Latest HIPAA News

New Malware Detections at Record High: Healthcare Most Targeted Industry

Posted by HIPAA Journal

Throughout 2017, the volume of new malware samples detected by McAfee Labs has been steadily rising each quarter, reaching a record high in Q3 when 57.6 million new malware samples were detected. On average, in Q3 a new malware sample was detected every quarter of a second.

In the United States, the healthcare industry continues to be the most targeted vertical, which along with the public sector accounted for more than 40% of total security incidents in Q3. In Q3, account hijacking was the main attack vector, followed by leaks, malware, DDoS, and other targeted attacks.

There were similar findings from the recent HIMSS Analytics/Mimecast survey which showed email related phishing attacks were the greatest cause of concern among healthcare IT professionals, with email the leading attack vector.

In Q3, globally there were 263 publicly disclosed security breaches – a 15% increase from last quarter – with more than 60% of those breaches occurring in the Americas. Malware attacks increased 10% since last quarter bringing the total new malware samples in the past four quarters to 781 million – a 27% increase in the space of a year.

Ransomware continues to be a favored moneymaker for cybercriminals, with the number of new ransomware samples increasing by 36% in Q3 – 14% more than the previous quarter. In total, 12.2 million samples of ransomware were detected – a 44% increase over the past four quarters.  One notable ransomware variant was Lukitus – a new form of Locky ransomware that appeared in Q3. The campaign detected by McAfee involved an astonishing 23 million spam emails in the first 24 hours alone.

While not the biggest threat in Q3, fileless malware threats are still a major cause for concern. Script-based malware – written in VBS, JavaScript, PowerShell or PHP – has been steadily increasing over the past two years. The malware is easy to obfuscate and difficult to detect, and is increasingly being used in malware campaigns, with some campaigns consisting entirely of script-based malware.

McAfee reports that while there was a 36% fall in JavaScript malware since Q2, the level is still higher than at any point in 2016 and Q3 saw a 119% increase in PowerShell malware.

“Although many cyberattacks continue to rely on the exploitation of basic security vulnerabilities, exposures, and user behaviors, fileless threats leverage the utility of our own system capabilities,” said Vincent Weafer, Vice President for McAfee Labs. “By leveraging trusted applications or gaining access to native system operating tools such as PowerShell or JavaScript, attackers have made the development leap forward to take control of computers without downloading any executable files, at least in the initial stages of the attack.”

There was also a notable rise in mobile malware, with 21.1 million samples detected – 10% higher than Q2, the increase was largely due to a major rise in Android screen-locking ransomware variants. Macro malware increased by 8% in Q3, while Mac malware saw an increase of 7%. Web-based threats also increased significantly in Q3.

While malware continues to be a major threat, the Carbon Black’s 2017 Threat Report indicates 52% of attacks are non-malware related. Non-malware attacks are now increasing at a rate of 6.8% per month.

The financial services, healthcare providers, and retail stores were the verticals most affected by malware-related cyberattacks in 2017 according to Carbon Black. The main threats are the Kryptik Trojan, Strictor ransomware, the Nemucod downloader, the Emotet banking Trojan, and the Skeeyah Trojan. Carbon Black reports a 328% increase in attacks on endpoints in 2017 alone.

While the healthcare industry has had its fair share of ransomware attacks, it is well down the list of industries targeted with ransomware, coming in 9th out of 10 industries with just 4.6% of the total. The leading targets being tech firms, government organizations/NPOs and legal firms.

Ransomware will continue to be the dominant form of cybercrime in 2018, according to the report. Carbon Black estimates revenues from ransomware will rise to $5 billion by the end of the year, compared to just $24 million in 2015.

The post New Malware Detections at Record High: Healthcare Most Targeted Industry appeared first on HIPAA Journal.

Study Reveals Cybersecurity in Healthcare is Not Being Taken Seriously Enough

Posted by HIPAA Journal

A recent survey by Black Book Research indicates the healthcare industry is not doing enough to tackle the threat of cyberattacks, and that cybersecurity is still not being taken seriously enough.

