This page contains news stories from 2015
NIST Releases Report on De-Identification of Personal Info
On December 17, 2015, the National Institute of Standards and Technology announced a report on De-Identification of Personal Information, NIST Internal Report 8053. The report summarizes two decades of de-identification research, discusses current practices, and presents opportunities for future research, including a discussion of HIPAA methods for de-identification and of the effectiveness of the HIPAA Safe Harbor method. The report is available at: http://nvlpubs.nist.gov/nistpubs/ir/2015/NIST.IR.8053.pdf If you are dealing with any issues of de-identifying PHI, READ THIS REPORT!
Also, see HHS’s guidance from 2012 on De-identification of PHI, available at: http://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/understanding/coveredentities/De-identification/hhs_deid_guidance.pdf
And the Hits Keep On Coming — New HIPAA RA Settlement
Looks like we’re really seeing the fruits of all that pressure on the HHS Office for Civil Rights to enforce HIPAA. On December 14, 2015, HHS OCR announced a $750,000 settlement (and corrective action plan) with The University of Washington Medicine for not ensuring that Risk Analyses for its Affiliated Covered Entities were properly performed, and for not ensuring that the risks found were properly managed, following a malware infection that led to a large breach of PHI. The agreement and corrective action plan are available at: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/uwm/index.html
Pace of Settlements Increases — Two New Ones Announced
On November 25, 2015, the HHS Office for Civil Rights announced a settlement with Lahey Hospital and Medical Center of Burlington, Massachusetts, to the tune of $850,000 and a corrective action plan. The settlement related to the theft of a laptop that was used as a medical device but was not included in the organization’s Risk Analysis, and to widespread non-compliance with HIPAA revealed during the investigation. The agreement and plan are available at: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/LAHEY/index.html
Less than a week later, on November 30, 2015, HHS OCR announced a settlement with Triple-S Management Corporation for widespread non-compliance with HIPAA regulations in various subsidiaries, for a whopping $3.5 million plus a corrective action plan. No, you can’t ignore the rules any longer. The agreement and corrective action plan are available at: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/triples/index.html
California Breach Notification Laws Beefed Up
On October 13, 2015, an article in Fierce Health IT indicated that California Governor Jerry Brown signed a new data breach notification law that defines encryption, describes the content of breach notices, and includes data captured by automated license plate readers. The article is available at: http://www.fiercehealthit.com/story/california-governor-signs-data-breach-notification-law/2015-10-13
OCR, FDA Security Enforcement in OIG 2016 Work Plan
In its FY 2016 Work Plan, the HHS Office of Inspector General plans to more closely scrutinize federal regulators' oversight of the security controls that healthcare providers and business associates use to protect electronic patient information. It will also review FDA oversight of medical device cybersecurity. The FY 2016 Work Plan is available at: http://oig.hhs.gov/reports-and-publications/workplan/ An article on the Work Plan in GovInfo Security is available at: http://www.govinfosecurity.com/ocr-fda-security-enforcement-to-be-scrutinized-a-8657
MS Office 2016 Includes New Data Privacy Features
On October 9, 2015, Healthcare IT News reported that the new release of MS Office 2016 includes several features geared toward healthcare providers, including PHI recognition, smart attachments, encryption, single sign-on, authentication, and more. The article is at: http://www.healthcareitnews.com/news/3-health-data-privacy-features-microsoft-office-2016-security-phi-pii
Another Settlement, News from NIST/OCR HIPAA Love-Fest
On September 2, 2015, at the annual NIST/OCR HIPAA Security conference in Washington, DC, the latest in the increasing number of HIPAA settlements was announced, this time for a doctor’s group whose unencrypted laptop and backup media were stolen from an employee’s car, and which had not performed HIPAA Security Rule activities such as a Risk Analysis, for $750K plus a corrective action plan. The settlement and press release are available at: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/cancercare.html
The word ENCRYPTION was emphasized by many of the speakers at the annual official NIST/OCR HIPAA Security conference, and the sessions will be available for public consumption at the conference web site: http://www.nist.gov/itl/csd/safeguarding-health-information-building-assurance-through-hipaa-security-2015.cfm Let me explain: this is the only conference I attend every year without fail, because you can hear from, speak with, and ask questions of all the top people at HHS who deal with HIPAA, and then some. The sessions are definitely worth watching. You will learn a LOT! I learned a lot of details behind the headlines that you can read in any Health IT newsletter, which I will be sharing in an Occasional Client Update newsletter soon.
