HHS Announces Proposed Rules to Modify 42 CFR Part 2 Restrictions
On February 5, 2016, the US Department of Health and Human Services announced new proposed regulations for Confidentiality of Alcohol and Drug Abuse Patient Records, 42 CFR Part 2. The goal of the proposed changes is to facilitate information exchange within new health care models while addressing the legitimate privacy concerns of patients seeking treatment for a substance use disorder. The press release is available at: http://www.hhs.gov/about/news/2016/02/05/hhs-proposes-changes-to-rules-governing-confidentiality-substance-use-disorder-records.html
The Proposed rules published in the Federal Register February 9, 2016 are at: https://www.federalregister.gov/articles/2016/02/09/2016-01841/confidentiality-of-substance-use-disorder-patient-records
The comment period is open until April 11, 2016.
New HHS Fact Sheets on Exchange of PHI for Treatment and Operations
On February 4, 2016, the US Department of Health and Human Services announced, via its blog, that it had released two fact sheets concerning Permitted Uses and Disclosures for the Exchange of Protected Health Information for purposes of Treatment and for purposes of Health Care Operations, in order to clarify HIPAA regulations and help enable permissible uses and disclosures under the rules.
• The blog entry is at https://www.healthit.gov/buzz-blog/electronic-health-and-medical-records/interoperability-electronic-health-and-medical-records/the-real-hipaa-supports-interoperability/
• The fact sheet on Exchange for Treatment is at https://www.healthit.gov/sites/default/files/exchange_treatment.pdf
• The fact sheet on Exchange for Health Care Operations is at https://www.healthit.gov/sites/default/files/exchange_health_care_ops.pdf
According to the blog post, this is the first in a series of postings of new guidance meant to clear confusion about HIPAA and promote proper compliance. "Blog #2 will be background on HIPAA’s Permitted Uses and Disclosures: what they are, and how they advance the national goal of interoperability. Blog #3 will give examples of exchange of health information for Care Coordination, Care Planning, and Case Management, both between providers, and between provider and payers. Finally, Blog #4 will give examples of interoperable, permissible exchange of PHI for Quality Assurance and Population-Based Activities, including via a health information exchange.”
HHS OCR Announces Fine for Insecure Handling of Paper PHI
On February 3, 2016, The US Department of Health and Human Services Office for Civil Rights announced that an HHS Administrative Law Judge (ALJ) has ruled that Lincare, Inc. (Lincare) violated the HIPAA Privacy Rule and granted summary judgment to OCR on all issues, requiring Lincare to pay $239,800 in civil money penalties. This is only the second time in its history that OCR has sought CMPs for HIPAA violations, and each time the CMPs have been upheld by the ALJ.
From the press release: "OCR’s investigation of Lincare began after an individual complained that a Lincare employee left behind documents containing the protected health information (PHI) of 278 patients after moving residences. Evidence established that this employee removed patients’ information from the company’s office, left the information exposed in places where an unauthorized person had access, and then abandoned the information altogether. Over the course of the investigation, OCR found that Lincare had inadequate policies and procedures in place to safeguard patient information that was taken offsite, although employees, who provide health care services in patients’ homes, regularly removed material from the business premises. Further evidence indicated that the organization had an unwritten policy requiring certain employees to store protected health information in their own vehicles for extended periods of time. Although aware of the complaint and OCR’s investigation, Lincare subsequently took only minimal action to correct its policies and strengthen safeguards to ensure compliance with the HIPAA Rules.”
The two messages here: Take proper care of paper records, and don’t ignore HHS Office for Civil Rights.
The Notice of Proposed Determination and the ALJ’s opinion may be found on the OCR website at http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/lincare/index.html
HHS OIG Report Says Utah Medicaid Systems Had Weaknesses
On February 2, 2016 FierceHealthIT reported that the HHS Office of Inspector General had completed a report in January entitled: INADEQUATE SECURITY MANAGEMENT PRACTICES LEFT UTAH DEPARTMENT OF HEALTH SENSITIVE MEDICAID DATA AT RISK OF UNAUTHORIZED DISCLOSURE. Once again, the OIG pretty much says it all right there in the title. This is a study of what happened when a contractor for Utah IT put up a server insecurely and 780,000 people in Utah had their PHI hacked. The population of Utah is only 2.9 million, so that’s 29% of the state affected. The news report is at http://www.fiercehealthit.com/story/oig-weaknesses-utah-department-healths-medicaid-it-systems-high-impact/2016-02-02
The OIG Report is at: http://oig.hhs.gov/oas/reports/region7/71500455.pdf
A report on the Utah Breaches is available at: http://www.fiercehealthit.com/story/health-department-breach-impacts-24k-medicaid-patients/2012-04-05
FDA Provides Cybersecurity Recommendations for Medical Devices
On January 15, 2016 the US Food and Drug Administration (FDA) announced draft guidance on important steps medical device manufacturers should take to continually address cybersecurity risks to keep patients safe and better protect the public health. The draft guidance details the agency’s recommendations for monitoring, identifying and addressing cybersecurity vulnerabilities in medical devices once they have entered the market. The announcement is available at: http://www.fda.gov/NewsEvents/Newsroom/PressAnnouncements/ucm481968.htm and the guidance, posted January 22, 2016, is available at: http://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM482022.pdf
In October 2014, the FDA issued guidance for medical device manufacturers regarding building cybersecurity into their product from the beginning of the development process, available at: http://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM356190.pdf
HIMSS Announces its Healthcare Cybersecurity Community
On January 19, 2016, HIMSS launched its Healthcare Cybersecurity Community for its members, which will provide a forum where healthcare constituents can discuss and learn about advancing the state of cybersecurity in the healthcare industry.
