Latest HIPAA News

OCR Head Expects Major HIPAA Settlement for a Big, Juicy, Egregious Breach in 2017

Posted by HIPAA Journal

Roger Severino, the Director of the Department of Health and Human Services’ Office for Civil Rights (OCR) has stated his main enforcement priority for 2017 is to find a “big, juicy, egregious” HIPAA breach and to use it as an example for other healthcare organizations of the dangers of failing to follow HIPAA Rules.

When deciding on which cases to pursue, OCR considers the opportunity to use the case as an educational tool to remind covered entities of the need to comply with specific aspects of HIPAA Rules.

At the recent ‘Safeguarding Health Information’ conference run by OCR and NIST, Severino explained that “I have to balance that law enforcement instinct with the educational component that we do.” Severino went on to say, “I really want to make sure people come into compliance without us having to enforce. I want to underscore that.”

Severino did not explain what aspect of noncompliance with HIPAA Rules OCR is hoping to highlight with its next big, juicy settlement, although no healthcare organization is immune to a HIPAA penalty if they are found to have violated HIPAA Rules. Severino said, “Just because you are small doesn’t mean we’re not looking and that you are safe if you are violating the law. You won’t be.”

Severino also explained that the number of complaints OCR is now receiving is colossal. More than 20,000 complaints about security incidents and privacy violations are received each year. OCR has many staff issuing technical assistance to help covered entities with their compliance programs.  The goal is to significantly reduce the number of complaints and enjoy a “culture of compliance” throughout the country.

The majority of HIPAA violations are resolved through technical assistance and voluntary compliance, but financial penalties are appropriate for egregious breaches of HIPAA Rules.

Already this year, OCR has agreed eight settlements with covered entities to resolve HIPAA violations discovered during investigations of complaints and data breaches and has issued one civil monetary penalty:

2017 HIPAA Enforcement Actions

  • Memorial Healthcare System – $5.5 million
  • Children’s Medical Center of Dallas- $3.2 million (Civil monetary penalty)
  • Cardionet – $2.5 million
  • Memorial Hermann Health System (MHHS) – $2.4 million
  • MAPFRE Life Insurance Company of Puerto Rico – $2.2 million
  • Presense Health – $475,000
  • Metro Community Provider Network – $400,000
  • Luke’s-Roosevelt Hospital Center Inc. – $387,000
  • The Center for Children’s Digestive Health – $31,000

The largest HIPAA settlement of 2017 was agreed with Memorial Healthcare System – a health system consisting of 6 hospitals and various other facilities in South Florida. The settlement of $5.5 million resolved potential violations of HIPAA Rules relating to the impermissible accessing of ePHI by employees and the impermissible disclosure of PHI to affiliated physician office staff.  The settlement underscored the importance of audit controls and the need to carefully control who has access to the ePHI.

The second largest HIPAA settlement of 2017 was for $2.5 million and resolved multiple potential violations of HIPAA Rules that contributed to a breach of 1,391 patient records. The incident involved the theft of an unencrypted laptop computer from healthcare services provider Cardionet. The settlement underscored the importance of conducting a comprehensive risk assessment and of addressing vulnerabilities to the confidentiality of ePHI.

In May, OCR announced a $2.4 million settlement with Memorial Hermann Health System. The settlement resolved HIPAA violations discovered during the investigation of an impermissible disclosure of a patient’s ePHI in a press release and during subsequent meetings with advocacy groups and state representatives.

In January, a $2.2 million settlement was agreed with MAPFRE Life Insurance Company of Puerto Rico. The incident that triggered the investigation involved the theft of an unencrypted pen drive containing the PHI of 2,209 individuals. The investigation revealed multiple violations of HIPAA Rules including the failure to conduct a thorough and accurate risk assessment, the failure to implement a security awareness training program, the failure to encrypt ePHI and the failure to implement appropriate policies to safeguard ePHI.

The civil monetary penalty against Children’s Medical Center of Dallas was issued for the impermissible disclosure of ePHI and multiple failures to comply with the HIPAA Security Rule over several years. The settlement resolves HIPAA failures that contributed to a breach of 3,800 records involving the loss of an unencrypted Blackberry device in 2009 and the loss of an unencrypted laptop containing 2,462 records in 2013.