The survey was conducted on 323 strategic decision makers at U.S. healthcare firms in Q4, 2017. Even though the threat of cyberattacks is greater than ever, and the healthcare industry will remain the number one target for cybercriminals in 2018, only 11% of healthcare organizations plan to appoint a cybersecurity officer in 2018 to take charge of security. Currently 84% of provider organizations do not have a dedicated leader for cybersecurity.

Payer organizations are taking cybersecurity more seriously. 31% have appointed a manager for their cybersecurity programs and 44% said they would make an appointment next year. Overall, 15% of all surveyed organizations said they have a chief information security office in charge of cybersecurity.

The survey also revealed that cybersecurity best practices are not being widely adopted in the healthcare industry. Even though HIPAA calls for regular risk assessments to be conducted, 54% of respondents said risk assessments were not conducted regularly at their organization, while 39% said they do not carry out firewall penetration tests.

Further, while there have been increases in budgets, it would appear that cybersecurity is a low priority. 89% of respondents said that in 2018, budgeted IT funds were primarily being directed to business functions with provable business cases. Only a small percentage of those budgets are being allocated to cybersecurity.

In order for cybersecurity goals to be met, there needs to be C-Suite involvement, yet 92% of respondents said that cybersecurity and data breaches were not major talking points in board meetings. “Cybersecurity has to be a top-down strategic initiative as it’s far too difficult for IT security teams to achieve their goals without the board leading the charge,” said Doug Brown, Managing Partner of Black Book.

With two weeks left in December, there have been 331 healthcare data breaches reported to the Department of Health and Human Services’ Office for Civil Rights. The total for 2016 was 327 breaches, having increased from 270 breaches in 2015. At the current rate, the milestone of 350 breaches for the year may even be reached. There is also no indication that the year on year increases in data breaches will not continue in 2018.

“The critical role of medical facilities, combined with poor security practices and lack of resources, make them vulnerable to financially and politically motivated attacks,” said Brown.

Unless more is done to ensure cybersecurity goals are met, next year is likely to be yet another record-breaking year for healthcare data breaches.

The post Study Reveals Cybersecurity in Healthcare is Not Being Taken Seriously Enough appeared first on HIPAA Journal.

OCR Launches New Tools to Help Address the Opioid Crisis

Posted by HIPAA Journal

OCR has launched new tools and initiatives as part of its efforts to help address the opioid crisis in the U.S., and fulfil its obligations under the 21st Century Cures Act.

Two new webpages have been released – one for consumers and one for healthcare professionals – that make information relating to mental/behavioral health and HIPAA more easily accessible.

OCR resources have been reorganized to make the HHS website more user-friendly, and the new webpages serve as a one-stop resource explaining when, and under what circumstances, health information can be shared with friends, families, and loved ones to help them deal with, and prevent, emergency situations such as an opioid overdose or a mental health crisis.

OCR has also released new guidance on sharing information related to substance abuse disorder and mental health with individuals involved in the provision of care to patients. The new resources include fact sheets, decision charts, an infographic, and various scenarios that address the sharing of information when an individual has an opioid overdose.  Some of the materials have been developed specifically for parents of children suffering from a mental health condition.

OCR is also collaborating with partner agencies within the HHS to identify and develop further programs and training materials covering the permitted uses and disclosures of PHI when patients seek, or undergo, treatment for mental health disorders or substance abuse disorder.

“HHS is using every tool at its disposal to help communities devastated by opioids including educating families and doctors on how they can share information to help save the lives of loved ones,” said OCR Director, Roger Severino.

The Information Related to Mental and Behavioral Health can be accessed on the links below:

Webpage for consumers

Webpage for healthcare professionals and caregivers

Guidance on HIPAA and Research

OCR has also released updated guidance on HIPAA and research, as required by the 21st Century Cures Act. The new guidance explains how the HIPAA Privacy Rule applies to research, including when protected health information can be shared without first obtaining authorization from patients.