Participation in the community will include monthly discussions via WebEx with healthcare cybersecurity thought-leaders and discussion with peers in the healthcare sector. In addition, members of the Healthcare Cybersecurity Community can engage and dialogue with each other through a dedicated ListServ.
January Webinar Information: The first Healthcare Cybersecurity Community webinar will occur on January 28, 2016 from 2-3PM ET. The speaker will be Kevin A. McDonald, BSN, MEPD, GCIS, CISSP, Director of Clinical Information Security at the Office of Information Security of Mayo Clinic. He will discuss how healthcare providers can effectively address today’s people, process, and technology challenges as they pertain to cybersecurity. Mr. McDonald will also discuss best practices and reference standards which may be helpful in overcoming these challenges. Registration information for this event, along with other details about the community, can be found on the HMSS Cybersecurity Community web site, at http://www.himss.org/get-involved/community/cybersecurity.
How to join the community (you must be a member of HIMSS):
1. Log into the HIMSS member portal at https://marketplace.himss.org/My-Account/Participation
2. Under the “My Involvement” tab, click on the "Edit Participations” button.
3. Select "Healthcare Cybersecurity Community" and click on the “Save” button.
After you have completed steps 1 through 3, you will be automatically added to the HIMSS Healthcare Cybersecurity Community itself as well as the ListServ.
Report Shows 84% of Mobile Health Apps Are Insecure
On January 13, 2016, Healthcare IT News reported that a new report shows 84 percent of U.S. FDA-approved health apps tested by IT security vendor Arxan Technologies did not adequately address at least two of the Open Web Application Security Project top 10 risks. Most health apps are susceptible to code tampering and reverse-engineering, and 95% of the FDA-approved apps lack binary protection and have insufficient transport layer protection, leaving them open to hacks that could result in privacy violations, theft of personal health information, as well as device tampering and patient safety issues. The article is available at: http://www.healthcareitnews.com/news/8-out-10-mobile-health-apps-open-hipaa-violations-hacking-data-theft
HHS Issues Guidance on Individuals’ Right of Access to PHI
On January 7, 2016, The US Department of Health and Human Services issued new guidance on individuals’ right to access their health information. The guidance includes general information and specifics about the details of proper implementation, and also includes an extensive Q&A section providing additional information. If this guidance is an indication of the quality of information we should expect from HHS on the Web, it’s a good sign. If you have questions on providing access under HIPAA, look here first. http://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html
By the way, this new guidance is provided on the completely revamped HHS Web site, which is now much easier to use and search for information, even on your smart phone. Happy exploring! (Yes, I have good things to say about the HHS Web site!)
HIPAA Rule Issued to Ease Reporting to the NICS re Firearms
On January 6, 2016, a new rule was published in the Federal Register to modify HIPAA §164.512, adding a new section (k)(7) to allow use or disclosure of PHI for purposes of reporting to the National Instant Criminal Background Check System the identity of an individual who is prohibited from possessing a firearm. Disclosures may include only the limited demographic and certain other information needed for purposes of reporting to the NICS, and may not include diagnostic or clinical information. The new rule is available at: https://www.federalregister.gov/articles/2016/01/06/2015-33181/health-insurance-portability-and-accountability-act-hipaa-privacy-rule-and-the-national-instant
NIST Releases Report on De-Identification of Personal Info
On December 17, 2015, the National Institute of Standards and Technology announced a report on De-Identification of Personal Information, in NIST Internal Report 8053. The report document summarizes two decades of de-identification research, discusses current practices, and presents opportunities for future research, including discussion of HIPAA methods for de-identification, and the effectiveness of the HIPAA Safe Harbor method. The report is available at http://nvlpubs.nist.gov/nistpubs/ir/2015/NIST.IR.8053.pdf If you are dealing with any issues of de-identifying PHI, READ THIS REPORT!
