MGMA asks OCR: Hold UHG responsible for HIPAA breach notifications – Healthcare IT News
MGMA asks OCR: Hold UHG responsible for HIPAA breach notifications Healthcare IT News
FTC Finalizes Changes to Health Breach Notification Rule – HealthLeaders Media
FTC Finalizes Changes to Health Breach Notification Rule HealthLeaders Media
FTC Issues Final Rule Updating Health Breach Notification Rule – HIPAA Journal
FTC Issues Final Rule Updating Health Breach Notification Rule
The Federal Trade Commission (FTC) issued a final rule on April 26, 2024, that updates the FTC Health Breach Notification Rule. The update includes revised definitions that encompass health apps and other technologies not covered by the Health Insurance Portability and Accountability Act (HIPAA), clarification of what the FTC considers a breach of security, new requirements for the content of breach notifications, changes to the timeframe for issuing notifications, and an expansion of the permitted methods for notifying consumers. “Protecting consumers’ sensitive health data is a high priority for the FTC,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “With the increasing use of health apps and connected devices, the updated HBNR will ensure it keeps pace with changes in the health marketplace.”
The Health Breach Notification Rule applies to vendors of personal health records (PHRs) and related entities that are not covered by HIPAA and requires them to notify individuals in the event of a breach of unsecured personally identifiable health data, and in some cases, also notify the media. In the event of a breach of covered data at a third party that provides services to vendors of PHRs or PHR-related entities, they are required to notify the PHR vendor or PHR-related entity in the event of a breach. While the Health Breach Notification Rule has been in effect for more than a decade, the FTC has only recently started enforcing compliance. The first organizations to face action over alleged violations were GoodRx and Easy Healthcare (Premom).
After issuing a Notice of Proposed Rulemaking (NPRM) in May 2023, the FTC received around 120 comments on the proposed rule and considered those comments when finalizing changes to the Health Breach Notification Rule. The Final Rule takes effect 60 days after publication in the Federal Register.
The key changes implemented by the Final Rule are:
- Modifying the definition of “PHR identifiable health information” and adding two new definitions for “covered health care provider” and “health care services or supplies.” These changes make the Health Breach Notification Rule applicable to health apps and similar technologies not covered by HIPAA.
- Clarifying “breach of security,” which means “an unauthorized acquisition of identifiable health information that occurs as a result of a data security breach or an unauthorized disclosure.”
- Revising the definition of “PHR-related entity” to make it clear that the rule applies to “entities that offer products and services through the online services, including mobile applications, of vendors of personal health records,” and that “only entities that access or send unsecured PHR identifiable health information to a personal health record — rather than entities that access or send any information to a personal health record — qualify as PHR related entities.”
- Updating the required content of consumer notifications to require third parties that acquired unsecured PHR identifiable health information as a result of a breach of security to be named, and expanding the means of providing clear and effective consumer notifications to include email and other electronic means of communication.
- Modifying requirements for notifying the FTC about a breach of security. In the event of a breach of 500 or more records, the FTC must be notified at the same time as issuing consumer notifications. Those notifications, like those required by the HIPAA Breach Notification Rule, must be issued without undue delay and no later than 60 days from the discovery of a breach of security.
The final rule did not have universal support within the FTC and was only narrowly passed with a vote of 3-2 in favor. Commissioners Melissa Holyoak and Andrew N. Ferguson voted against the update. Commissioners Holyoak and Ferguson issued a statement about the reason why they did not vote in favor of the final rule. They explained that they felt the final rule “exceeds the Commission’s statutory authority, puts companies at risk of perpetual noncompliance, and opens the Commission to legal challenge that could undermine its institutional integrity.”
The two Commissioners explained that “PHR identifiable health information” means “individually identifiable health information,” and individually identifiable health information is “information created or received by a healthcare provider, health plan, or healthcare clearinghouse.” Commissioners Holyoak and Ferguson have an issue with the FTC’s interpretation of “covered healthcare providers” and “healthcare services and supplies,” which they believe are capricious. They said the adopted definitions are not consistent with the statute that gave rise to the Health Breach Notification Rule, and the joint effect is “to sweep a large swath of apps and app developers under the purview of the Final Rule.”
The post FTC Issues Final Rule Updating Health Breach Notification Rule appeared first on HIPAA Journal.
Health Data Analytics Firm Reports 1.1-Million Record MSP Data Breach
A Portland, ME-based accounting and consulting firm has recently reported a data breach to the Maine Attorney General that involved the personal information of 1,107,354 individuals. Berry, Dunn, McNeil & Parker, LLC (BerryDunn) provides health data analytics services to healthcare providers, health insurers, and government regulatory and healthcare policy agencies and its clients provide BerryDunn with personal and health data to allow the firm to perform its contracted services.
BerryDunn’s Health Analytics Practice Group (HAPG) contracted with a managed service provider (MSP) called Reliable Networks of Maine, LLC (RMN), which manages systems on behalf of HAPG. On September 14, 2023, RMN notified HAPG that it had identified suspicious activity on its network, including in the systems it manages for HAPG. BerryDunn immediately initiated its incident response protocols and brought in third-party cybersecurity experts to investigate to determine the extent to which client data was involved.
The investigation confirmed that a threat actor gained access to the RMN network and used the vendor’s privileged access to steal data from the HAPG systems the MSP managed. A vendor was engaged to conduct a review of the affected files, and that process was completed on April 2, 2024. The information exposed or stolen in the incident included names, addresses, dates of birth, Social Security numbers, health insurance policy numbers, Medicare or Medicaid numbers, state or governmental ID numbers, passport numbers, and medical information. Notification letters were mailed to the affected individuals on April 25, 2024, and complimentary credit monitoring and identity theft protection services have been offered to the affected individuals. Those services include a $1 million identity theft reimbursement policy.
It is unclear how many of BerryDunn clients have been affected. BerryDunn has confirmed that it has decommissioned all systems under the control of RMN, migrated all HAPG data to secure internal BerryDunn servers, and said those servers are continuously monitored for unauthorized access under its cybersecurity program.
The post Health Data Analytics Firm Reports 1.1-Million Record MSP Data Breach appeared first on HIPAA Journal.
MGMA asks OCR: Hold UHG responsible for HIPAA breach notifications – Healthcare IT News
MGMA asks OCR: Hold UHG responsible for HIPAA breach notifications Healthcare IT News
Medical records for out-of-state abortions will now be protected by HIPAA – Daily Kos
Medical records for out-of-state abortions will now be protected by HIPAA – Daily Kos
OCR Releases Details of Phase 2 HIPAA Audit Program – The National Law Review
OCR Releases Details of Phase 2 HIPAA Audit Program The National Law Review