Latest HIPAA News

Lack of Security Awareness Training Leaves Healthcare Organizations Exposed to Cyberattacks

A recent study conducted by the Ponemon Institute on behalf of Merlin International has revealed healthcare organizations are failing to provide sufficient security awareness training to their employees, which is hampering efforts to improve security posture.

Phishing is a major security threat and the healthcare industry is being heavily targeted. Phishing offers threat actors an easy way to bypass healthcare organizations’ security defenses. Threat actors are now using sophisticated tactics to evade detection by security solutions and get their emails delivered. Social engineering techniques are used to fool employees into responding to phishing emails and disclose their login credentials or install malware.

Phishing is used in a high percentage of cyberattacks on healthcare organizations. Research conducted by Cofense (formerly PhishMe) suggests as many as 91% of cyberattacks start with a phishing email. While security solutions can be implemented to block the majority of phishing emails from being delivered to end users’ inboxes, it is not possible to block 100% of malicious emails. Security awareness training is therefore essential.

Healthcare employees should be trained how to recognize phishing emails and how to respond when potentially malicious messages are received. Training should be provided to help eliminate risky behaviors and teach cybersecurity best practices. The failure to provide sufficient training leaves healthcare organizations at risk of attack.

The Ponemon/Merlin International study of 627 healthcare executives in the United States suggests healthcare organizations are not doing enough to improve security awareness and develop a security culture. More than half of respondents (52%) said the lack of security awareness was affecting their organization’s security posture.

The Merlin International report, 2018 Impact of Cyber Insecurity on Healthcare Organizations, revealed 62% of respondents have experienced a cyberattack in the past 12 months, with half of those incidents resulting in the loss of healthcare data. Poor security awareness is contributing to a high percentage of those breaches.

When asked about the biggest concerns, there was an equal split between external attacks by hackers and internal breaches due to errors and employee negligence – 63% and 64% respectively.

The main threats to the confidentiality, integrity, and availability of healthcare data were perceived to be unsecured medical devices (78%), BYOD (76%) and insecure mobile devices (72%).

57% of respondents felt use of the cloud, mobile, and IoT technologies has increased the number of vulnerabilities that could be exploited to gain access to healthcare data. 55% of respondents said medical devices were not included in their cybersecurity strategy and the continued use of legacy systems was seen to be a security issue by 58% of respondents.

Even though 62% of organizations have experienced a data breach in the last year and it is a requirement for HIPAA compliance, 51% of organizations have not developed an incident response program that allows them to rapidly respond and remediate breaches.

Staffing was seen to be the biggest roadblock preventing organizations from improving their security posture. 74% believed a lack of suitable staff was a major issue hampering efforts to improve cybersecurity. 60% of respondents do not believe they have the right cybersecurity qualifications in house and only 51% of surveyed organizations have appointed a CISO.

“Healthcare organizations must get even more serious about cybersecurity to protect themselves and their patients from losing access to or control of the proprietary and personal information and systems the industry depends on to provide essential care,” said Brian Wells, Director of Healthcare Strategy at Merlin International.

The post Lack of Security Awareness Training Leaves Healthcare Organizations Exposed to Cyberattacks appeared first on HIPAA Journal.

Virtua Medical Group Fined $418,000 for Violations of HIPAA and New Jersey Law

Virtua Medical Group – a network of physicians affiliated with over 50 medical practices in New Jersey – has been financially penalized by the New Jersey Attorney General’s Office for failing to protect the privacy of more than 1,650 patients whose medical information was accessible online without the need for any authentication.

The electronic protected health information was exposed as a result of a misconfigured server. The error occurred at a business associate of the medical group – Best Medical Transcription – which had been provided with audio files to transcribe medical notes.

Best Medical Transcription was contracted to transcribe dictations of medical notes, reports, and letters from three New Jersey medical practices: Virtua Pain and Spine Specialists in Voorhees, Virtua Gynecological Oncology Specialists, and Virtua Surgical Group in Hainesport.

The transcribed notes were uploaded to a password-protected FTP website; however, in January 2016, during a software upgrade on the FTP server, the password protection was accidentally removed, allowing patient data to be accessed by anyone without the need for authentication.

Further, the content of the FTP server was indexed by search engines and could be found by typing in search terms contained in the notes. For example, typing in a patient’s name would allow the information to be found, which happened on at least one occasion. A patient found portions of her medical records online after performing a Google search.

The types of information exposed included names, medical diagnoses, and prescriptions of as many as 1,654 patients who had previously received medical services at one of the three medical centers.

When the privacy breach was discovered, Best Medical Transcription reinstated the password protection on the FTP server, although caches of the information remained accessible online and could still be found by performing a Google search. The password was reinstated on January 15, 2016, although a week later, Virtua Medical Group received a call from a patient whose daughter’s medical records were still accessible online.

At that point, while Best Medical Transcription was aware of the lack of password and a potential breach, it had not notified Virtua Medical Group that data had been exposed. The investigation by Virtua Medical Group revealed 462 patients’ records had been indexed by the search engines. Virtua Medical Group submitted individual requests to Google to have the information taken down and patients were notified about the breach in March.

An investigation into the breach by the New Jersey Division of Consumer Affairs revealed there had been multiple failures to comply with Health Insurance Portability and Accountability Act (HIPAA) requirements. While the breach affected a business associate of Virtua Medical Group, it was the medical group that was penalized.

The Division of Consumer Affairs alleged there had been a failure to conduct a comprehensive risk analysis to identify threats to the confidentiality, integrity, and availability of ePHI and insufficient security protections had been implemented to reduce risk.

A security awareness and training program had not been implemented for the entire workforce, there were unacceptable delays in identifying and responding to the breach, no procedures had been established and implemented to create retrievable exact copies of the ePHI maintained on the FTP site, no written log of the number of times the FTP site was accessed had been maintained, and there had been an impermissible disclosure of patients’ ePHI.

Those errors and oversights constituted violations of the HIPAA Privacy and Security Rules and the New Jersey Consumer Fraud Act.

In addition to the financial penalty of $407,184 and $10,632 to reimburse attorney’s fees and investigation costs, Virtua Medical Group has agreed to implement a robust corrective action plan which includes hiring a third-party security professional to perform a comprehensive risk analysis relating to the storage, transmission and receipt of ePHI and to perform further risk assessments every two years.


Patient Guidebook on Health Record Access Published by ONC

A new patient guidebook on health record access has been published by the Department of Health and Human Services’ Office of the National Coordinator for Health IT (ONC). The guidebook explains how patients can access their health data, offers tips for checking health records and correcting mistakes, and explains how patients can use their health records and share their health data.

The HIPAA Privacy Rule gave patients the right to obtain copies of health information held by their providers, yet even though the Privacy Rule became effective on April 14, 2001, many Americans are still not aware of their right to access their health data or how they can do so.

Improving patient access to health data is a top priority for the HHS and ONC. In 2016, ONC released a series of videos for patients in which their right to access their own health data was explained. The latest guidebook takes that guidance a step further and serves as a practical guide to obtaining copies of electronic health data to make the process as easy as possible.

The ONC Guide to Getting and Using your Health Data is part of the ONC’s MyHealthEData initiative, which aims to improve patient engagement in their own healthcare and supports the 21st Century Cures Act goal of improving access to electronic health information.

“It’s important that patients and their caregivers have access to their own health information so they can make decisions about their care and treatments,” said Don Rucker, M.D., national coordinator for health information technology. “This guide will help answer some of the questions that patients may have when asking for their health information.”

While patients have the right to access their health data, many still face challenges getting access. One of the aims of the new online document is to explain how patients can overcome those challenges. One of those challenges is resistance from healthcare providers when patients request electronic copies of their health data.

By making sure patients are aware of their rights, if they encounter resistance from a provider – or health plan – they will be able to clearly explain their rights and will be empowered to overcome that resistance.

Ensuring patients can easily access their health record is only part of the problem. Many patients do not understand why they should view their health record and the importance of doing so. The guidebook helps to explain the benefits and why it is important to take a more active role in their own healthcare.

Figures recently released by ONC show that while 52% of patients have been offered access to their health records online, only half of those patients viewed their health record, equivalent to 28% of Americans.

When patients were asked why they did not view their medical record when they could do so online, 76% said they preferred to speak with their provider directly and 59% did not have a need to use their online record.

ONC’s figures show that when patients are encouraged to view their health data by their providers they are more likely to do so. 63% of patients who were encouraged to access their medical record online did so compared to just 38% who were not encouraged to check. Healthcare providers can therefore play a big part in improving patient engagement. The new guidebook will also help in that regard.

The guidebook also offers practical advice on the use of health apps and other technologies that can help patients manage their health data and improve their health.


Alabama Governor Enacts Data Breach Notification Act

Alabama has become the 50th state to require companies to issue breach notifications to individuals whose personal information has been exposed or compromised as a result of a data breach. Governor Kay Ivey signed the act into law on March 28. The effective date is May 1, 2018.

The data breach notification law has taken a long time to be enacted, but Alabama residents will now have some of the best protections in the country, as the law is one of the strictest introduced in any state.

While every state now has a data breach notification law that requires notifications to be issued to all individuals impacted by a data breach, only 28% of U.S. states – including Alabama – also require ‘covered entities’ to maintain reasonable security measures to protect the confidentiality of sensitive personally identifying information of state residents. Service providers must also be contractually required to maintain appropriate safeguards.

Sensitive personally identifying information is classed as a state resident’s first name or first initial and last name in combination with any of the following data elements:

  • A non-truncated Social Security or tax-identification number
  • A non-truncated driver’s license, passport, or other government identification number
  • A financial account number combined with security/access code, password, PIN or expiration date necessary to access or enter into a transaction that will “credit or debit the account”
  • An individual’s medical history, mental/physical condition, medical treatment/diagnosis by a health care professional, health insurance policy/subscriber number, or other insurance identifier
  • A user name or email address combined with a password or security question/answer permitting access to an online account affiliated with the covered entity that is reasonably likely to contain or is used to obtain sensitive personally identifying information

The Data Breach Notification Act requires at least one employee to be designated to coordinate data security measures. Covered entities must determine ‘reasonable security measures’ by means of a risk assessment covering internal and external threats. Appropriate safeguards must then be implemented to address identified risks and reduce them to a reasonable level. The measures introduced must be reevaluated and adjusted when circumstances change.

When personal information is no longer required, covered entities must take reasonable steps to ensure the information is permanently destroyed.

In the event of a breach of personal information, the covered entity must conduct a “good faith and prompt investigation” to determine the nature and scope of the breach, the types of sensitive personally identifying information involved, the likelihood of the information being acquired by an unauthorized individual, and whether the acquisition of sensitive personally identifying information is likely to cause substantial harm. The covered entity must also ensure measures are introduced to restore the security of its systems after a breach has occurred.

Data breach notifications must be issued to all individuals impacted by the breach “without unreasonable delay” and no later than 45 days after the discovery of a breach of sensitive personally identifying information.

The breach notice must include the date – or estimated date – of the breach, the type of information exposed or stolen, a general description of remedial measures taken by the covered entity in response to the breach, and a list of actions that individuals can take to protect themselves against identity theft and fraud. Contact information must also be supplied to allow individuals to find out more about the breach should they wish to do so.

In addition to personal notifications, the Alabama state attorney general must also be notified of a breach within 45 days if it impacts more than 1,000 individuals.

HIPAA covered entities should note that they are not deemed to be in compliance with the Alabama Data Breach Notification Act by complying with HIPAA Rules.

Any entity that violates the Alabama Data Breach Notification Act will be subject to penalties for an unlawful trade practice under the Alabama Deceptive Trade Practices Act, although a violation would not be classed as a criminal offense. The maximum civil monetary penalty is $5,000 for each day past the 45-day deadline for issuing data breach notifications. The maximum civil monetary penalty for violations of the Act is $500,000.


Verizon PHI Breach Report Confirms Healthcare Has Major Problem with Insider Breaches

Verizon has released its annual Protected Health Information Breach Report which delves deep into the main causes of breaches, why they occur, the motivations of internal and external threat actors, and the main threats to the confidentiality, integrity, and availability of PHI.

For the report, Verizon analyzed 1,368 healthcare data breaches and incidents where protected health information (PHI) was exposed but not necessarily compromised. The data came from 27 countries, although three quarters of the breached entities were based in the United States where there are stricter requirements for reporting PHI incidents.

In contrast to all other industry sectors, the healthcare industry is unique as the biggest security threat comes from within. Insiders were responsible for almost 58% of all breaches with external actors confirmed as responsible for just 42% of incidents.

The main reason for insider breaches is financial gain. PHI is stolen to commit identity theft, credit card fraud, insurance fraud, and tax fraud. Verizon determined that 48% of all internal incidents were conducted for financial gain. 31% involved accessing medical data out of curiosity or for fun, 10% of incidents were attributed to easy access to data, with 3% of incidents occurring due to a grudge and a further 3% for espionage. External attacks are primarily conducted for financial gain – extortion and the theft and sale of data.

Verizon also looked at the actions that lead to PHI incidents and data breaches, with the most common problem being errors. Errors were behind 33.5% of incidents within this category, which included the misdelivery of emails and mailings, errors made disposing of PHI, publishing errors, loss of PHI, misconfigurations, programming mistakes and data entry errors. The main incident cause was misdelivery of documents, which accounted for 20% of all incidents in the error category.

The second biggest breach category is misuse, accounting for 29.5% of all incidents. 66% of incidents in this category were attributed to privilege abuse – accessing records without authorization. Data mishandling was behind 21.6% of incidents and possession abuse – the misuse of access to physical records – was behind 16.9% of incidents in the misuse category.

The physical category includes theft of records and devices, snooping, tampering, disabled controls, and surveillance. 16.3% of all healthcare PHI incidents were placed in this category, with theft accounting for 95.2% of all incidents. The theft of laptops was the main incident type. Almost half (47%) of laptop theft incidents involved the devices being taken from employees’ vehicles. The use of encryption would prevent the majority of these incidents from exposing PHI.

Hacking may make the headlines, but it accounted for relatively few breaches – just 14.8% of all healthcare PHI incidents were placed in this category. The main cause of breaches in the hacking category was the use of stolen credentials (49.3% of incidents), with credentials often stolen via phishing attacks. Brute force attacks taking advantage of weak passwords were behind 20.9% of incidents. 17.9% of hacking breaches involved the use of backdoors.

Malware was involved in 10.8% of all PHI incidents. While there were a wide range of malware types and variants used in attacks, by far the biggest category was ransomware, which accounted for 70.5% of attacks.

Social attacks accounted for 8% of all incidents. This category involves attacks on employees. Phishing was involved in 69.9% of incidents in this category, followed by pretexting (11.7%) and bribery (7.8%). Pretexting is the stage that follows phishing, when access to compromised email accounts is used to send further emails – BEC attacks, for example.

Verizon offers three suggestions which in the short term will help to reduce the number of PHI related incidents and data breaches.

Full disk encryption should be deployed on all portable electronic devices used to store PHI. This simple measure would prevent PHI from being accessed in the event of loss or theft of an electronic device.

The routine monitoring of medical record access – a requirement of HIPAA – will not prevent breaches, but it will reduce the severity of insider incidents and allow healthcare organizations to take corrective action quickly. When employees are aware that records are routinely monitored it can also act as a deterrent and reduce theft and unauthorized access incidents.

The final course of action is to implement solutions to combat ransomware and malware. While defenses can and should involve the use of spam filters and web filters, simple measures can also be taken such as not allowing laptops to access the Internet if they are used to store large quantities of PHI.
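The second of Verizon’s suggestions, routine monitoring of medical record access, is the one most often left as a log that nobody reads. The following is an added example, not code from the Verizon report or from HIPAA Journal, of a small access monitor run over audit log lines. It flags the insider patterns the report groups under misuse: off-roster views (privilege abuse), views of a record whose patient shares the viewer’s surname (snooping on self or family), and an unusually high number of distinct records viewed in one day. The log format, the treatment roster, the surname tables and the daily threshold are all constructed assumptions for the example; a real EHR audit trail will carry different fields, and the roster would come from the scheduling or admissions system.

```python
"""
Added example (not from Verizon or HIPAA Journal): a medical-record access
monitor that reads constructed audit log lines and reports the insider
access patterns a HIPAA access-review process is meant to catch.
"""
import re
from collections import defaultdict

# Constructed audit line format (assumption): "<ISO timestamp> user=<id> action=<verb> patient=<id>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) patient=(?P<patient>\S+)$"
)

# Constructed threshold (assumption): more distinct records than this in one day is flagged.
DAILY_DISTINCT_THRESHOLD = 3

# Constructed sample roster (hypothetical): which patients each user is assigned to treat.
TREATMENT_ROSTER = {
    "rn.patel": {"P1001", "P1002", "P1003"},
    "dr.moore": {"P1001", "P1004"},
    "clerk.lee": set(),  # billing clerk with no direct-care assignments
}

# Constructed sample surname tables (hypothetical) used for the snooping rule.
USER_SURNAME = {"rn.patel": "patel", "dr.moore": "moore", "clerk.lee": "lee"}
PATIENT_SURNAME = {
    "P1001": "garcia", "P1002": "moore", "P1003": "patel", "P1004": "nguyen",
    "P1005": "lee", "P1006": "kim", "P1007": "okafor",
}

# Constructed sample audit log: nine record views on one day.
SAMPLE_LOG = """\
2018-03-29T08:01:10 user=rn.patel action=view patient=P1001
2018-03-29T08:05:42 user=rn.patel action=view patient=P1002
2018-03-29T08:09:03 user=rn.patel action=view patient=P1003
2018-03-29T09:14:55 user=dr.moore action=view patient=P1004
2018-03-29T09:20:11 user=dr.moore action=view patient=P1002
2018-03-29T12:30:00 user=clerk.lee action=view patient=P1005
2018-03-29T12:31:00 user=clerk.lee action=view patient=P1006
2018-03-29T12:32:00 user=clerk.lee action=view patient=P1007
2018-03-29T12:33:00 user=clerk.lee action=view patient=P1001
"""


def parse_log(text):
    """Parse audit lines into dicts; an unparseable line is an error, not silently dropped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        match = LINE_RE.match(line)
        if match is None:
            raise ValueError(f"unparseable audit line: {line!r}")
        events.append(match.groupdict())
    return events


def analyze(events, roster, user_surname, patient_surname, threshold=DAILY_DISTINCT_THRESHOLD):
    """Return a list of findings; each has user, patient (None for volume), rule and ts."""
    findings = []
    distinct_per_user_day = defaultdict(set)
    for event in events:
        user, patient, ts = event["user"], event["patient"], event["ts"]
        distinct_per_user_day[(user, ts[:10])].add(patient)
        # Rule 1: privilege abuse - viewing a record of a patient not on the user's roster.
        if patient not in roster.get(user, set()):
            findings.append({"user": user, "patient": patient, "rule": "off_roster", "ts": ts})
        # Rule 2: snooping - patient surname matches the user's own surname.
        # Applied even to on-roster views, since a roster does not justify a family lookup.
        if user_surname.get(user) and user_surname[user] == patient_surname.get(patient):
            findings.append({"user": user, "patient": patient, "rule": "surname_match", "ts": ts})
    # Rule 3: volume anomaly - too many distinct records viewed by one user in one day.
    for (user, day), patients in distinct_per_user_day.items():
        if len(patients) > threshold:
            findings.append({"user": user, "patient": None, "rule": "volume",
                             "ts": day, "count": len(patients)})
    return findings


def summarize(findings):
    """Count findings per (user, rule) so a reviewer sees who needs follow-up first."""
    counts = defaultdict(int)
    for finding in findings:
        counts[(finding["user"], finding["rule"])] += 1
    return dict(counts)


def run_sample():
    """Run the monitor over the constructed log and return the per-user summary."""
    events = parse_log(SAMPLE_LOG)
    return summarize(analyze(events, TREATMENT_ROSTER, USER_SURNAME, PATIENT_SURNAME))


if __name__ == "__main__":
    for finding in analyze(parse_log(SAMPLE_LOG), TREATMENT_ROSTER, USER_SURNAME, PATIENT_SURNAME):
        print(finding)
    print(run_sample())
```

On the sample, the nurse is flagged once for viewing a patient who shares her surname even though that patient is on her roster, the physician is flagged for one off-roster view that is also a surname match, and the clerk accumulates four off-roster views, a surname match and a volume flag. Findings are review queues, not verdicts: a surname match is often a coincidence, and the value of the rule is that each such view gets a documented justification, which is exactly the deterrent effect the report attributes to visible monitoring.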


How to Become HIPAA Compliant

How to become HIPAA compliant is one of the biggest challenges for many businesses operating in the healthcare and health insurance industries. Nonetheless, businesses who operate in these industries – and service providers that do business with them – must understand what HIPAA compliance entails and how to become HIPAA compliant.

What is HIPAA Compliance?

For many businesses operating in the healthcare and health insurance industries – and for businesses outside these industries that collect individually identifiable health information – HIPAA compliance means complying with any standards of the HIPAA Administrative Simplification Regulations that are relevant to their operations and that are not preempted by any other state or federal regulations.

Not every business operating in the healthcare and health insurance industries is required to become HIPAA compliant. The HIPAA Administrative Simplification Regulations only apply to businesses that qualify as a HIPAA Covered Entity or Business Associate according to the definitions provided in the HIPAA General Provisions (45 CFR §160.103) and to health-related businesses regulated by the Federal Trade Commission.

Additionally, not every business operating in the healthcare and health insurance industry is required to comply with every standard of the HIPAA Administrative Simplification Regulations. For example, healthcare providers that outsource claims and billing operations do not have to comply with Part 162 of the Regulations – although it is necessary to know what they are in order to conduct due diligence on third party service providers.

Therefore, HIPAA compliance entails reviewing the HIPAA Administrative Simplification Regulations, identifying which standards are relevant to your business’s operations (and which you need to be aware of in order to conduct due diligence on third party service providers), and comparing these standards with any state or federal regulations you may be subject to. Thereafter, follow the steps in the next section to become HIPAA compliant.

How to Become HIPAA Compliant

After identifying which standards your business needs to comply with to become HIPAA compliant, there is no one-size-fits-all path to compliance. Most businesses will already have some of the required measures in place to protect the privacy of individually identifiable health information or to safeguard the confidentiality, integrity, and availability of electronic Protected Health Information. Most will also have processes in place to comply with state Breach Notification Rules.

Therefore, the way to become HIPAA compliant is to compare the measures you need to implement with those you already have in place. This may mean you only have to fine-tune a number of policies and implement additional security procedures to comply with the HIPAA Privacy and Security Rules, or it may mean a complete overhaul of your compliance strategy to address shortcomings in how the privacy of individually identifiable health information is protected.

It is important that both your existing measures and those you introduce to become HIPAA compliant are documented, that you conduct a risk analysis to identify any remaining potential vulnerabilities, and that you provide HIPAA training to members of the workforce that have experienced a “material change” to working practices. It may also be necessary to amend existing Notices of Privacy Practices and to review Business Associate Agreements to ensure they are compliant.

Service providers with whom you do business also need to be made aware they must become HIPAA compliant if the service involves the disclosure (to the service provider) of Protected Health Information. Although it is in the service providers’ best interests to take responsibility for their own compliance, it may be necessary for your business to get involved with explaining to them the measures they need to implement in order to become HIPAA compliant.

Help with Becoming HIPAA Compliant

Becoming HIPAA compliant can be a daunting prospect, especially considering the severity of penalties for HIPAA violations and the consequences of a breach of Protected Health Information or patient privacy. Fortunately, there are a number of useful resources that can help businesses – both Covered Entities and Business Associates – become HIPAA compliant.

HIPAA Compliance Checklist

The first of these is a HIPAA compliance checklist. Although a comprehensive HIPAA checklist may cover more areas of compliance than is necessary for every business, one of the benefits of a comprehensive checklist is that it can help businesses identify areas of compliance they may have overlooked when reviewing the HIPAA Administrative Simplification Regulations.

HHS Guidance Materials

The second useful resource is the guidance materials published by the Department of Health and Human Services. This resource tends to deal with more specific areas of compliance (rather than general areas covered by a compliance checklist) and some businesses may find the depth of detail unnecessary while they are in the early stages of becoming HIPAA compliant.

HIPAA Compliance Software

Depending on where your business is on the path to becoming HIPAA compliant, HIPAA compliance software can help you identify gaps between your existing measures and those you need to implement, or double-check you have covered everything you need to. Additionally, adopting HIPAA compliance software indicates a good faith attempt to comply with HIPAA.

How to Remain HIPAA Compliant

Not only can becoming HIPAA compliant be a daunting prospect, remaining HIPAA compliant can also be a challenge. New threats to the confidentiality, integrity, and availability of electronic Protected Health Information are constantly emerging and poor compliance practices can creep in as members of the workforce take shortcuts “to get the job done”.

One of the best ways to remain HIPAA compliant is by using HIPAA compliance software to continually self-assess compliance. The auditing capabilities of the software will help you understand when additional security measures need to be implemented or when refresher training is necessary to remind members of the workforce of their compliance responsibilities.

HIPAA compliance software can also help your business comply with the requirement to conduct regular risk assessments and – all the time the software is being utilized – maintains the impression of a good faith attempt to comply with HIPAA. This may be essential if your business is only just taking its first steps on the path to becoming HIPAA compliant.

How to Become HIPAA Compliant: FAQs

Who are the federal and state regulators of the HIPAA Rules?

The federal and state regulators of the HIPAA Rules are the Department of Health and Human Services (HHS), the Federal Trade Commission (FTC), and State Attorneys General. Reports of HIPAA violations are investigated by HHS’ Office for Civil Rights. The agency has the authority to impose civil penalties or refer violations to the Department of Justice if criminal activity is suspected. Non-HIPAA covered organizations – such as vendors of health apps – are regulated by the FTC.

At a state level, HIPAA compliance is regulated by State Attorneys General. State Attorneys General can also initiate complaints from state residents relating to any failure to protect individually identifiable health information from impermissible uses and disclosures. Additionally, many states have privacy laws that pre-empt areas of HIPAA. Consequently, businesses need to be aware of which state laws apply to their activities in addition to HIPAA.

What sort of businesses would be regulated by the FTC rather than HHS?

The sort of business that would be regulated by the FTC rather than HHS is any business that is not a HIPAA covered entity or HIPAA business associate, but that creates, receives, maintains, or transmits individually identifiable health information. Since the passage of the HITECH Act in 2009, these businesses have had to comply with the Breach Notification Rule.

Typically, these businesses include the manufacturers of health apps (e.g., fitness trackers) and connected devices (e.g., wearable blood pressure cuffs) if the products offer or maintain a personal health record (PHR) collected on consumers’ behalf. Additionally, vendors of software that accesses information in a PHR or sends information to a PHR are also subject to the Breach Notification Rule.

The Security Rule has “required” and “addressable” implementation specifications. What does this mean?

The Security Rule has “required” and “addressable” implementation specifications because some implementation specifications may not be reasonable or appropriate in all circumstances. In such circumstances, an addressable implementation specification allows Covered Entities to implement an alternative measure, provided the alternative measure is at least as effective and the reason for implementing it is documented.

Why doesn’t HHS recognize HIPAA certifications?

HHS doesn’t recognize HIPAA certifications because a HIPAA certification is a “point in time” accreditation that certifies a business complies with the HIPAA requirements at the time the certificate was issued. Under §164.308, businesses are required to conduct “periodic technical and non-technical evaluations”. Consequently, a point in time accreditation does not fulfil this requirement and – as HHS notes – does not “preclude HHS from subsequently finding a security violation”.

Where can I find the full text of the Administrative Simplification Regulations?

You can find the full text of the Administrative Simplification Regulations via a PDF compiled by the Department of Health and Human Services which can be downloaded from this page on the HHS website. For businesses unfamiliar with HIPAA, please note the PDF not only includes the Privacy, Security, and Breach Notification Rules (and the changes made to them by the HITECH Act), but also Transaction, Code Set, and Identifier Standards.

What are the Administrative Simplification Regulations?

The Administrative Simplification Regulations are Parts 160, 162, and 164 of the Code of Federal Regulations relating to Public Welfare. When HIPAA was passed in 1996, Congress instructed the Secretary of Health and Human Services to develop these Parts to cover compliance investigations and civil penalties (Part 160) and the transaction code sets (Part 162).

Part 164 of the Administrative Simplification Regulations contains the Rules most Covered Entities are familiar with – the Privacy, Security, and Breach Notification Rules. The first two Rules were developed under HIPAA itself, whereas the Breach Notification Rule was added following the passage of the HITECH Act in 2009.

Why do some businesses operating in the healthcare industry not have to comply with HIPAA?

Some businesses operating in the healthcare industry do not have to comply with HIPAA because they do not qualify as HIPAA Covered Entities. This may be because they do not conduct transactions for which HHS has published standards (e.g., a counselor who bills clients directly), or because they do not conduct those transactions electronically (e.g., claims are sent by mail).

However, if these businesses work for a Covered Entity as a Business Associate, they are required to comply with HIPAA to the extent agreed in the Business Associate Agreement. Furthermore, even if a healthcare provider does not have to comply with HIPAA because they do not qualify as a Covered Entity, they may still have to comply with other state and federal privacy regulations.

How might some businesses already have measures in place to comply with the Privacy Rule?

Some businesses might already have measures in place to comply with the Privacy Rule if, for example, they have areas of the waiting room sectioned off so healthcare professionals can discuss diagnoses with patients and their families in private, if they already have a “minimum necessary” policy, or if they allow patients to request a copy of their medical records.

How might some businesses already have measures in place to comply with the Security Rule?

Some businesses might already have measures in place to comply with the Security Rule if, for example, they enforce a password policy that requires users to create unique and complex passwords, if they run a security awareness and training program that covers all members of the workforce, and if they maintain on-premises servers in a secure, access-controlled environment.

Why will most businesses have processes in place to comply with the Breach Notification Rule?

Most businesses will have processes in place to comply with the Breach Notification Rule because all 50 states, the District of Columbia, Guam, Puerto Rico, and the Virgin Islands have laws requiring private businesses, and – in most states – governmental entities to notify individuals of security breaches of information involving personally identifiable information.

Security breach laws typically have provisions regarding who must comply with the law (e.g., businesses, data or information brokers, healthcare providers), definitions of “personal information” (e.g., a name combined with an SSN, driver's license or state ID number, or account number), what constitutes a breach (e.g., unauthorized acquisition of data), requirements for notice (e.g., timing and method of notice, who must be notified), and exemptions (e.g., for encrypted data).

How many states have medical privacy laws that can preempt HIPAA?

Forty-four states have medical privacy laws that can preempt HIPAA, but generally there may only be one or two clauses in the state regulations HIPAA Covered Entities have to be aware of. For example, in many states, a patient authorization is required before the patient’s HIV/AIDS status can be revealed by a healthcare provider (not required by HIPAA), or it may be the case that reports of child and elder abuse are mandatory (compared to being permitted by HIPAA).

What is a material change to policies and procedures that requires refresher HIPAA training?

A material change to policies and procedures that requires refresher HIPAA training is any change to a policy or procedure that affects the roles of members of the workforce. For example, if you change the procedures for requesting an accounting of disclosures, members of the workforce who respond to patients’ requests for an accounting of disclosures will have to be trained in the new procedures.

Is HIPAA refresher training mandatory?

HIPAA refresher training is mandatory when there is a material change to policies and procedures, but it is a best practice for Covered Entities to provide refresher training at least annually to prevent poor compliance practices from creeping in. In addition, it is important to be aware that the security awareness and training program required by the Security Rule (§164.308(a)(5)) is a “program” and not a one-off session. This implies security awareness training should be ongoing and include references to HIPAA policies.

What difference does “a good faith attempt” at HIPAA compliance make following a data breach?

The difference a good faith attempt at HIPAA compliance can make following a data breach is significant. In January 2021, President Trump signed an amendment to the HITECH Act (HR 7898) that requires HHS' Office for Civil Rights to consider whether a Covered Entity or Business Associate had “recognized security practices” in place for the previous twelve months when determining fines, audit outcomes, and other remedies following a data breach. The amendment does not provide immunity from HIPAA penalties, but a documented good faith effort to comply during the twelve months before a breach can reduce the penalty and the length of an audit.

Why is it in service providers’ best interests to take responsibility for their own compliance?

Since the publication of the Final Omnibus Rule in 2013, service providers operating as Business Associates have been directly liable for compliance with certain Privacy Rule and Security Rule requirements. Therefore, even though Business Associates are required to report all security incidents to the Covered Entity they are providing a service to, if it transpires that a data breach was attributable to the Business Associate’s failure to comply with the Privacy Rule and Security Rule requirements, the Business Associate – rather than the Covered Entity – will be considered liable.

The post How to Become HIPAA Compliant appeared first on HIPAA Journal.

South Dakota Enacts Data Breach Notification Law as Congress Considers Federal Breach Notice Bill

South Dakota has been slow to introduce legislation to improve protections for consumers affected by breaches of their personal information. Laws have already been introduced in 48 states that require individuals and companies that store personal information to issue notifications to breach victims when that information is compromised.

Last week, South Dakota residents were given similar protections to those in place in neighboring states. On March 21, 2018, South Dakota attorney general Marty Jackley issued a statement confirming SB 62 had been signed by Governor Daugaard and will take effect on July 1, 2018.

The bipartisan bill requires entities that experience a breach of personal information to issue notifications to affected state residents within 60 days of discovery of the breach – the same time frame as HIPAA.

Personal information is classed as the full name, or first initial and last name, of a state resident in combination with one or more of the following: a government ID number, Social Security number, driver's license number, credit or debit card number (with an associated code that allows the card to be used), employment ID number (with authentication information), or health information (using the same definition as HIPAA, 45 CFR 160.103). A notification must also be issued to the state attorney general if the breach impacts more than 250 state residents, again within 60 days of discovery of the breach.

In contrast to many states, there is a risk of harm exception in the South Dakota data breach notification law. If a breached entity “reasonably determines that the breach will not likely result in harm to the affected person,” notifications do not need to be issued.

Failing to issue notifications on time can attract a fine of up to $10,000 per day per violation, plus the state attorney general's fees.

Now that the South Dakota data breach notification law has been enacted, Alabama is the only state that has not yet introduced state-level data breach notification regulations. That is likely to change soon, as the Alabama Data Breach Notification Act of 2018 was passed unanimously by the Alabama Senate earlier this month and is currently under consideration by the Alabama House of Representatives.

State Attorneys General Oppose Federal Data Breach Notification Regulations

Just as the patchwork of data breach notification regulations approaches completion, federal regulations are being considered that could see those state level laws rendered obsolete. A discussion draft of the Data Acquisition and Technology Accountability and Security Act was issued in February, which if signed into law, would apply to “any person, partnership, corporation, trust, estate, cooperative, association, or other entity that accesses, maintains, or stores personal, or handles personal information.”

The Data Acquisition and Technology Accountability and Security Act would require security safeguards to be implemented to protect personal information stored by any entity included in the above definition. Data breach notifications would need to be issued if, following a risk assessment, the breached entity determines there is a “reasonable risk that the breach of data security has resulted in or will result in identity theft, fraud, or economic loss to the consumers to whom the personal information involved in the incident relates.” The notifications would need to be issued without unreasonable delay.

The discussion draft of the bill has attracted criticism from state attorneys general who have already enacted their own laws to protect residents in their respective states. A bipartisan group of 32 (20 Democrats / 12 Republicans) state attorneys general, led by Illinois attorney general Lisa Madigan, sent a joint letter to the House Financial Services Committee on March 19 opposing the Data Acquisition and Technology Accountability and Security Act.

The proposed Data Acquisition and Technology Accountability and Security Act preempts state regulations and appears to place credit reporting agencies such as Equifax outside the scope of state regulation. While the above definition of entities appears to be comprehensive, a notable exception is any entity covered by the Gramm-Leach-Bliley Act – namely financial institutions and credit reporting agencies.

Further, the proposed bill would see protections for consumers lessened in most states, since the breach reporting requirements in the Data Acquisition and Technology Accountability and Security Act are far less stringent. Not only does the DATAS Act allow a breached entity to determine the level of risk to consumers – and whether data breach notifications are required – breached entities would have much longer to issue notifications. Those notifications could even be issued after consumers have experienced identity theft and fraud due to a breach of their personal information.


Research Suggests Healthcare Data Breaches Cause 2,100 Deaths a Year

A researcher at Vanderbilt University has conducted a study that suggests mortality rates at hospitals increase following a data breach as a result of a drop in the standard of care. The researcher estimates healthcare data breaches may cause as many as 2,100 deaths a year in the United States.

The study was conducted by Owen Graduate School of Management researcher, Dr. Sung Choi. The findings of the study were presented at a recent cyberrisk quantification conference at Philadelphia’s Drexel University LeBow College of Business.

Cyberattacks can have a direct impact on patient care, which has been clearly highlighted on numerous occasions over the past 12 months. Ransomware and wiper malware attacks have crippled information systems and have forced healthcare providers to cancel appointments, while the lack of access to patient health records can cause treatment delays. Notable attacks that caused major disruption were the NotPetya wiper and WannaCry ransomware attacks last year, with the latter causing major problems for the National Health Service in the UK.

Choi explained that data breaches can be a distraction for physicians and that the aftereffects of breaches can last for years. HIPAA covered entities face investigations and litigation, which Choi suggests could result in disruption to medical services and delays in providing treatment. The cost of mitigating attacks, including purchasing additional security solutions and dealing with the fallout from data breaches, can see resources diverted away from patient care.

For the study, Choi compared mortality rates at hospitals before and immediately after a data breach had occurred. One of the metrics used to assess a potential fall in the quality of care was the percentage of heart attack patients who died within 30 days of admission to hospital.

Choi notes that the control group and breached hospitals had similar mortality rates, although after a data breach, the mortality rate for the control group remained the same but increased at hospitals that had experienced a breach. Choi’s analysis showed there was a 0.23% increase in the mortality rate one year following a data breach and an increase of 0.36% two years after a breach. That equates to 2,160 deaths a year.

Choi also noted that the time taken to administer electrocardiographs was longer for newly admitted patients after a hospital had experienced a data breach.

The study was presented just a few days before the Department of Health and Human Services’ Office for Civil Rights issued a reminder to HIPAA covered entities about the need to develop contingency plans for emergencies such as cyberattacks and ransomware incidents. OCR explained that HIPAA Rules on contingency planning help to ensure a fast recovery from a natural disaster, cyberattack, or other emergency situation.

This research suggests that the development of an effective contingency plan and a rapid response to data breaches can save lives.


HIPAA Rules on Contingency Planning

In its March 2018 cybersecurity newsletter, OCR explained HIPAA Rules on contingency planning and urged healthcare organizations to plan for emergencies to ensure a return to normal operations can be achieved in the shortest possible time frame.

A contingency plan is required to ensure that when disaster strikes, organizations know exactly what steps must be taken and in what order.

Contingency plans should cover all types of emergencies, such as natural disasters, fires, vandalism, system failures, cyberattacks, and ransomware incidents. The steps that must be taken for each scenario could well be different, especially in the case of cyberattacks vs. natural disasters. The plan should incorporate procedures to follow for specific types of disasters.

Contingency planning is not simply a best practice. It is a requirement of the HIPAA Security Rule. Contingency planning should not be considered a onetime checkbox item necessary for HIPAA compliance. It should be an ongoing process with plans regularly checked, updated, and tested to ensure any deficiencies are identified and addressed.

What are the HIPAA Rules on Contingency Planning?

HIPAA Rules on contingency planning are concerned with ensuring healthcare organizations return to normal operations as quickly as possible and the confidentiality, integrity, and availability of PHI is safeguarded.

HIPAA Rules on contingency planning can be found in the Security Rule administrative safeguards – 45 CFR § 164.308(a)(7)(ii)(A)-(E). Three of the five implementation specifications are required (R) and two are addressable (A):

  • Develop and Implement a Data Backup Plan – § 164.308(a)(7)(ii)(A) (R)
  • Develop a Disaster Recovery Plan – § 164.308(a)(7)(ii)(B) (R)
  • Develop an Emergency Mode Operation Plan – § 164.308(a)(7)(ii)(C) (R)
  • Develop and Implement Procedures for Testing and Revision of Contingency Plans – § 164.308(a)(7)(ii)(D) (A)
  • Perform an Application and Data Criticality Analysis – § 164.308(a)(7)(ii)(E) (A)

A data backup plan ensures that when disaster strikes, PHI is not lost or destroyed. A viable copy of all ePHI must be created that allows exact copies of ePHI to be restored, which includes all forms of ePHI such as medical records, diagnostic images, test results, case management information, and accounting systems. A good practice is to adopt a 3-2-1 approach for backups: keep three copies of the data, store them on at least two different media, and keep one copy securely offsite. Because backups contain ePHI they must be protected to the same standard as the live data (encrypted and access-controlled), and at least one copy should be offline or otherwise unreachable from the production network so that ransomware which reaches the primary systems cannot also encrypt the backups. Backups must also be tested to ensure the recovery of data is possible: a backup that has never been restored is an assumption, not a plan.
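The restore test described above, as an added example that is not part of OCR's newsletter or the HIPAA Journal article: the Python below archives a directory, records a SHA-256 manifest of every file at backup time, restores the archive into scratch space and compares the restored files with the manifest. The directory layout, file names and record contents are constructed for the example, and tar.gz plus a JSON manifest is one format choice among many; the point is that a restore is actually performed and its result checked rather than the backup job's exit status being trusted.

```python
"""Restore test for a data backup: archive a directory, record a SHA-256 manifest,
then restore into scratch space and prove the restored files match the manifest.
Example code with constructed sample data; not a HIPAA Journal or OCR tool."""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large records (diagnostic images) need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (path relative to root) to its SHA-256 digest."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(source: Path, archive: Path) -> dict:
    """Write source as a tar.gz archive plus a sidecar JSON manifest; return the manifest."""
    manifest = build_manifest(source)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")
    archive.with_name(archive.name + ".manifest.json").write_text(
        json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def safe_extract(tar: tarfile.TarFile, dest: Path) -> None:
    """Extract only regular files and directories whose paths stay under dest.
    Rejecting entries that resolve outside dest, and links or device nodes, blocks the
    classic tar path-traversal ('tar slip') should a restore ever read a tampered archive."""
    dest = dest.resolve()
    for member in tar.getmembers():
        target = (dest / member.name).resolve()
        if target != dest and dest not in target.parents:
            raise ValueError(f"archive entry escapes restore directory: {member.name}")
        if not (member.isfile() or member.isdir()):
            raise ValueError(f"unsupported archive entry type: {member.name}")
    tar.extractall(dest)


def verify_restore(archive: Path, manifest: dict) -> dict:
    """Restore archive into scratch space and compare it with manifest.
    The report lists files that are missing, corrupt (digest mismatch) or unexpected."""
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            safe_extract(tar, Path(scratch))
        restored = build_manifest(Path(scratch))
    expected, actual = set(manifest), set(restored)
    report = {
        "missing": sorted(expected - actual),
        "unexpected": sorted(actual - expected),
        "corrupt": sorted(k for k in expected & actual if manifest[k] != restored[k]),
    }
    report["ok"] = not (report["missing"] or report["unexpected"] or report["corrupt"])
    return report


def demo() -> dict:
    """Constructed sample (no real PHI): back up a tiny records tree, confirm a clean
    restore, then show that an archive taken after a record changed no longer matches
    the manifest captured at the original backup time."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        source = work / "records"
        (source / "imaging").mkdir(parents=True)
        (source / "patient-0001.txt").write_text("constructed sample record\n")
        (source / "imaging" / "scan-0001.bin").write_bytes(bytes(range(256)))

        manifest = create_backup(source, work / "records.tar.gz")
        clean = verify_restore(work / "records.tar.gz", manifest)

        # Drift: a record is altered, a new archive is taken, but the old manifest is kept.
        (source / "patient-0001.txt").write_text("record altered after the manifest was written\n")
        create_backup(source, work / "records-later.tar.gz")
        drifted = verify_restore(work / "records-later.tar.gz", manifest)
        return {"clean": clean, "drifted": drifted}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In a real contingency plan the manifest would be written at backup time and kept with the offsite copy, and `verify_restore` would run on a schedule against each copy (including the offline one) with the report retained as evidence of the testing required by § 164.308(a)(7)(ii)(D).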

A disaster recovery plan should establish the procedures that must be followed to restore access to data, including how files should be restored from backups. A copy of the plan should be readily available and stored in more than one location.

The emergency mode operation plan must ensure critical business processes continue to maintain the security of ePHI when operating in emergency mode, for example when there is a technical failure or power outage.

All elements of the contingency plan must be regularly tested and revised as necessary. OCR recommends conducting scenario-based walkthroughs and live tests of the complete plan.

Covered entities should “assess the relative criticality of specific applications and data in support of other contingency plan components.” All software applications that are used to store, maintain, or transmit ePHI must be assessed to determine the level of criticality to business functions as it will be necessary to prioritize each when data is restored.

Summary of Key Elements of Contingency Planning

OCR has provided a summary of the key elements of contingency planning:

  • The primary goal is to maintain critical operations and minimize loss.
  • Define time periods – What must be done during the first hour, day, or week?
  • Establish Plan Activation – What event(s) will cause the activation of the contingency plan?  Who has the authority to activate the contingency plan?
  • Ensure the contingency plan can be understood by all types of employees.
  • Communicate and share the plan and roles and responsibilities with the organization.
  • Establish a testing schedule for the plan to identify gaps.
  • Update the plan whenever testing or change shows it is no longer effective, and use those updates to increase organizational awareness.
  • Review the plan on a regular basis and situationally when there are technical, operational, environmental, or personnel changes in the organization.