OCR Releases Handy Guide on HIPAA - Loads of Resource Links
In late July 2015, the HHS Office for Civil Rights released a handy guide, HIPAA Basics for Providers: Privacy, Security, and Breach Notification Rules, that is a nice summary of how HIPAA applies and what is necessary for compliance at a basic level. It also includes a number of very useful links to other guidance.
If you’re just getting started in HIPAA, this is a good way to get a basic understanding of HIPAA and then look at the linked guidance for more. See: http://www.cms.gov/Outreach-and-Education/Medicare-Learning-Network-MLN/MLNProducts/Downloads/HIPAAPrivacyandSecurity.pdf
NIST Releases Draft Guidance for Health Info & Mobile Devices
On July 23, 2015, the National Cybersecurity Center of Excellence (NCCoE) released for public comment a draft step-by-step guide (the first in a new series) that demonstrates how health care providers can make mobile devices, such as smartphones and tablets, more secure, in order to better protect patient information while still taking advantage of advances in communications technology.
Securing Electronic Records on Mobile Devices provides IT implementers and security engineers with a detailed architecture so that they can copy, or recreate with different but similar technologies, the security characteristics of the guide. It also maps to standards and best practices from NIST and others, and to Health Insurance Portability and Accountability Act (HIPAA) rules. The guide takes into account the need for different types of implementation for different circumstances such as when cyber security is handled in-house or is outsourced.
Comments on the draft are requested by September 25, 2015.
The NIST press release is available at: http://www.nist.gov/itl/20140723_nccoe_mobile_medical.cfm
An article in ComputerWorld on the draft guidance is available at: http://www.computerworld.com/article/2951831/healthcare-it/feds-look-to-bolster-security-for-mobile-devices-used-in-health-care.html
The draft document, a web form and a template for comments are available at https://nccoe.nist.gov/projects/use_cases/health_it/ehr_on_mobile_devices
Take note! This is incredibly useful information, to say the least, and if you have any comments, please submit them so it can be even better.
$218K Settlement for Internet-based File Sharing with no RA
On July 10, 2015, the US Department of Health and Human Services Office for Civil Rights announced a $218,000 monetary settlement and corrective action plan with St. Elizabeth’s Medical Center in Brighton, Mass., for using a Web-based document sharing application without having performed a risk analysis, and for a breach involving a former employee’s unencrypted personal laptop and flash memory device containing PHI.
The corrective action plan includes a thorough self-assessment of compliance, unannounced inspections of compliance and portable devices, and regular compliance progress reports to HHS. The settlement announcement, agreement, and action plan are available at: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/SEMC/semc.html
The lesson here? Do your risk analysis before using new technologies, train your staff well, and encrypt all laptops or portable devices with any PHI!
Oregon Breach Law to Include Health Information as of 1/1/16
According to a report in Becker's Hospital Review, as of January 1, 2016, Oregon's Consumer Identity Theft Protection Act of 2007 will include mandatory notification for individuals whose personal health information is breached, as a result of the passage of Senate Bill 601. On that date, the definition of sensitive identifying information will expand to include the following:
• Biometrics
• Health insurance policy numbers
• Unique identifiers of any kind used by health
• Medical information history
• Any information about mental or physical conditions
• Information about a healthcare professional's medical diagnosis or treatment of an individual
The law also requires that the state attorney general be notified in the event of a data breach or breach of personal information involving 250 or more individuals.
The story is available at: http://www.beckershospitalreview.com/healthcare-information-technology/oregon-law-widens-personal-information-breach-umbrella-to-include-health-data.html and Oregon Senate Bill 601 is available at: https://olis.leg.state.or.us/liz/2015R1/Downloads/MeasureDocument/SB601/Enrolled
Annual NIST/OCR HIPAA Security Conference Announced
On July 8, 2015, the National Institute of Standards and Technology announced the 8th Annual Safeguarding Health Information: Building Assurance through HIPAA Security Conference, set for September 2-3, 2015 at the Grand Hyatt hotel in Washington, DC. If you are a HIPAA specialist, you MUST attend this if you go anywhere this year.