OCR explains that HIPAA-covered entities are always permitted to disclose PHI for research purposes if it has been de-identified in accordance with 45 CFR 164.502(d), and 164.514(a)-(c).

If PHI is not de-identified, authorization from patients is required unless the covered entity has obtained Documented Institutional Review Board (IRB) or Privacy Board Approval. In the guidance, OCR explains the criteria that must be satisfied to receive such approval.

The guidance can be viewed here.

OCR has also formed a working group that includes representatives of several federal agencies, patients, researchers, healthcare providers, privacy, security and technology experts. The working group will study uses and disclosures of PHI for research and the group will report on whether those uses and disclosures should be modified to facilitate research while ensuring individuals’ privacy rights are protected.

The post OCR Launches New Tools to Help Address the Opioid Crisis appeared first on HIPAA Journal.

Medicaid Billing Company Settles Data Breach Case with Mass. Attorney General for $100,000

Posted by HIPAA Journal

A data breach experienced by New Hampshire-based Multi-State Billing Services (MBS) has resulted in a $100,000 settlement with the Massachusetts attorney general’s office.

MBS is a Medicaid billing company that provides processing services for 13 public school districts in Massachusetts –  Ashburnham-Westminster Regional, Bourne, Foxboro Regional Charter, Milford, Nauset Public Schools, Norfolk, Northborough-Southborough Regional, Plainville, Sutton, Truro, Uxbridge, Wareham, and Whitman-Hanson Regional.

In 2014, MBS learned that a password-protected, unencrypted laptop computer containing the sensitive personal information of Medicaid recipients had been stolen from a company employee. Data stored on the device included names, Social Security numbers, Medicaid numbers, and birth dates. As a result of the laptop theft, more than 2,600 Massachusetts children had their sensitive information exposed.

Following the data breach, MBS notified all affected individuals and offered to reimburse costs related to security freezes for three years following the breach. Security was also enhanced, including the use of encryption on all portable computers used to store the sensitive information of Medicaid recipients.

The Massachusetts attorney general’s office investigated the breach and determined that insufficient protections had been employed to ensure this type of breach did not occur. Under state law, companies doing business in Massachusetts must take “reasonable steps to safeguard the personal information from unauthorized access or use.” Had those measures been implemented prior to the laptop theft, a breach of sensitive information could have been avoided.

Specifically, MBS had failed to develop, implement, and maintain a written security information program, and did not ensure sensitive personal information stored on portable electronic devices was encrypted. MBS had also failed to train staff how to reasonably safeguard personal information.

A consent judgement against MBS was obtained by Massachusetts attorney General Maura Healey. That judgement requires MBS to pay a financial penalty and develop, implement, and maintain a comprehensive information security program and train staff how to handle and safeguard personal information.

Attorney general Healey said, “This settlement ensures that this company implements the necessary protections so this type of breach never happens again and sends a clear message about the importance of safeguarding the sensitive information of children and others.”

The post Medicaid Billing Company Settles Data Breach Case with Mass. Attorney General for $100,000 appeared first on HIPAA Journal.

$2.3 Million 21st Century Oncology HIPAA Settlement Agreed with OCR

Posted by HIPAA Journal

A 21st Century Oncology HIPAA settlement has been agreed with the Department of Health and Human Services’ Office for Civil Rights (OCR) to resolve potential HIPAA violations discovered during the investigation of a 2015 breach of 2.2 million patients’ PHI.

The breach in question was discovered by the Federal Bureau of Investigation (FBI) in 2015. The FBI informed 21st Century Oncology on November 13 and December 13, 2015, that an unauthorized individual accessed and stole information from one of its patient databases.

21st Century Oncology conducted an investigation with the assistance of a third-party computer forensics company and discovered the network SQL database was potentially first accessed on October 3, 2015. The database was accessed through Remote Desktop Protocol from an Exchange Server within 21st Century Oncology’s network. The database contained the protected health information of 2,213,597 individuals.