There has been a period of quiet on the enforcement front over the summer, with the last settlement announced in May. The fall is likely to see more settlements announced and this year looks on track to be another record year for HIPAA enforcement. The big, juicy egregious breach that OCR is looking for may prove to be the largest HIPAA penalty yet.

The post OCR Head Expects Major HIPAA Settlement for a Big, Juicy, Egregious Breach in 2017 appeared first on HIPAA Journal.

HHS Issues Partial Waiver of Sanctions and Penalties for Privacy Rule Violations in Hurricane Harvey Disaster Zone

Posted by HIPAA Journal

During emergencies such as natural disasters, complying with all HIPAA Privacy Rule provisions can be a challenge for hospitals and can potentially have a negative impact on patient care and disaster relief efforts.

In emergency situations, HIPAA Rules still apply. The HIPAA Privacy Rule allows patient information to be shared to help with disaster relief efforts and ensure patients get the care they need.

The Privacy Rule permits covered entities to share patient information for treatment purposes, for public health activities, to disclose patient information to family, friends and others involved in a patient’s care, to prevent or lessen a serious and imminent threat to the health and safety of a person or the public and, under certain circumstances, allows covered entities to share limited information with the media and other individuals not involved in a patient’s care (45 CFR 164.510(a)).

In such cases, any disclosures must be limited to the minimum necessary information to accomplish the purpose for which the information is being disclosed.

However, disasters often call for a relaxation of HIPAA Rules and the Secretary of the Department of Health and Human may choose to waive certain provisions of the HIPAA Privacy Rule under Project Bioshield Act of 2004 (PL 108-276) and section 1135(b)(7) of the Social Security Act.

During the Ebola crisis in November 2014, OCR issued a waiver for certain requirements of HIPAA Rules, as was the case in the immediate aftermath of Hurricane Katrina when a waiver was issued for certain Privacy Rule provisions.

Yesterday, HHS Secretary Tom Price announced that OCR will waive sanctions and financial penalties for specific Privacy Rule violations against hospitals in Texas and Louisiana that are in the Hurricane Harvey disaster area.

The waiver only applies to the provisions of the HIPAA Privacy Rule as detailed below:

  • The requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care. See 45 CFR 164.510(b).
  • The requirement to honor a request to opt out of the facility directory. See 45 CFR 164.510(a).
  • The requirement to distribute a notice of privacy practices. See 45 CFR 164.520.
  • The patient’s right to request privacy restrictions. See 45 CFR 164.522(a).
  • The patient’s right to request confidential communications. See 45 CFR 164.522(b)

These waivers only apply to hospitals in the emergency areas that have been identified in the public health emergency declaration.

The waiver only applies if hospitals have instituted a disaster protocol and the waiver applies for 72 hours after the disaster protocol has been implemented. The waiver will also only apply until the Presidential or Secretarial declaration terminates, even if the 72 hours has not elapsed.

Further information on the limited waiver of HIPAA sanctions and penalties as a result of Hurricane Harvey can be viewed in this HIPAA bulletin from HHS.

The post HHS Issues Partial Waiver of Sanctions and Penalties for Privacy Rule Violations in Hurricane Harvey Disaster Zone appeared first on HIPAA Journal.

HHS Issues Partial Waiver of Sanctions and Penalties for Privacy Rule Violations in Hurricane Harvey Disaster Zone

Posted by HIPAA Journal

During emergencies such as natural disasters, complying with all HIPAA Privacy Rule provisions can be a challenge for hospitals and can potentially have a negative impact on patient care and disaster relief efforts.

In emergency situations, HIPAA Rules still apply. The HIPAA Privacy Rule allows patient information to be shared to help with disaster relief efforts and ensure patients get the care they need.

The Privacy Rule permits covered entities to share patient information for treatment purposes, for public health activities, to disclose patient information to family, friends and others involved in a patient’s care, to prevent or lessen a serious and imminent threat to the health and safety of a person or the public and, under certain circumstances, allows covered entities to share limited information with the media and other individuals not involved in a patient’s care (45 CFR 164.510(a)).

In such cases, any disclosures must be limited to the minimum necessary information to accomplish the purpose for which the information is being disclosed.