The conference will explore the current health information technology security landscape and the HIPAA Security Rule, with practical strategies, tips and techniques for implementing the HIPAA Security Rule, and offer sessions exploring security management and technical assurance of electronic health information. Presentations will cover a variety of current topics including updates on the Omnibus HIPAA/HITECH Final Rule, breach management, business associate liability, managing 3rd party risk, securing medical devices, and more.
Participants can choose to participate on-site, or through a live web cast. All registrations include access to archived webcast presentations and materials. For more information and registration, please see: http://www.nist.gov/itl/csd/safeguarding-health-information-building-assurance-through-hipaa-security-2015.cfm
Dates Set for Annual NIST/OCR HIPAA Security Conference
On June 11, 2015, Lewis Creek Systems learned through reliable sources that the dates for this year’s NIST/OCR HIPAA Security Conference will be September 2 and 3, 2015, and will be held at the Grand Hyatt in D.C. Sources indicated that a “save-the-date” announcement would be forthcoming within the week.
This is the only conference that I insist on attending every year, with all the leading experts and authorities from healthcare, NIST, and HHS in attendance or presenting. I highly recommend watching for the announcement and attending.
HHS OIG Refines 2015 Work Plan and Adds New EHR Issues
On June 8, 2015, FierceHealthIT reported that the US Department of Health and Human Services Office of the Inspector General has updated its work plan, adding several new items and removing some as well.
OIG will review the use of EHRs by accountable care organizations to coordinate care, will review the extent that providers participating in ACOs in the Medicare Shared Savings Program use EHRs to exchange health information to achieve their care coordination goals, and assess providers' use of EHRs to identify best practices and possible challenges in their progression toward interoperability.
OIG will also review EHR contingency planning required by HIPAA, whether providers that received Medicare and/or Medicaid Meaningful Use incentive payments were entitled to the money, and whether covered entities are adequately securing electronic PHI created or maintained by certified EHR technology. OIG specifically states that hospitals must conduct security risk analyses.
The updated plan no longer includes a review of whether business associates also are adequately securing electronic patient protected health information and no longer includes a review of CMS' oversight of hospitals' security controls over networked medical devices.
The story is available at: http://www.fierceemr.com/story/updated-oig-2015-work-plan-adds-ehr-issues-under-review/2015-06-08
2015 HIPAA Audits Appear to be Getting Started, Finally
On May 22, 2015, FierceHealthIT reported that HHS has begun verifying contact information for HIPAA Covered Entities that could be selected for the Phase 2 HIPAA Audits called for by the HITECH Act. Additional information is expected, and HHS advised watching its website for announcements.
Supposedly 550 to 800 entities will receive or have received surveys to determine their appropriateness for an audit, and 350 covered entities and 50 business associates are expected to be audited, according to reports.
The article is available at: http://www.fiercehealthit.com/story/hhs-office-civil-rights-sends-preliminary-surveys-phase-2-hipaa-audit-progr/2015-05-22
New HIPAA Settlement for Improper Disposal of PHI, more enforcement actions expected soon
On April 27, 2015, the US Department of Health and Human Services Office for Civil Rights announced a settlement for potential HIPAA violations with Cornell Prescription Pharmacy (Cornell), a small, single-location pharmacy that provides in-store and prescription services to patients in the Denver, Colorado metropolitan area, specializing in compounded medications and services for hospice care agencies. Cornell will pay $125,000 and adopt a corrective action plan to correct deficiencies in its HIPAA compliance program.
A Denver news outlet notified HHS OCR of the disposal of un-shredded, unsecured documents containing specific protected health information (PHI) of 1,610 patients in an unlocked, open container on Cornell's premises. Cornell had failed to implement any written policies and procedures as required by the HIPAA Privacy Rule, and had failed to train its workforce on them.
The agreement requires Cornell to develop and implement a comprehensive set of policies and procedures to comply with the Privacy Rule, and develop and provide staff training. The Resolution Agreement can be found on the OCR website via: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/cornell/index.html
Recent news reports and rumors indicate that HHS is just ramping up its enforcement work on HIPAA, and this may be only the first indication of a coming flood of settlement agreements for HIPAA violations. Take note!
Draft NIST Report Released on De-Identification of PII
On April 10, 2015, the National Institute of Standards and Technology released Draft NIST Interagency Report (NISTIR) 8053, De-Identification of Personally Identifiable Information, which is a topic near and dear to those of us who handle PHI. Draft NISTIR 8053, along with a summary and announcement, is at: http://csrc.nist.gov/publications/PubsDrafts.html#NIST-IR-8053
To submit comments on this draft, use the comment template available at the above URL. Send comments to: draft-nistir-deidentify@nist.gov The deadline to submit comments is May 15, 2015.