Also, see HHS’s guidance from 2012 on De-identification of PHI, available at: http://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/understanding/coveredentities/De-identification/hhs_deid_guidance.pdf
And the Hits Keep On Coming — New HIPAA RA Settlement
Looks like we’re really seeing the fruits of all that pressure on the HHS Office for Civil Rights to enforce HIPAA. On December 14, 2015 HHS OCR announced a $750,000 settlement (and corrective action plan) with The University of Washington Medicine for not ensuring that Risk Analyses for its Affiliated Covered Entities were properly performed and not ensuring risks found were properly managed, as a result of a malware infection that led to a large breach of PHI. The agreement and corrective action plan are available at: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/uwm/index.html
Pace of Settlements Increases — Two New Ones Announced
On November 25, 2015, the HHS Office for Civil Rights announced a settlement with Lahey Hospital and Medical Center of Burlington, Massachusetts, related to the theft of a laptop that was used as a medical device but was not included in the organization’s Risk Analysis, and widespread non-compliance with HIPAA revealed during the investigation, to the tune of $850,000 and a corrective action plan. The agreement and plan are available at: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/LAHEY/index.html
Less than a week later, on November 30, 2015, HHS OCR announced a settlement with Triple-S Management Corporation for widespread non-compliance with HIPAA regulations in various subsidiaries, for a whopping $3.5 million plus a corrective action plan. No, you can’t ignore the rules any longer. The agreement and corrective action plan are available at: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/triples/index.html
California Breach Notification Laws Beefed Up
On October 13, 2015, an article in Fierce Health IT indicated that California Governor Jerry Brown signed a new data breach notification law that defines encryption, describes the content of breach notices, and includes data captured by automated license plate readers. The article is available at: http://www.fiercehealthit.com/story/california-governor-signs-data-breach-notification-law/2015-10-13
OCR, FDA Security Enforcement in OIG 2016 Work Plan
In its FY 2016 Work Plan, the HHS Office of Inspector General plans to more closely scrutinize federal regulators' oversight of the security controls that healthcare providers and business associates use to protect electronic patient information. It also will review FDA oversight of medical device cybersecurity. The FY 2016 Work Plan is available at: http://oig.hhs.gov/reports-and-publications/workplan/ An article on the Work Plan in GovInfo Security is available at: http://www.govinfosecurity.com/ocr-fda-security-enforcement-to-be-scrutinized-a-8657
MS Office 2016 Includes New Data Privacy Features
On October 9, 2015, Healthcare IT News reported that the new release of MS Office 2016 includes several features geared toward healthcare providers including PHI recognition, smart attachments, encryption, single sign-on, and authentication, and more. The article is at: http://www.healthcareitnews.com/news/3-health-data-privacy-features-microsoft-office-2016-security-phi-pii
Another Settlement, News from NIST/OCR HIPAA Love-Fest
On September 2, 2015 at the annual NIST/OCR HIPAA Security conference in Washington, DC, the latest in the increasing number of HIPAA settlements was announced, this time for a doctor’s group with an unencrypted laptop and backup media that were stolen from an employee’s car, and not having performed HIPAA Security Rule activities such as a Risk Analysis, for $750K plus a corrective action plan. The settlement and press release are available at: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/cancercare.html
The word ENCRYPTION was emphasized by many of the speakers at the annual official NIST/OCR HIPAA Security conference, and the sessions will be available for public consumption at the conference web site: http://www.nist.gov/itl/csd/safeguarding-health-information-building-assurance-through-hipaa-security-2015.cfm Let me explain: this is the only conference I attend every year without fail because you can hear from, speak with, and ask questions of all the top people at HHS who deal with HIPAA, and then some. The sessions are definitely worth watching. You will learn a LOT! I learned a lot of details behind the headlines that you can read in any Health IT newsletter, which I will be sharing in an Occasional Client Update newsletter soon.
OCR Releases Handy Guide on HIPAA - Loads of Resource Links
In late July, 2015, the HHS Office for Civil Rights released a handy guide, HIPAA Basics for Providers: Privacy, Security, and Breach Notification Rules, that is a nice summary of how HIPAA applies and what is necessary for compliance at a basic level, and also includes a number of very useful links to other guidance.
If you’re just getting started in HIPAA, this is a good way to get a basic understanding of HIPAA and then look at the linked guidance for more. See: http://www.cms.gov/Outreach-and-Education/Medicare-Learning-Network-MLN/MLNProducts/Downloads/HIPAAPrivacyandSecurity.pdf
NIST Releases Draft Guidance for Health Info & Mobile Devices
On July 23, 2015, The National Cybersecurity Center of Excellence (NCCoE) has released a draft for public comment a step-by-step guide (the first in a new series) that demonstrates how health care providers can make mobile devices, such as smartphones and tablets, more secure, in order to better protect patient information and still take advantage of advances in communications technology.