However, disasters often call for a relaxation of HIPAA Rules and the Secretary of the Department of Health and Human may choose to waive certain provisions of the HIPAA Privacy Rule under Project Bioshield Act of 2004 (PL 108-276) and section 1135(b)(7) of the Social Security Act.

During the Ebola crisis in November 2014, OCR issued a waiver for certain requirements of HIPAA Rules, as was the case in the immediate aftermath of Hurricane Katrina when a waiver was issued for certain Privacy Rule provisions.

Yesterday, HHS Secretary Tom Price announced that OCR will waive sanctions and financial penalties for specific Privacy Rule violations against hospitals in Texas and Louisiana that are in the Hurricane Harvey disaster area.

The waiver only applies to the provisions of the HIPAA Privacy Rule as detailed below:

  • The requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care. See 45 CFR 164.510(b).
  • The requirement to honor a request to opt out of the facility directory. See 45 CFR 164.510(a).
  • The requirement to distribute a notice of privacy practices. See 45 CFR 164.520.
  • The patient’s right to request privacy restrictions. See 45 CFR 164.522(a).
  • The patient’s right to request confidential communications. See 45 CFR 164.522(b)

These waivers only apply to hospitals in the emergency areas that have been identified in the public health emergency declaration.

The waiver only applies if hospitals have instituted a disaster protocol and the waiver applies for 72 hours after the disaster protocol has been implemented. The waiver will also only apply until the Presidential or Secretarial declaration terminates, even if the 72 hours has not elapsed.

Further information on the limited waiver of HIPAA sanctions and penalties as a result of Hurricane Harvey can be viewed in this HIPAA bulletin from HHS.

The post HHS Issues Partial Waiver of Sanctions and Penalties for Privacy Rule Violations in Hurricane Harvey Disaster Zone appeared first on HIPAA Journal.

Lawsuit Filed Against Aetna for Disclosure of HIV Status of Patients

Posted by HIPAA Journal

A class action lawsuit has been filed against Aetna following a privacy breach that saw the HIV positive status of up to 12,000 individuals impermissibly disclosed. The incident occurred during a recent mailing, when details of prescribed HIV medications were visible through the clear plastic windows of envelopes, along with individuals’ names and addresses.

The letters related to pharmacy benefits and information on how HIV medications could be received. As a result of an error, which has been attributed to letters slipping inside the envelopes, many individuals had had their HIV status disclosed to neighbors, family members and roommates. While breach notification letters have been sent to 12,000 individuals who received the mailing, it is unclear exactly how many individuals had details of their HIV medications disclosed.

Last week, Aetna announced that “this type of mistake is unacceptable,” and confirmed action was being taken to ensure proper safeguards are put in place to prevent similar incidents from happening. However, for individuals affected by the error, serious and irreparable harm has been caused.

The Legal Action Center and AIDS Law Project of Pennsylvania sent a letter to Aetna last week demanding the insurer stop sending mail that “illegally discloses” plan members are taking HIV medication.” Now, a class-action lawsuit has been filed in the U.S. District Court for the Eastern District of Pennsylvania by both organizations and their legal team from Berger & Montague, P.C. The lawsuit demands that Aetna cease the practice of sending information relating to HIV medications in the mail and that it reforms procedures and pays damages.

In a recent press release, the AIDS Law Project explained that the disclosure has caused turmoil for some Aetna members whose HIV positive status was disclosed. The press release cited one example of a couple in Florida who have been forced to move home as a result of the disclosure out of fear and embarrassment.

In another example, the sister of a 52-year old man from Bucks County, PA found out he was taking HIV medication after viewing the information through the envelope. That man is the lead plaintiff in the class action lawsuit. In his case, he does not have HIV, but takes the medication as part of a regimen of pre-exposure prophylaxis to prevent him from contracting the virus.

The purpose of the Aetna correspondence was to address alleged privacy violations raised in two lawsuits in 2014 and 2015, which were filed after the company required customers to receive their HIV medications in the mail. The plaintiffs claimed such actions could breach their privacy. The cases were settled, and the letter was sent on July 28, 2017 in relation to the change in its HIV medication procedures.

When the press release was issued, six AIDS service organizations across the United States had received “dozens” of complaints from customers about the mailing.