HHS OCR Looking for Someone to Lead HIPAA Audit Program
On April 9, 2015, the US Department of Health and Human Services announced a job opening for someone to lead the HHS Office for Civil Rights’ HIPAA Audit Program. Quote: “The Office for Civil Rights (OCR) has one Compliance Specialist (Auditing) position available within our Headquarters office located in Washington, DC. This position serves as the senior auditing subject matter expert who provides leadership, oversight, coordination, and advice necessary to design, plan and execute an audit program of covered entity and business associate compliance with the HIPAA Privacy, Security, and Breach Notification Rules.”
If they’re hiring someone to lead the HIPAA Audit Program, that probably means they’ll get around to doing some auditing again. How soon? Who knows… The job listing is open until April 17, and is available at: https://www.usajobs.gov/GetJob/ViewDetails/398661600
ONC Releases Version 2 of Privacy and Security Guide for ePHI
In April 2015, the Office of the National Coordinator for Health Information Technology released version 2 of its Guide to Privacy and Security of Electronic Health Information, providing a concise summary of the processes and requirements involved in assuring adequate privacy and security of electronic Protected Health Information. The guide is available at: http://www.healthit.gov/sites/default/files/pdf/privacy/privacy-and-security-guide.pdf and Chapter 6, a Sample Seven Step Approach for Implementing a Security Management Process, is available separately at: http://www.healthit.gov/sites/default/files/pdf/privacy/privacy-and-security-guide-chapter-6.pdf
Final Draft of NIST SP 800-171 (Security Summary) Issued
On April 3, 2015, the National Institute of Standards and Technology released the final public draft of SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, which provides an excellent summary of security actions to take to protect information systems and a great checklist of security considerations.
To view the full announcement and link to this draft document, please visit the CSRC Drafts page at: http://csrc.nist.gov/publications/PubsDrafts.html#800-171
If you would like to submit comments on the draft, the deadline is May 12, 2015. Email your comments to: sec-cert@nist.gov
Excellent New PCI Guidance on Penetration Testing Released
In March 2015, the PCI Security Standards Council released a new Information Supplement: Penetration Testing Guidance. The guidance includes a great deal of useful information, including a clear explanation of the difference between a penetration test and a vulnerability scan, as well as descriptions of test components, tester qualifications, and methodology, with a few case studies.
While the guidance is focused on payment card information protection, it is easy to apply to health information protection, which is, of course, a growing issue. See: https://www.pcisecuritystandards.org/documents/Penetration_Testing_Guidance_March_2015.pdf
Links to Two Key Resources Updated; Wall of Shame Updated
In early March 2015, Internet links to two key resources were changed. The old link to the HHS OCR “Wall of Shame” listing the breaches affecting more than 500 individuals, in typical HHS fashion, has simply stopped working, yielding a “page not found” error.
The information is now available in a much easier to use format using modern Web technologies on secure pages that are part of the new HHS OCR portal that will someday be used for submission of information requested in the random audit program, due to restart “real soon now.” The new-and-improved “Wall of Shame” is at https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf The new format is much easier to read and search, with easy export of the data in multiple formats. See what happens to others -- make sure it doesn't happen to you.
Another key resource is the NIST Computer Security Incident Handling Guide, Special Publication 800-61 revision 2, which has been relocated to: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
New Jersey Law Requires Encryption of Health Information
On January 9, 2015, a New Jersey law was enacted, going into effect August 1, 2015, requiring that health insurance companies doing business in New Jersey encrypt personal data they transmit electronically over a public network or retain on end-user computers, such as desktops, workstations, laptops, storage media, and smart phones. The law was prompted by health data breaches in New Jersey. The brief text of the bill is available at: http://www.njleg.state.nj.us/2014/Bills/S1000/562_R1.PDF
News stories on the new law are available at:
http://www.natlawreview.com/article/new-jersey-law-to-impose-encryption-obligations-health-insurance-carriers
http://www.scmagazine.com/christie-signs-bill-to-protect-personal-information/article/392123/
http://www.govinfosecurity.com/nj-law-requires-insurers-to-encrypt-a-7780