ONC Expands TEFCA with Two Additional Health Information Networks

Posted by Steve Alder

The Office of the National Coordinator for Health Information Technology (ONC) at the Department of Health and Human Services (HHS) has announced that two new organizations have been designated as Qualified Health Information Networks (QHINs) and have been added to the nationwide data exchange governed by the Trusted Exchange Framework and Common Agreement (TEFCA).

TEFCA was envisioned by the 21st Century Cures Ac to support nationwide interoperability and became operational in December 2023 when the first five QHINs were designated by ONC – eHealth Exchange, Epic Nexus, Health Gorilla, KONZA, and MedAllies. The addition of two new QHINs – CommonWell Health Alliance and Kno2 – brings the total up to seven.

ONC has confirmed that CommonWell Health Alliance and Kno2 can immediately begin supporting the exchange of data under TEFCA and can provide shared services and governance to securely route queries, responses, and messages across networks for healthcare stakeholders including patients, providers, hospitals, health systems, payers, and public health agencies.

“These additional QHINs expand TEFCA’s reach and provide additional connectivity choices for patients, health care providers, hospitals, public health agencies, health insurers, and other authorized health care professionals,” said Micky Tripathi, Ph.D., national coordinator for health information technology. “On behalf of ONC, I want to congratulate CommonWell Health Alliance and Kno2 for their achievement.”

The post ONC Expands TEFCA with Two Additional Health Information Networks appeared first on HIPAA Journal.

5 Best Practices for Healthcare Data Breach Incident Response and Reporting

Posted by Steve Alder

Healthcare data breach incident response and reporting is a key area of regulatory compliance for organizations in the healthcare industry, yet there are many examples in HHS’ Breach Report where the Office of Civil Rights has had to “provide technical assistance regarding [compliance with] the HIPAA Breach Notification Rule”. This implies that covered entities and business associates are failing to respond to and report healthcare data breaches in a timely manner.  

The Archive section of HHS’ Breach Report is a mine of valuable information about the true causes of HIPAA data breaches. Most of the 5,000+ entries have a dropdown box which reveals the nature of the breach, how it occurred, and the steps taken by the notifying entity to mitigate the consequences of the breach and to prevent it happening again. However, in more than 1,500 cases it is noted the Office for Civil Rights provided technical assistance regarding the HIPAA Breach Notification Rule.

Most of the 5,000+ data breaches were avoidable. Had the covered entity or business associate responsible for the breach implemented reasonable safeguards and provided adequate HIPAA training, many would never have happened. But while there may be excuses for security shortcomings and human errors, there are no excuses for failing to comply with the HIPAA Breach Notification Rule because the few requirements of the Rule need little understanding.

A further cause for concern is that the 5,000+ data breaches in HHS’ Breach Report are data breaches affecting more than 500 individuals. Each year, HHS’ Office for Civil Rights is notified of more than 60,000 data breaches affecting fewer than 500 individuals. If approximately one-in-three of the accessible reports indicate failures of healthcare data breach incident response and reporting, this implies up to 20,000 data breaches each year are not responded to or reported in a timely manner.

What is a Healthcare Data Breach?

A HIPAA healthcare data breach is defined by HHS as “an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of Protected Health Information (PHI)”. As the Security Rule protects a subset of information covered by the Privacy Rule, the cause of a healthcare data breach can range from a nurse being overheard when discussing a patient’s health condition to a hacker misusing an employee’s credentials to access millions of records in a healthcare database.

It is important to be aware that since 2009, a healthcare data breach includes any event in which PHI is out of a covered entity’s or business associate’s control – i.e., due to a stolen laptop, ransomware attack, etc. Although it may not be possible to determine that an impermissible use or disclosure has occurred, a burden of proof exists for covered entities and business associates to demonstrate an impermissible use or disclosure has not occurred if not responding to or reporting the event.

It is also important to be aware that additional reporting requirements exist in some states, while other states exempt covered entities and business associates from reporting breaches of PHI, but not breaches of individually identifiable information maintained outside a designated record set (i.e., Colorado). Healthcare organizations should bear these additional requirements in mind when applying the following 5 best practices for healthcare data breach incident response and reporting.

5 Response and Reporting Best Practices

The following 5 best practices for healthcare data breach incident response and reporting are the minimum measures a healthcare organization should implement. The best practices follow a logical order and it is important they are conducted as quickly as possible. The longer an individual is unaware their personal information has been compromised, the less time they have to protect themselves against medical identity theft, fraud, and other misuses of the compromised data.

1.      Implement Internal Breach Reporting Procedures

The most important element of healthcare data breach incident response and reporting is getting a message to those responsible for response and reporting as soon as possible. In some cases, Security Incident and Event Management (SIEM) systems can be configured to automatically alert SOC teams to unauthorized network access, but it is more often the case a healthcare data breach is identified by a member of the workforce, a business associate, or a third party – such as a white hat hacker.

In such events, not only is it important for there to be an effective system of communication, but it is also important that internal breach reporting is encouraged by workforce members. It has been estimated that 40% of IT security incidents are “hidden” by workforce members because they believe they will get into trouble if they report them. Tougher sanctions will not resolve this issue, so organizations must develop a culture of forgiveness for IT incidents attributable to human error.