Sally Friedman, legal director of the Legal Action Center said, “Some have lost housing, and others have been shunned by loved ones because of the enormous stigma that HIV still carries. This case seeks justice for these individuals. Insurers like Aetna must be held accountable when they fail to vigorously protect people’s most private health information.”

The post Lawsuit Filed Against Aetna for Disclosure of HIV Status of Patients appeared first on HIPAA Journal.

Lawsuit Filed Against Aetna for Disclosure of HIV Status of Patients

Posted by HIPAA Journal

A class action lawsuit has been filed against Aetna following a privacy breach that saw the HIV positive status of up to 12,000 individuals impermissibly disclosed. The incident occurred during a recent mailing, when details of prescribed HIV medications were visible through the clear plastic windows of envelopes, along with individuals’ names and addresses.

The letters related to pharmacy benefits and information on how HIV medications could be received. As a result of an error, which has been attributed to letters slipping inside the envelopes, many individuals had had their HIV status disclosed to neighbors, family members and roommates. While breach notification letters have been sent to 12,000 individuals who received the mailing, it is unclear exactly how many individuals had details of their HIV medications disclosed.

Last week, Aetna announced that “this type of mistake is unacceptable,” and confirmed action was being taken to ensure proper safeguards are put in place to prevent similar incidents from happening. However, for individuals affected by the error, serious and irreparable harm has been caused.

The Legal Action Center and AIDS Law Project of Pennsylvania sent a letter to Aetna last week demanding the insurer stop sending mail that “illegally discloses” plan members are taking HIV medication.” Now, a class-action lawsuit has been filed in the U.S. District Court for the Eastern District of Pennsylvania by both organizations and their legal team from Berger & Montague, P.C. The lawsuit demands that Aetna cease the practice of sending information relating to HIV medications in the mail and that it reforms procedures and pays damages.

In a recent press release, the AIDS Law Project explained that the disclosure has caused turmoil for some Aetna members whose HIV positive status was disclosed. The press release cited one example of a couple in Florida who have been forced to move home as a result of the disclosure out of fear and embarrassment.

In another example, the sister of a 52-year old man from Bucks County, PA found out he was taking HIV medication after viewing the information through the envelope. That man is the lead plaintiff in the class action lawsuit. In his case, he does not have HIV, but takes the medication as part of a regimen of pre-exposure prophylaxis to prevent him from contracting the virus.

The purpose of the Aetna correspondence was to address alleged privacy violations raised in two lawsuits in 2014 and 2015, which were filed after the company required customers to receive their HIV medications in the mail. The plaintiffs claimed such actions could breach their privacy. The cases were settled, and the letter was sent on July 28, 2017 in relation to the change in its HIV medication procedures.

When the press release was issued, six AIDS service organizations across the United States had received “dozens” of complaints from customers about the mailing.

Sally Friedman, legal director of the Legal Action Center said, “Some have lost housing, and others have been shunned by loved ones because of the enormous stigma that HIV still carries. This case seeks justice for these individuals. Insurers like Aetna must be held accountable when they fail to vigorously protect people’s most private health information.”

The post Lawsuit Filed Against Aetna for Disclosure of HIV Status of Patients appeared first on HIPAA Journal.

FDA Announces Voluntary Recall of St. Jude Medical Implantable Cardiac Pacemakers

Posted by HIPAA Journal

The U.S. Food and Drug Administration (FDA) is recommending all patients with vulnerable St. Jude Medical implantable cardiac pacemakers visit their providers to have the firmware on their devices updated. The update will make the devices more resilient to cyberattacks.

Last year, MedSec Holdings passed on the findings of a study of cybersecurity vulnerabilities in St. Jude Medical devices to the short-selling firm Muddy Waters Capital. The report identified a number of vulnerabilities that could be exploited to alter the functioning of the devices and drain batteries prematurely.

While St. Jude Medical initially denied the vulnerabilities existed, the FDA investigated the claims and confirmed that remotely exploitable vulnerabilities were present in certain St. Jude Medical Products.

Now, a year after the vulnerabilities were disclosed, the FDA has announced a voluntary recall of the devices to update the firmware to prevent the devices from being hacked via radio frequency communications.

