This page contains news stories from 2011
NIST Releases HIPAA Security Rule Toolkit for Compliance
On November 22, 2011, the National Institute of Standards and Technology (NIST) released the HIPAA Security Rule Toolkit, a Java-based application available for Microsoft Windows, Red Hat Enterprise Linux, and Apple Mac OS. "The NIST HIPAA Security Toolkit Application is intended to help organizations better understand the requirements of the HIPAA Security Rule, implement those requirements, and assess those implementations in their operational environment.
"Target users include, but are not limited to, HIPAA covered entities, business associates, and other organizations such as those providing HIPAA Security Rule implementation, assessment, and compliance services. Target user organizations can range in size from large nationwide health plans with vast information technology (IT) resources to small health care providers with limited access to IT expertise."
This is a significant tool that bears exploration by anyone involved in HIPAA Security Rule compliance. See http://scap.nist.gov/hipaa/ for the User Guide, Installation Guide, and the three toolkit downloads.
Joint Commission Says Not To Use Text Messages for Orders
On November 21, 2011, iHealthBeat reported that the Joint Commission has issued a response to a frequently asked question on their Web site, stating that health care professionals should not use text messaging for orders, for reasons of security, authentication, and auditability. The story in iHealthBeat is at http://www.ihealthbeat.org/articles/2011/11/21/joint-commission-text-messages-should-not-be-used-in-patient-orders.aspx and the Joint Commission's statement is at http://www.jointcommission.org/standards_information/jcfaqdetails.aspx?StandardsFaqId=401&ProgramId=1
HHS Releases Updated HIPAA Enforcement Highlights
On November 14, 2011, the US Department of Health and Human Services issued revisions to the HIPAA Privacy and Security Rule Enforcement Highlights, as of October 31, 2011. The most common issues investigated are:
1. Impermissible uses and disclosures of protected health information;
2. Lack of safeguards of protected health information;
3. Lack of patient access to their protected health information;
4. Uses or disclosures of more than the Minimum Necessary protected health information; and
5. Complaints to the covered entity.
See: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/highlights/index.html
Ponemon Institute Study on Patient Privacy and Data Security
On November 9, 2011, the Ponemon Institute published a Benchmark Study on Patient Privacy and Data Security that paints a sobering picture of the state of information security and health information. From the executive summary:
• The top three causes of a data breach are: unintentional employee action, lost or stolen computing devices and third-party snafu.
• Forty-one percent discovered the data breach as a result of a patient complaint.
• More than half (58 percent) of organizations have little or no confidence that their organization has the ability to detect all patient data loss or theft.
A December 1, 2011 article on the report on iHealthBeat is available at: http://www.ihealthbeat.org/articles/2011/12/1/report-health-data-breaches-increased-by-32-in-last-year.aspx. The report is available (with registration) at: http://www2.idexpertscorp.com/ponemon-study-2011/
HHS OCR Announces New HIPAA Audit Program Details
On November 8, 2011, the US Department of Health and Human Services Office for Civil Rights announced details of the new HIPAA audit program called for by HITECH Act section 13411. The program will focus in this first phase on Covered Entities only, and not Business Associates, and the initial auditees (their word) have been selected and will be notified shortly. Auditees will have only 10 business days to respond to the initial inquiries and information requests. For details, see: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/index.html
PWC Releases Report on Healthcare Info Privacy and Security
In September, Price Waterhouse Coopers released a useful report, Old data learns new tricks: Managing patient privacy and security on a new data-sharing playground that provides a great summary of the issues facing healthcare privacy and security today. Both the report and a chart pack that can be used alongside the report are available (with registration) at http://www.pwc.com/us/en/health-industries/publications/old-data-learns-new-tricks.jhtml
NIST Releases Draft of Risk Assessment Guide, Revision 1
On September 19, 2011, the National Institute of Standards and Technology released the initial public draft of Special Publication 800-30, Revision 1, Guide for Conducting Risk Assessments. The current SP 800-30 version is referred to in the HIPAA Security regulations preamble and guidance as the model to follow in conducting security risk analysis activities for HIPAA compliance.
