prior Authorization) transaction has fallen from 18% to 8%.

MGMA notes that health plans are also trying to move providers away from using HIPAA standards to online portals. While there are benefits to the use of online portals, MGMA notes that “proprietary portals create a manual workflow process for providers and decreased revenue cycle automation.”

MGMA suggests CMS should step up its enforcement efforts to encourage health plans to comply with the HIPAA and ACA administrative simplification regulations. OCR has conducted HIPAA compliance audits, investigated complaints, and issued multiple fines. Those fines are clearly communicated to the industry through news posts and press releases, making it clear that non-compliance will not be tolerated. OCR’s enforcement activities motivate HIPAA-covered entities to step up their efforts to comply with HIPAA Rules and also encourage individuals to report violations knowing that action will be taken.

“Health plans and clearinghouses unable or unwilling to support the administrative simplification standards and operating rules force providers to employ manual methods such as phone calls, facsimiles, and web portals, thus diverting scarce provider resources away from patient care,” wrote MGMA. Potentially millions of dollars in savings opportunities are going unrealized.

MGMA suggests CMS should implement random audits of health plans and healthcare clearinghouses to assess compliance with the Administrative Simplifications, publish the names of covered entities that fail CMS audits, and list fines and corrective action plans that have been issued. MGMA also suggests the CMS should halt the voluntary Optimization Pilot for Administrative Simplification Transactions as it is likely to delay the commencement of an effective compliance-based audit program.


OCR Plans to Share HIPAA Violation Settlements with Breach Victims

The Health Information Technology for Economic and Clinical Health (HITECH) Act was enacted in 2009 and includes a provision that calls for the Department of Health and Human Services to share a percentage of HIPAA settlements with victims of HIPAA violations and data breaches.

This month has seen some progress in that area. The Department of Health and Human Services’ Office for Civil Rights has announced it is planning on issuing an advance notice of proposed rulemaking in November about sharing a percentage of the fines it collects through its HIPAA enforcement activities with the victims of data breaches.

OCR officials have previously made it clear that steps will be taken to meet the requirements of this HITECH provision, but little progress has been made. This is not the first time that OCR has announced it plans to issue an advance notice of proposed rulemaking on the matter, only for the notice to be delayed.

If OCR follows through on its plans this fall, feedback will be sought from the public and industry stakeholders on how it can achieve that aim and the methodology that should be employed.

One thing is clear: such a step would certainly be a challenge. How would OCR decide on the percentage of any HIPAA settlement or fine that should be paid to the victims of HIPAA violations and data breaches, and how would it be possible to share the money fairly between affected patients?

Should every individual affected by a violation/breach receive an equal share of any settlement or should the amount received be determined by the type of PHI that has been exposed or the level of harm caused? In the case of the latter, how would it be possible to quantify harm and ensure appropriate payments are made?

Settlements to resolve HIPAA violations are not only determined by the number of individuals affected and the severity of the violation. OCR also takes the ability of a covered entity to pay a penalty into account. The amount paid to breach victims of virtually carbon-copy HIPAA violations at different covered entities would likely be vastly different.

The more people impacted by a data breach, the less the share would likely be for affected individuals. For example, New York Presbyterian Hospital settled HIPAA violations with OCR for $2,200,000 in 2016 and MAPFRE Life Insurance Company of Puerto Rico settled its case with OCR for the same amount. The NYPH settlement resolved violations that affected a handful of patients, whereas the MAPFRE breach impacted 2,200 individuals. If the percentage were fixed, the relative payments would differ considerably.

Potentially, HIPAA financial penalties could significantly increase if a percentage of funds is given to breach victims to ensure patients get a reasonable payment, especially for HIPAA violations and data breaches where considerable harm has been caused: for example, the unauthorized disclosure of a patient’s HIV-positive status, or breaches where patients’ PHI has clearly been obtained by identity thieves and used for malicious purposes.

The methodology used would have to be very carefully considered to ensure funds are shared fairly. Even if the advance notice of proposed rulemaking is issued in November, it is likely to be some time before a fair methodology is decided and any payments are made.

OCR has also proposed other rules that could see HIPAA Rules modified in the near future. OCR has proposed a change to the HIPAA Privacy Rule provision requiring healthcare providers to obtain acknowledgment from patients of receipt of the notice of privacy practices. Currently, healthcare providers are required to make a good faith effort to obtain written acknowledgments from patients, or must explain why acknowledgments have not been obtained. That requirement could well be removed.

Feedback will also be sought from the public on modifications to the HIPAA Privacy Rule to incorporate the accounting of protected health information disclosures of the HITECH Act, which has not yet been implemented due to the perceived cost to healthcare organizations.

OCR also proposes a change to the HIPAA Privacy Rule – Presumption of Good Faith of HealthCare Providers – that would “clarify that healthcare providers are presumed to be acting in the individual’s best interests when they share information with an incapacitated patient’s family members unless there is evidence that a provider has acted in bad faith.”