There are between 450,000 and 500,000 vulnerable devices currently in use in the United States and a recall of this scale will almost certainly cause problems for healthcare providers. The FDA and Abbot Laboratories, which acquired St. Jude Medical last year, have suggested patients have the firmware upgrade applied at their next scheduled visit to their healthcare provider rather than make a separate visit.

The recall does not apply to implantable cardiac defibrillators or cardiac resynchronization ICDs, only to the following St. Jude Medical pacemakers:

  • Accent SR RF™
  • Accent MRI™
  • Assurity™
  • Assurity MRI™
  • Accent DR RF™
  • Anthem RF™
  • Allure RF™
  • Allure Quadra RF™
  • Quadra Allure MP RF™

The update will require any device attempting to communicate with the implanted pacemaker to be authenticated via the Merlin Programmer and Merlin@home Transmitter. All Abbott Laboratories devices manufactured after August 28, 2017 will include the updated firmware. The firmware update was released on August 29.

The FDA has not recommended devices be removed and replaced as the firmware update will make the devices secure. The update is a quick and simple process that takes just three minutes, although patients will be required to visit their providers to have the update applied. The update cannot be issued remotely as there is “a low risk [<0.023%] of update malfunction”.  During the update, the device will continue to function in backup mode and life-saving functionality will be maintained. The devices will return to normal settings after the update has been applied.

It has been more than a year since the report of the vulnerabilities was published, although during that time there have been no reported attacks or harm caused to patients. The Department of Homeland Security says exploiting the vulnerabilities would require “a highly complex set of circumstances.”

“All industries need to be constantly vigilant against unauthorized access,” said Robert Ford, executive vice president, Medical Devices at Abbot Laboratories. He explained, “[cybersecurity] isn’t a static process, which is why we’re working with others in the healthcare sector to ensure we’re proactively addressing common topics to further advance the security of devices and systems.”

The post FDA Announces Voluntary Recall of St. Jude Medical Implantable Cardiac Pacemakers appeared first on HIPAA Journal.

FDA Announces Voluntary Recall of St. Jude Medical Implantable Cardiac Pacemakers

Posted by HIPAA Journal

The U.S. Food and Drug Administration (FDA) is recommending all patients with vulnerable St. Jude Medical implantable cardiac pacemakers visit their providers to have the firmware on their devices updated. The update will make the devices more resilient to cyberattacks.

Last year, MedSec Holdings passed on the findings of a study of cybersecurity vulnerabilities in St. Jude Medical devices to the short-selling firm Muddy Waters Capital. The report identified a number of vulnerabilities that could be exploited to alter the functioning of the devices and drain batteries prematurely.

While St. Jude Medical initially denied the vulnerabilities existed, the FDA investigated the claims and confirmed that remotely exploitable vulnerabilities were present in certain St. Jude Medical Products.

Now, a year after the vulnerabilities were disclosed, the FDA has announced a voluntary recall of the devices to update the firmware to prevent the devices from being hacked via radio frequency communications.

There are between 450,000 and 500,000 vulnerable devices currently in use in the United States and a recall of this scale will almost certainly cause problems for healthcare providers. The FDA and Abbot Laboratories, which acquired St. Jude Medical last year, have suggested patients have the firmware upgrade applied at their next scheduled visit to their healthcare provider rather than make a separate visit.

The recall does not apply to implantable cardiac defibrillators or cardiac resynchronization ICDs, only to the following St. Jude Medical pacemakers:

  • Accent SR RF™
  • Accent MRI™
  • Assurity™
  • Assurity MRI™
  • Accent DR RF™
  • Anthem RF™
  • Allure RF™
  • Allure Quadra RF™
  • Quadra Allure MP RF™

The update will require any device attempting to communicate with the implanted pacemaker to be authenticated via the Merlin Programmer and Merlin@home Transmitter. All Abbott Laboratories devices manufactured after August 28, 2017 will include the updated firmware. The firmware update was released on August 29.

The FDA has not recommended devices be removed and replaced as the firmware update will make the devices secure. The update is a quick and simple process that takes just three minutes, although patients will be required to visit their providers to have the update applied. The update cannot be issued remotely as there is “a low risk [<0.023%] of update malfunction”.  During the update, the device will continue to function in backup mode and life-saving functionality will be maintained. The devices will return to normal settings after the update has been applied.