2.      Conduct a Risk Assessment to See if a Breach is Notifiable

While every breach must be responded to, not all are notifiable to affected individuals, HHS’ Office for Civil Rights, and – where applicable – State Attorneys General. Before notifying a data breach, HHS’ Office for Civil Rights recommends conducting a risk assessment to determine whether PHI has been impermissibly used or disclosed. The risk assessment should consist of at least the following factors:

  • The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification.
  • The unauthorized person who used the PHI or to whom the disclosure was made.
  • Whether the PHI was actually acquired or viewed.
  • The extent to which the risk to the PHI has been mitigated.

It is not mandatory to conduct a risk assessment prior to notifying HHS’ Office for Civil Rights of a healthcare data breach; but if a risk assessment finds there is a low probability of PHI having been compromised – or that an exception exists to the HIPAA Breach Notification Rule – organizations can avoid the potential disruption of a compliance investigation. It is also a good business practice not to unnecessarily worry an individual that their personal data has been stolen if you don’t have to!

3.      Advise a Law Enforcement Agency of the Breach

There is a clause in the Breach Notification Rule (45 CFR §164.412) that permits organizations to delay making the required breach notifications if making the notifications would impede a criminal investigation. Without knowing what criminal investigations are ongoing – and notwithstanding that the FBI recommends reporting all Internet crime – it is impossible to determine whether a delay is justified without advising a law enforcement agency of the healthcare data breach.

In addition, it has been calculated that 35% of all data breaches in healthcare are attributable to “insider threats”. It may be in an organization’s best interests to request a law enforcement investigation in order to determine whether a breach is attributable to an insider, and whether it may be repeated. In all circumstances, the law enforcement agency will be able to advise the organization if the organization can go ahead with notifying the breach or if a delay would be advisable.

4.      Notify Individuals and Regulatory Agencies

Subject to the result of the risk assessment and law enforcement advice, individuals who are affected by the data breach should be notified of the data breach as quickly as possible. The content of the notifications and the method of notification are stipulated in 45 CFR §164.404, and it is important to note that the time allowed to notify affected individuals may be shorter in some states than the maximum of 60 days allowed by the by the HIPAA Breach Notification Rule.

With regards to notifying regulatory agencies, the notification requirements vary depending on the size and nature of the breach. For example, HHS’ Office for Civil Rights requires breaches affecting more than 500 individuals to be notified within 60 days, while the limit in Alabama is 1,000 individuals. In addition, in some states it is only necessary to notify data breaches attributable to cybercrime. In these cases, oral and paper data breaches do not have to be notified to the state.

5.      Address the Real Cause of the Breach

Returning to the Archive section of HHS’ Breach Report, many of the data breach descriptions claim the notifying entity or their business associate was the victim of an unspecified cyberattack, ransomware attack, or phishing attack. However, these events do not happen by themselves, and although cybercriminals have access to sophisticated malware, the cybercriminals still have to “get in the door” before the cybercriminals can deploy the malware and execute their attacks.

It has been reported that around 80% of data breaches categorized as “hacking and IT incidents” are attributable to weak, reused, and compromised passwords. Therefore, in terms of addressing the real cause of the breach, healthcare organizations should strengthen password policies, protect sensitive accounts with 2FA, and invest in susceptibility testing. Strengthening all users’ passwords – even those with no access to PHI – is the most effective way to prevent future data breaches.

Keeping Up To Date with Healthcare Data Breach Incident Response and Reporting Best Practices

Healthcare data security is an ongoing process – not only due to the increasing sophistication of internal and external threats, but also due to changing regulatory requirements. Keeping up to date with healthcare data breach incident response and reporting best practices could be vital to safeguard the confidentiality, integrity, and availability of PHI and – as has been proposed – to qualify for participation in CMS’ Medicare and Medicaid programs.

It can be difficult for healthcare organizations to monitor compliance with the healthcare data breach incident response and reporting requirements when compliance with other laws, regulations, and standards also has to be monitored. However, there are software solutions that can help resolve this issue, and organizations interested in investigating software solutions for keeping up to date with all healthcare compliance best practices are advised to seek professional compliance advice.

The post 5 Best Practices for Healthcare Data Breach Incident Response and Reporting appeared first on HIPAA Journal.

Bipartisan Bill Aims to Ensure the HHS is Implementing Effective Cybersecurity Measures

Posted by Steve Alder

A bipartisan Senate bill has been introduced that aims to improve healthcare cybersecurity and ensure that the Department of Health and Human Services (HHS) is implementing effective cybersecurity measures to combat evolving cyber threats. In 2023, record numbers of healthcare records were compromised, and more data breaches were reported than in any other year to date. More than 133 million healthcare records were compromised in 2023 across more than 725 reported breaches, the majority of which were hacking incidents.