The new version is not without its faults; it makes the simple process described in the current version into a much more complicated, harder-to-understand document, dense with text and completely out of scale for the vast majority of healthcare providers. Public comment is welcome through November 4, 2011.
For the press release and the e-mail address for submitting comments, see: http://csrc.nist.gov/news_events/index.html#sept19 and the draft is at: http://csrc.nist.gov/publications/drafts/800-30-rev1/SP800-30-Rev1-ipd.pdf
Amendments to CLIA and HIPAA for Access to Test Reports
On September 14, 2011, the US Department of Health and Human Services published proposed rule changes to allow patients access to their test reports, previously unavailable under the Clinical Laboratory Improvements Act of 1988 (CLIA) and HIPAA privacy regulations. Currently, patient access of PHI does not include laboratory test information; the proposed changes would put lab information in line with the remainder of PHI and patient access.
Two significant impacts spring to mind immediately: one is the provision of results to individuals without the interpretation and counseling of a physician or other trained caregiver, and the other is the requirement for labs to establish authenticated patient-facing capabilities and provide results directly to patients.
Comments may be submitted until 5 PM November 14, 2011; instructions and the proposed rule are at http://www.gpo.gov/fdsys/pkg/FR-2011-09-14/pdf/2011-23525.pdf. Pages 1-5 have the background information and page 13 has the actual proposed changes in language.
Stanford Hospital Data Breach of 20,000 by Business Associate
On September 8, 2011, Stanford Hospital & Clinics in California confirmed that a healthcare information privacy breach caused by a business associate affected more than 20,000 patients when their information was publicly posted to a website for about a year. This breach points up the importance of making sure your business associates engage in safe computing practices and have good security policies and procedures in place. An article on the breach is at: http://www.ihealthbeat.org/articles/2011/9/9/breach-exposes-data-on-20k-patients-at-stanford-hospital.aspx
HHS Submits Report on 2009-2010 Breaches to Congress
In mid-August 2011, HHS submitted its report for calendar years 2009-2010 on breaches of unsecured protected health information to Congress, pursuant to the HITECH Act requirements. While the report summarizes a lot of information that has already been widely discussed about large breaches, it also includes information on small breaches, which tend to be misdirected communications affecting one individual. The report is available at: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachreptmain.html
McAfee Security Releases Report on Operation Shady RAT
In August, 2011, McAfee, Inc. released the report, "Revealed: Operation Shady RAT - An investigation of targeted intrusions into 70+ global companies, governments and non-profit organizations during the last 5 years" available at http://www.mcafee.com/us/resources/white-papers/wp-operation-shady-rat.pdf
In it, Dmitri Alperovitch, VP Threat Research at McAfee notes, "I divide the entire set of Fortune Global 2000 firms into two categories: those that know they’ve been compromised and those that don’t yet know." This sobering report should be read by anyone responsible for protection of information security.