As occurs after all data breaches that impact more than 500 individuals, OCR conducted an investigation into the 21st Century Oncology data breach. That investigation uncovered multiple potential violations of HIPAA Rules.

OCR determined that 21st Century Oncology failed to conduct a comprehensive, organization-wide risk assessment to determine the potential risks to the confidentiality, integrity, and availability of electronic protected health information, as required by 45 C.F.R. § 164.308(a)(1)(ii)(A).

21st Century Oncology was also determined to have failed to implement sufficient measures to reduce risks to an appropriate and acceptable level to comply with 45 C.F.R. § 164.306(A).

21st Century Oncology also failed to implement procedures to regularly review logs of system activity, including audit logs, access reports, and security incident tracking reports, as required by 45 C.F.R. §164.308(a)(1)(ii)(D).

The breach resulted in the impermissible disclosure of the protected health information of 2,213,597 patients.

Further, protected health information of patients was disclosed to business associates without first entering into a HIPAA-compliant business associate agreement and obtaining satisfactory assurances that HIPAA requirements would be followed.

To resolve those potential HIPAA violations, 21st Century Oncology agreed to pay OCR $2.3 million. In addition to the financial settlement, 21st Century Oncology has agreed to adopt a comprehensive corrective action plan (CAP) to bring its policies and procedures up to the standards demanded by HIPAA.

Under the CAP, 21st Century Oncology must appoint a compliance officer, revise its policies and procedures with respect to system activity reviews, access establishment, modification and termination, conduct an organization-wide risk assessment, develop internal policies and procedures for reporting violations of HIPAA Rules, and train staff on new policies.

21st Century Oncology is also required to engage a qualified, objective, and independent assessor to review compliance with the CAP.

Separate $26 Million Settlement Resolves Meaningful Use, Stark Law, and False Claims Act Violations

In addition to the OCR settlement to resolve potential HIPAA violations, 21st Century Oncology has also agreed to a $26 million settlement with the Department of Justice to resolve allegations that it submitted false or inflated Meaningful Use attestations in order to receive incentive payments. 21st Century Oncology self-reported that employees falsely submitted information relating to the use of EHRs to avoid downward payment adjustments. Fabricated reports were also submitted, and the logos of EHR vendors were superimposed on reports to make them appear genuine.

The settlement also resolves allegations that the False Claims Act was violated by submitting or enabling the submission of claims that involved kickbacks for physician referrals, and also violations of the Stark Law, which covers physician self-referrals.

According to the Department of Justice, “The Stark Law prohibits an entity from submitting claims to Medicare for designated health services performed pursuant to referrals from physicians with whom the entity has a financial relationship unless certain designated exceptions apply.”

“We appreciate that 21st Century Oncology self-reported a major fraud affecting Medicare, and we are also pleased that the company has agreed to accept financial responsibility for past compliance failures,” said Middle District of Florida Acting U.S. Attorney Stephen Muldrow.

In addition to paying the settlement amount, 21st Century Oncology has entered into a 5-year Corporate Integrity Agreement with the HHS’ Office of Inspector General (OIG).

The post $2.3 Million 21st Century Oncology HIPAA Settlement Agreed with OCR appeared first on HIPAA Journal.

November 2017 Healthcare Data Breach Report

Posted by HIPAA Journal

In November 2017, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) received 21 reports of healthcare data breaches that impacted more than 500 individuals; the second consecutive month when reported breaches have fallen.

healthcare data breaches by month (November 2017)

While the number of breaches was down month on month, the number of individuals impacted by healthcare data breaches increased from 71,377 to 107,143.

breached healthcare records November 2017

Main Causes of November 2017 Healthcare Data Breaches

In November there was an even spread between hacking/IT incidents, unauthorized disclosures, and theft/loss of paper records or devices containing ePHI, with six breaches each. There were also three breaches reported involving the improper disposal of PHI and ePHI. Two of those incidents involved paper records and one involved a portable electronic device.