It has been more than a year since the report of the vulnerabilities was published, although during that time there have been no reported attacks or harm caused to patients. The Department of Homeland Security says exploiting the vulnerabilities would require “a highly complex set of circumstances.”

“All industries need to be constantly vigilant against unauthorized access,” said Robert Ford, executive vice president, Medical Devices at Abbot Laboratories. He explained, “[cybersecurity] isn’t a static process, which is why we’re working with others in the healthcare sector to ensure we’re proactively addressing common topics to further advance the security of devices and systems.”

The post FDA Announces Voluntary Recall of St. Jude Medical Implantable Cardiac Pacemakers appeared first on HIPAA Journal.

Researchers Call for Updates to Guidelines for Emailing Patients

Posted by HIPAA Journal

Researchers from Indiana University have conducted a study of current guidelines on emailing patients and have identified major weaknesses, a lack of up-to-date best practices, and outdated security practices that are no longer required due to changes in technology. Additionally, they confirmed there is a lack of information on new methods of communication such as secure texting and a lack of evidence showing the effectiveness of proposed practices for emailing and texting patients.

There was little to no evidence on how using email or text messages to communicate with patients could improve patient outcomes and a lack of information on how new communication tools could be used effectively by practitioners.

The researchers studied 11 sets of guidelines on electronically communicating with patients and found weaknesses across the board. The pace of change of technology is not reflected in the available guidelines, with many of the recommendations no longer required. The researchers were unsure if any of the valid recommendations in the guidelines are actually being followed.

The researchers said providers would benefit from having up-to-date guidance on effective messaging practices in the context of healthcare teams and detailed information on how messaging platforms could be incorporated into workflows. Current guidelines have a focus on technical issues such as platform specifications, when providers would benefit more from guidelines focused on the relational challenges of electronic communication. Practitioners are trained on effective face-to-face communication. The researchers suggest similar training should be provided on electronic communication.

Updates to the guidelines are long overdue, with several guidelines dating back more than a decade. However, before new guidelines can be developed, further research is required to evaluate and identify best practices. The researchers also call for “A framework to evaluate quality of communication, and assess the relationship between electronic communication and quality of care.”

The study – A critical appraisal of guidelines for electronic communication between patients and clinicians: the need to modernize current recommendations – was recently published in the Journal of the American Medical Informatics Association (JAMIA).

The post Researchers Call for Updates to Guidelines for Emailing Patients appeared first on HIPAA Journal.

Researchers Call for Updates to Guidelines for Emailing Patients

Posted by HIPAA Journal

Researchers from Indiana University have conducted a study of current guidelines on emailing patients and have identified major weaknesses, a lack of up-to-date best practices, and outdated security practices that are no longer required due to changes in technology. Additionally, they confirmed there is a lack of information on new methods of communication such as secure texting and a lack of evidence showing the effectiveness of proposed practices for emailing and texting patients.

There was little to no evidence on how using email or text messages to communicate with patients could improve patient outcomes and a lack of information on how new communication tools could be used effectively by practitioners.

The researchers studied 11 sets of guidelines on electronically communicating with patients and found weaknesses across the board. The pace of change of technology is not reflected in the available guidelines, with many of the recommendations no longer required. The researchers were unsure if any of the valid recommendations in the guidelines are actually being followed.

The researchers said providers would benefit from having up-to-date guidance on effective messaging practices in the context of healthcare teams and detailed information on how messaging platforms could be incorporated into workflows. Current guidelines have a focus on technical issues such as platform specifications, when providers would benefit more from guidelines focused on the relational challenges of electronic communication. Practitioners are trained on effective face-to-face communication. The researchers suggest similar training should be provided on electronic communication.

Updates to the guidelines are long overdue, with several guidelines dating back more than a decade. However, before new guidelines can be developed, further research is required to evaluate and identify best practices. The researchers also call for “A framework to evaluate quality of communication, and assess the relationship between electronic communication and quality of care.”

The study – A critical appraisal of guidelines for electronic communication between patients and clinicians: the need to modernize current recommendations – was recently published in the Journal of the American Medical Informatics Association (JAMIA).

The post Researchers Call for Updates to Guidelines for Emailing Patients appeared first on HIPAA Journal.