HHS in $865,500 HIPAA Settlement With UCLA Health System
On July 6, 2011, the US Department of Health and Human Services announced that the University of California at Los Angeles Health System (UCLAHS) has agreed to settle HIPAA violations for $865,500 and has committed to a corrective action plan aimed at remedying gaps in its compliance with the rules. The investigation follows two separate complaints filed on behalf of two celebrity patients alleging that UCLAHS employees repeatedly and without permissible reason looked at the electronic protected health information of these and other UCLAHS patients. For the press release, resolution agreement, corrective action plan, and other information, please see http://www.hhs.gov/ocr/privacy/hipaa/news/uclahs.html and for an article on the settlement in iHealthBeat please see: http://www.ihealthbeat.org/articles/2011/7/8/ucla-health-system-agrees-to-pay-865k-over-privacy-breaches.aspx
HHS Awards Contract for 150 HIPAA Audits Over 18 Months
Here come the HIPAA audits! On June 20, 2011, the US Department of Health and Human Services award of a contract to KPMG to provide HIPAA audit services was posted on the FedBizOpps.gov Web site. The contract calls for the development of methodology and audits at 150 HIPAA entities by the end of 2012. For an advisory on the topic from Davis, Wright, Tremaine, LLP, see: http://www.dwt.com/LearningCenter/Advisories?find=424919 For the posting, please see https://www.fbo.gov/index?s=opportunity&mode=form&id=9e045aa4f7e6f8499c5b6f74d5b211e9&tab=core&_cview=0
U.S. Postal Inspectors Arrest HIPAA Identity Thief in Alabama
On June 2, 2011, U.S. Postal Inspectors arrested a woman on charges that she stole identifying information on about 4,500 patients from a Birmingham hospital. According to the complaint, the individual stole the patient information from Trinity Medical Center while an associate of hers was a patient at the hospital. This arrest is significant for the involvement of the U.S. Postal Inspectors in the enforcement of HIPAA. Enforcement -- it's not just for HHS anymore! The press release from the U.S. Attorney's Office is available at: http://www.justice.gov/usao/aln/News/June%202011/June%203,%202011%20Postal%20Inspectors.html
HHS Releases Proposed Accounting of Disclosures Rule
On May 27, 2011, the US Department of Health and Human Services released the text of the proposed changes to HIPAA for meeting the requirements of the HITECH Act calling for changes to the regulations for Accounting of Disclosures, to be published in the Federal Register May 31, 2011. The proposed rule goes beyond the legislation to establish a new right to find out who has accessed electronic records for both use and disclosure, and the access report includes ALL electronic records, not just those in an official EHR. A news story on the release in the Journal of AHIMA is available at http://journal.ahima.org/2011/05/27/ocr-releases-proposed-rule-on-accounting-of-disclosure/, and a story in iHealthBeat is available at: http://www.ihealthbeat.org/articles/2011/5/27/hhs-issues-proposed-rule-on-disclosures-of-electronic-medical-data.aspx
Reaction by compliance professionals has been mixed. While the proposed rule limits all accountings of disclosures to three years (instead of the six in the HIPAA Privacy Rule) and limits the contents of the accounting to PHI held in a Designated Record Set (instead of any and all PHI), it expands coverage to ALL electronic information and establishes a new right to receive an Access Report showing all electronic accesses for both use and disclosure. There will be a 60-day comment period.
On May 31, 2011, the proposed rule was published in the Federal Register, and is available at: http://www.gpo.gov/fdsys/pkg/FR-2011-05-31/pdf/2011-13297.pdf
HHS Says Massive HIPAA Update Due by Year-end
On May 10, 2011, Sue McAndrew, Deputy Director for Health Information Privacy at the US Department of Health and Human Services' Office for Civil Rights, noted in a presentation at the annual NIST-OCR HIPAA Security conference that there will be a final rule released by year end encompassing all the changes to HIPAA brought about by the HITECH act, including all proposed and interim final rules, with the exception of the Accounting for Disclosures changes, which will be released and finalized separately. Also included in the rollup will be other HIPAA changes, such as those required by the Genetic Information Nondiscrimination Act (GINA). This final rule was originally expected last year, and then around May-June of this year, and is now delayed again.
For more information, see the story in Government Health IT magazine at: http://www.govhealthit.com/news/delay-hipaa-privacy-security-rules-almost-over
Verizon 2011 Data Breach Investigations Report Released
On April 19, 2011, the Verizon RISK Team, with cooperation from the U.S. Secret Service and the Dutch High Tech Crime Unit, released the 2011 Data Breach Investigations Report, which contained some surprising changes in trends (hacking, malware, and physical attacks by outsiders are up; misuse of privileges by insiders is down).