The two largest data breaches reported in November – the 32,000-record breach at Pulmonary Specialists of Louisville and the 16,474-record breach at Hackensack Sleep and Pulmonary Center – were both hacking/IT incidents. The former involved an unauthorized individual potentially gaining access to electronic medical records, while the latter was a ransomware attack.

Seven of the 21 breaches reported in November impacted more than 5,000 individuals. The mean breach size was 5,102 records. The median breach size was 1,551 records.

 

causes of healthcare data breaches November 2017

records exposed by breach type

Location of Exposed and Stolen Protected Health Information

The OCR breach reports show the importance of implementing physical safeguards to ensure the confidentiality of paper records. In November, one third of reported data breaches (7 incidents) involved paper/films. Last month there were five reported incidents involving paper records.

A recent Accenture/HIMSS Analytics survey revealed email was the most common vector in cyberattacks on healthcare organizations. That was the case in October when email was the common location of breached data. In November, email was the second most common location of breached PHI behind paper films, with four email-related breaches reported.  There was an even spread between all other locations of breached PHI.

Location of PHI in November 2017 healthcare data breaches

 

November 2017 Healthcare Data Breaches by Covered Entity Type

November 2017 saw 19 data breaches reported by healthcare providers and two breaches affecting health plans. The breach reports indicate no business associates of covered entities were involved in any incidents reported in November.

 November 2017 Healthcare Data Breaches by Covered Entity Type

 

Largest Healthcare Data Breaches of November 2017

 

Breached Entity Entity Type Breach Type Individuals Affected
Pulmonary Specialists of Louisville, PSC Healthcare Provider Hacking/IT Incident 32,000
Hackensack Sleep and Pulmonary Center Healthcare Provider Hacking/IT Incident 16,474
Shop-Rite Supermarkets, Incorporated Healthcare Provider Improper Disposal 12,172
The Medical College of Wisconsin, Inc. Healthcare Provider Hacking/IT Incident 9,500
Valley Family Medicine Healthcare Provider Unauthorized Access/Disclosure 8,450
Sports Medicine & Rehabilitation Therapy, Inc. Healthcare Provider Hacking/IT Incident 7,000
Humana Inc Health Plan Unauthorized Access/Disclosure 5,764
Alere Toxicology Healthcare Provider Unauthorized Access/Disclosure 2,146
Family & Cosmetic Dentistry of the Rockies Healthcare Provider Improper Disposal 1,850
Aetna Inc. Health Plan Unauthorized Access/Disclosure 1,600

 

November 2017 Healthcare Data Breaches by State

The reported breaches in November were spread across 15 states. The states worst affected were Kentucky and Massachusetts with 3 breaches apiece, followed by Colorado and New Jersey each with 2 breaches. One breach was reported by healthcare organizations based in Alabama, California, Connecticut, Florida, Indiana, New York, Pennsylvania, Texas, Virginia, Washington, and Wisconsin.

The post November 2017 Healthcare Data Breach Report appeared first on HIPAA Journal.

Noncompliance with HIPAA Costs Healthcare Organizations Dearly

Posted by HIPAA Journal

Noncompliance with HIPAA can carry a significant cost for healthcare organizations, yet even though the penalties for HIPAA violations can be considerable, many healthcare organizations have substandard compliance programs and are violating multiple aspects of HIPAA Rules.

The Department of Health and Human Services’ Office for Civil Rights (OCR) commenced the much delayed second phase of HIPAA compliance audits last year with a round of desk audits, first on healthcare organizations and secondly on business associates of covered entities.

Those desk audits revealed many healthcare organizations are either struggling with HIPAA compliance, or are simply not doing enough to ensure HIPAA Rules are followed.

The preliminary results of the desk audits, released by OCR in September, showed healthcare organizations’ compliance efforts were largely inadequate. 94% of organizations had inadequate risk management plans, 89% were rated as inadequate on patients’ right to access their PHI, and 83% had performed inadequate risk analyses. It would appear that for many healthcare organizations, little has changed since the first phase of compliance audits were conducted in 2011/2012. Noncompliance with HIPAA is still widespread.