Healthcare organizations must ensure that they are compliant with the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, which sets minimum standards for cybersecurity. The HHS is the main enforcer of compliance with the HIPAA Rules and issues guidance on healthcare cybersecurity. The HHS also manages the health data of approximately 65 million Americans who receive healthcare services through Medicare. As such, it is vital that the cybersecurity measures at the HHS are robust and capable of defending against evolving cyber threats.

The Strengthening Cybersecurity in Health Care Act was introduced by Senator Angus King (I-MA), Co-Chair of the Cybersecurity Solarium Commission and a member of the Senate Armed Services (SASC) and Intelligence Committees (SSCI), and Senator Marco Rubio (R-FL) and takes aim at the HHS and the cybersecurity protocols and practices that the HHS has introduced to combat evolving cyber threats.

“In recent years, several of Maine’s major healthcare providers have been the victims of cyberattacks. This threat to America’s critical infrastructure is real, and could literally mean the difference between life and death — we must take proactive steps to enhance the cybersecurity of our healthcare and public health sectors,” said Senator King. “The bipartisan Strengthening Cybersecurity in Health Care Act would help ensure that health institutions have the resources to keep patient data safe. As the number of threats continues to grow, consistent evaluations will prove to be a lifeline to the medical community treating our family and friends.”

The Strengthening Cybersecurity in Health Care Act requires the Inspector General of the HHS to evaluate the cybersecurity practices and protocols of the HHS. At least every two years, cybersecurity reviews and penetration tests should be conducted on HHS IT systems, and biennial reports should be submitted to Congress on the current cybersecurity practices at the HHS and its progress on future security practices that it is working on.

The post Bipartisan Bill Aims to Ensure the HHS is Implementing Effective Cybersecurity Measures appeared first on HIPAA Journal.

FTC’s Amended Complaint Against Kochava Survives Motion to Dismiss

Posted by Steve Alder

An amended Federal Trade Commission (FTC) complaint against the data broker Kochava has survived a motion to dismiss. Idaho District Court Judge, B. Lynn Winmill, dismissed the first FTC complaint in May 2022 as the FTC failed to establish that the business practices of Kochava constituted a substantial injury to consumers. In dismissing the complaint, Judge Winmill permitted the FTC to file an amended complaint, which the FTC did in June 2023.

In its complaints, the FTC accused Kochava of invading consumers’ privacy and exposing them to risk by selling their precise geolocation information and other sensitive data to third parties. Geolocation data reveals consumers’ visits to sensitive locations such as abortion clinics, places of worship, addiction treatment facilities, and shelters for survivors of domestic abuse. The FTC explained in its complaint that Kochava obtains sensitive data from other data brokers and does not interact directly with consumers; however, the data amassed by Kochava and sold through its Kochava Collective product is highly granular and contains detailed information about the precise movements of consumers.

The precise geolocation information is obtained from mobile phones which are associated with a persistent and individual identifier. The geolocation data includes consumers’ movements over days, weeks, months, or even years and is accurate to a few meters. As such, it is possible to tell which buildings consumers are in, and in some cases, even the room they are in. The data sold by Kochava directly links to the geolocation data and can include information such as names, addresses, email addresses, and phone numbers. Kochava also collects and sells enormous amounts of additional private and sensitive information of consumers.

Kochava sells data in different forms in the Kochava Collective, which includes precise geolocation data, comprehensive profile of individual consumers (database graph), tracking consumers’ uses of mobile apps (App Graph), and audience segments, which categorize consumers based on identified sensitive and personal characteristics and attributes. The FTC explained in the amended complaint that Kochava’s customers can and do purchase that data and provided an example of the level of detailed information that can be purchased. “Kochava’s data identifies, for example, a woman who visits a particular building, the woman’s name, email address, and home address, and whether the woman is African-American, a parent (and if so, how many children), or has an app identifying symptoms of cancer on her phone.” The FTC said Kochava makes it clear to potential buyers that the purpose of the Kochava Collective is to sell this level of granular consumer data.

The FTC alleges the sale of this information harms consumers in two ways. Consumers are put at risk of suffering secondary harms such as discrimination, stigma, emotional distress, and physical violence, and secondly, it invades their privacy. While the initial complaint failed to sufficiently allege a substantial injury, Judge Winmill ruled that the FTC included sufficient facts in its amended complaint to support both types of harm and the detail was sufficient to satisfy the liberal plausibility standard that the alleged practices of Kochava may violate Section 5 of the FTC Act which covers unfair business practices.

While Kochava’s motion to dismiss was denied, the company still believes that it will prevail. A spokesperson for Kochava said, “Kochava has always operated consistently and proactively in compliance with all rules and laws, including those specific to privacy.” Prior to the FTC complaint being filed, Kochava had already implemented measures to protect consumer privacy, including implementing the Privacy Block feature, which blocks geolocation data from sensitive locations such as those stated in the FTC complaint.

The FTC has been pursuing data brokers over the sale of sensitive data to third parties and recently announced settlements with X-Mode Social/Outlogic and InMarket Media, which the FTC claims have put companies on notice that the period of unchecked monetization and surveillance of consumers’ sensitive data is over.

The post FTC’s Amended Complaint Against Kochava Survives Motion to Dismiss appeared first on HIPAA Journal.