The executive summary should be read by every person responsible for security or risk analysis. The information in this report is essential in guiding risk analysis and mitigation prioritization right now. The press release is available at: http://newscenter.verizon.com/press-releases/verizon/2011/verizon-2011-data-breach.html and the report is available at: http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2011_en_xg.pdf
Healthcare Data Breach Costs Rise to $345 per Record in 2010
Ponemon Institute, LLC has released its "2010 Annual Study: U.S. Cost of a Data Breach" which finds that the average cost per record of a Healthcare industry data breach has increased from $301 in 2009 to $345 per record in 2010. The report contains a wealth of information on recent breach and security risk trends and should be required reading for all security and compliance personnel. The report is available at: http://tinyurl.com/4hprqtk and a related article in Computerworld is available at: http://tinyurl.com/4ppzjgy
HHS OCR and NIST Announce HIPAA Security Conference
The US Department of Health and Human Services Office for Civil Rights (HHS OCR) and the National Institute of Standards and Technology have announced the annual HIPAA Security conference, "Safeguarding Health Information: Building Assurance through HIPAA Security," to be held in Washington, DC, May 10-11, 2011. This is THE HIPAA Security conference to attend – you'll have access to all the best people in health information security, from regulators to implementers, as well as all the latest news and rumors about regulations, at a GREAT price. For more information and registration, see: http://www.nist.gov/itl/csd/hipaasec.cfm
New Timelines for HIPAA Final Rule Releases - May-June 2011
February 25, 2011: Officials within the US Department of Health and Human Services indicate that new final rules to update HIPAA under the HITECH Act are expected to be issued by May or June, and not the March date previously expected. The Final Rule rolling up most of the changes already proposed or in the interim rule stage has not gone to the Office of Management and Budget yet, so the earliest we can expect to see the Final Rule in the Federal Register is June 1, 2011, if it goes to the OMB on March 1, 2011. And since the proposed rule on Accounting for Disclosures when using an EHR went to OMB in the past few weeks, this will be published at the earliest in mid-May 2011.
Mass General Loses Files, Settles with HHS for $1 million
On February 24, 2011, just two days after announcing a ground-breaking HIPAA fine in another case, the HHS Office for Civil Rights (OCR) announced a settlement with Massachusetts General Hospital for $1 million to settle potential HIPAA violations that arose when an employee left a set of files for 192 patients on the subway. This is an old-fashioned breach of hard copy information for a relatively small number of people, but the information was very sensitive, hence the size of the settlement. The press release and resolution agreement are available at: http://www.hhs.gov/ocr/privacy/hipaa/news/mghnews.html
Year of Breach Reporting Reveals Low-Tech Threats as Worst
A February 22, 2011 article posted on the Journal of AHIMA Web site presents a good summary of the most prevalent threats leading to breaches of more than 500 individuals' records based on the first year's reporting of breaches to HHS. Low-tech threats, including theft, loss, and improper disposal, accounted for a whopping 76% of all reported incidents. Hacking showed up at only 6% of incidents, but a review of those violations shows generally higher numbers of affected individuals per incident. See the article (with links to the HHS page with all the source information) at: http://journal.ahima.org/2011/02/22/after-one-year-of-breach-reporting-theft-still-leads/
HHS Fines Cignet $4.3 Million for HIPAA Privacy Violations
On February 22, 2011, the HHS Office for Civil Rights (OCR) announced it has issued a Notice of Final Determination finding that Cignet Health of Maryland violated the HIPAA Privacy Rule and has imposed a civil money penalty (CMP) of $4.3 million for the violations, representing the first CMP issued for violations of the HIPAA Privacy Rule. The fine stems from repeated refusal to release medical records of 41 individuals and refusal to cooperate with HHS investigators. (Word is, when the records were finally turned over, they turned over records for more than 4500 other individuals as well. What are they thinking???) Read the press release and notices at: http://www.hhs.gov/ocr/privacy/hipaa/news/cignetnews.html