A few years ago, the risk of the discovery of a HIPAA violation was relatively low. Even when HIPAA violations were discovered, OCR rarely issued financial penalties. Similarly, even though the HITECH Act permits state attorneys general to issue fines for HIPAA violations, relatively few have exercised that right.

Today, the risk of HIPAA violations being discovered is significantly higher. Patients are now much more knowledgeable about their rights under HIPAA, and OCR has made it easy for them to file complaints about suspected HIPAA violations. HIPAA complaints are investigated by OCR.

The rise in cyberattacks on healthcare organizations mean data breaches are now far more likely to occur. A recent study by HIMSS Analytics/Mimecast showed 78% of healthcare organizations have experienced a ransomware or malware attack in the past 12 months, while an Accenture/AMA report showed 83% of physicians have experienced a cyberattack.

OCR investigates all breaches of more than 500 records to determine whether HIPAA Rules are being followed. When a breach occurs, organizations’ HIPAA compliance programs will be scrutinized.

OCR has also stepped up enforcement of HIPAA Rules and financial penalties are far more common. Since January 1, 2016, there have been 20 settlements reached between OCR and HIPAA covered entities and their business associates, and two civil monetary penalties issued.

OCR has yet to state whether financial penalties will be pursued as a result of the HIPAA audits, but OCR is not expected to turn a blind eye to major HIPAA failures. Multiple violations of HIPAA Rules could well see financial penalties pursued.

The higher likelihood of a data breach occurring or a complaint being filed means noncompliance with HIPAA is likely to be discovered. But what are the costs of noncompliance with HIPAA? What are the incentives for ensuring all HIPAA Rules are followed?

The Cost of Noncompliance with HIPAA

The high cost of HIPAA noncompliance has been summarized in the infographic below:

 

The Cost of Noncompliance with HIPAA

The post Noncompliance with HIPAA Costs Healthcare Organizations Dearly appeared first on HIPAA Journal.

AMA Study Reveals 83% of Physicians Have Experienced a Cyberattack

Posted by HIPAA Journal

Following the HIMSS Analytics/Mimecast survey that revealed 78% of healthcare organizations have experienced a ransomware or malware attack in the past 12 months, comes a new report on healthcare cybersecurity from the American Medical Association (AMA) and Accenture.

The Accenture/AMA survey was conducted on 1,300 physicians across the United States and aimed to take the ‘physician’s pulse on cybersecurity.’ The survey confirmed that it is no longer a case of whether a cyberattack will be experienced, it is just a matter of when cyberattacks will occur and how frequently.

83% of physicians who took part in the survey said they had previously experienced a cyberattack. When asked about the nature of the cyberattacks, the most common type was phishing. 55% of physicians who had experienced a cyberattack said the incident involved phishing – A similar finding to the HIMSS Analytics survey which revealed email was the top attack vector in healthcare.

48% of physicians who experienced a cyberattack said computer viruses such as malware and ransomware were involved. Physicians at medium to large practices were twice as likely to experience those types of cyberattacks than those at small practices.

When cyberattacks occur, they can result in considerable downtime. 64% of physicians said they experienced up to 4 hours of downtime following an attack, while 29% of physicians at medium-sized practices experienced downtime of up to one day.

Given the frequency of cyberattacks and the difficulty physician practices have at preventing those attacks, it is not surprising that the threat of attack is a major cause of concern. 55% of physicians were very or extremely worried about further cyberattacks at their practice. 74% said they were most concerned that future attacks would disrupt clinical practices and the same percentage were concerned that cyberattacks would result in breaches of patients’ protected health information. 53% were concerned that cyberattacks would have an impact on patient safety.

Physicians are aware that HIPAA compliance is important for cybersecurity, but simply doing the minimum and ensuring HIPAA requirements are met is not sufficient to prevent attacks. 83% of physicians said a more holistic approach to prioritizing risks is required than simply complying with HIPAA.

Kaveh Safavi, head of Accenture’s global practice said “Physician practices should not rely on compliance alone to enhance their security profile. Keeping pace with the sophistication of cyberattacks demands that physicians strengthen their capabilities, build resilience and invest in new technologies to support a foundation of digital trust with patients.”

Interestingly, while 87% of physicians believed their practice was compliant with HIPAA Rules, two thirds of physicians still have basic questions about HIPAA, suggesting their compliance programs may not be quite as comprehensive as they believe.

While the sharing of ePHI can introduce new risks, 85% believed PHI sharing was important, and 2 in 3 physicians thought that more access to patient data could improve the care provided to patients.

“New research shows that most physicians think that securely exchanging electronic data is important to improve health care. More support from the government, technology and medical sectors would help physicians with a proactive cybersecurity defense to better ensure the availability, confidentially and integrity of health care data,” said AMA President David. O. Barbe.

The post AMA Study Reveals 83% of Physicians Have Experienced a Cyberattack appeared first on HIPAA Journal.

City of Portland Apologizes for Sharing PHI of HIV Positive Patients Without Prior Consent

Posted by HIPAA Journal

information with third parties without first obtaining consent from patients. That has led some patients and healthcare officials to believe the City of Portland violated HIPAA by sharing information on HIV-positive patients with the University of Southern Maine without first obtaining consent.

Portland runs a HIV-positive health program, and individuals enrolled in that program were not informed that some of their information – their name, address, phone number and HIV positive status – would be shared with USM’s Muskie School of Public Service (MSPS).

The information was shared in order for MSPS to conduct a survey on behalf of the city.  When that survey was conducted, it became clear to patients that some of their PHI had been shared without their knowledge. Two patients complained that their privacy had been violated.  Following receipt of the complaints, the city suspended its survey and conducted an investigation into the alleged privacy violation.

While the HIPAA Privacy Rule does restrict the sharing of PHI with third parties, there are exceptions. Officials at the City of Portland maintain that HIPAA Rules were not violated. HIPAA does permit healthcare organizations to share PHI with third parties for research programs, and in such cases, consent from patients is not a requirement, provided certain conditions are met.

While HIPAA Rules may not have been violated, the City of Portland will be issuing a written apology to all affected patients – which number more than 200 – about the privacy violation. The letter, written by Portland’s public health director, Dr. Kolawole Bankole, said, “We have learned important lessons from this experience and are implementing new and updated policies and procedures for ensuring that our health care entities and programs better communicate with patients regarding uses and disclosures of their patient’s [PHI] for these types of research, program evaluation and business associate-related purposes going forward.”

While some city officials do not believe HIPAA Rules have been violated, that view is not shared by all. Dr. Ann Lemire, a former director of Portland’s India Street clinic had previously warned the city not to share the list of patients with USM researchers as doing so would be a violation of HIPAA. Lemire told the Press Herald, “I feel our patients have been violated and continue to be treated poorly and without respect.”

While HIPAA Rules may allow Portland to share PHI in this instance, information appears to have been shared before both parties entered into a business associate agreement. According to USM’s assistant provost for research, Ross Hickey, the list of patients was shared before a business associate agreement was obtained. After receiving the list, USM requested a BAA. That BAA was subsequently provided, in which the responsibilities USM had with respect to PHI were detailed.

In this case, the BAA made no difference to how USM secured the list and restricted access to the shared PHI, as strict privacy and security policies were already in place. However, the sharing of the list before entering into a BAA is something the Department of Health and Human Services’ Office for Civil Rights may choose to investigate, in addition to determining whether consent should have been obtained from patients before the information was shared.

If it is discovered that HIPAA Rules were violated there is potential for a financial penalty, either from OCR or the Maine attorney general, who since the HITECH Act was passed, is also permitted to take action against organizations discovered to have violated HIPAA Rules.

The post City of Portland Apologizes for Sharing PHI of HIV Positive Patients Without Prior Consent appeared first on HIPAA Journal.