Securing Electronic Records on Mobile Devices provides IT implementers and security engineers with a detailed architecture so that they can copy, or recreate with different but similar technologies, the security characteristics of the guide. It also maps to standards and best practices from NIST and others, and to Health Insurance Portability and Accountability Act (HIPAA) rules. The guide takes into account the need for different types of implementation for different circumstances such as when cyber security is handled in-house or is outsourced.
Comments on the draft are requested by September 25, 2015.
The NIST press release is available at: http://www.nist.gov/itl/20140723_nccoe_mobile_medical.cfm
An article in ComputerWorld on the draft guidance is available at: http://www.computerworld.com/article/2951831/healthcare-it/feds-look-to-bolster-security-for-mobile-devices-used-in-health-care.html
The draft document, a web form and a template for comments are available at https://nccoe.nist.gov/projects/use_cases/health_it/ehr_on_mobile_devices
Take note! This is incredibly useful information, to say the least, and if you have any comments, please submit them so it can be even better.
$218K Settlement for Internet-based File Sharing with no RA
On July 10, 2015, the US Department of Health and Human Services Office for Civil Rights announced a $218,000 monetary settlement and corrective action plan with St. Elizabeth’s Medical Center in Brighton, Mass., for using a Web-based document sharing application without having performed a risk analysis, and for a breach involving an unencrypted personal laptop and flash memory device of a former employee containing PHI.
The corrective action plan includes a thorough self-assessment of compliance, unannounced inspections of compliance and portable devices, and regular compliance progress reports to HHS. The settlement announcement, agreement, and action plan are available at: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/SEMC/semc.html
The lesson here? Do your risk analysis before using new technologies, train your staff well, and encrypt all laptops or portable devices with any PHI!
Oregon Breach Law to Include Health Information as of 1/1/16
According to a report in Becker Hospital Review, as of January 1, 2016, Oregon's Consumer Identity Theft Protection Act of 2007 will include mandatory notification for individuals whose personal health information is breached, as a result of the passage of Senate Bill 601. On that date, the definition of sensitive identifying information will expand to include the following:
• Health insurance policy numbers
• Unique identifiers of any kind used by health
• Medical information history
• Any information about mental or physical conditions
• Information about a healthcare professional's medical diagnosis or treatment of an individual
The law also requires the state attorney general be notified in the instance of a data breaches or breaches of personal information involving 250 or more individuals.
The story is available at: http://www.beckershospitalreview.com/healthcare-information-technology/oregon-law-widens-personal-information-breach-umbrella-to-include-health-data.html and Oregon Senate Bill 601 is available at: https://olis.leg.state.or.us/liz/2015R1/Downloads/MeasureDocument/SB601/Enrolled
Annual NIST/OCR HIPAA Security Conference Announced
On July 8, 2015, the National Institute of Standards and Technology announced the 8th Annual Safeguarding Health Information: Building Assurance through HIPAA Security Conference, set for September 2-3, 2015 at the Grand Hyatt hotel in Washington, DC. If you are a HIPAA specialist, you MUST attend this if you go anywhere this year.
The conference will explore the current health information technology security landscape and the HIPAA Security Rule, with practical strategies, tips and techniques for implementing the HIPAA Security Rule, and offer sessions exploring security management and technical assurance of electronic health information. Presentations will cover a variety of current topics including updates on the Omnibus HIPAA/HITECH Final Rule, breach management, business associate liability, managing 3rd party risk, securing medical devices, and more.
Participants can choose to participate on-site, or through a live web cast. All registrations include access to archived webcast presentations and materials. For more information and registration, please see: http://www.nist.gov/itl/csd/safeguarding-health-information-building-assurance-through-hipaa-security-2015.cfm
Dates Set for Annual NIST/OCR HIPAA Security Conference
On June 11, 2015, Lewis Creek Systems learned through reliable sources that the dates for this year’s NIST/OCR HIPAA Security Conference will be September 2 and 3, 2015, and will be held at the Grand Hyatt in D.C. Sources indicated that a “save-the-date” announcement would be forthcoming within the week.
This is the only conference that I insist on attending every year, with all the leading experts and authorities from healthcare, NIST, and HHS in attendance or presenting. I highly recommend watching for the announcement and attending.
HHS OIG Refines 2015 Work Plan and Adds New EHR Issues
On June 8, 2015, FierceHealthIT reported that the US Department of Health and Human Services Office of the Inspector General has updated its work plan, adding several new items and removing some as well.
OIG will review the use of EHRs by accountable care organizations to coordinate care, will review the extent that providers participating in ACOs in the Medicare Shared Savings Program use EHRs to exchange health information to achieve their care coordination goals, and assess providers' use of EHRs to identify best practices and possible challenges in their progression toward interoperability.
OIG will also review EHR contingency planning required by HIPAA, whether providers that received Medicare and/or Medicaid Meaningful Use incentive payments were entitled to the money, and whether covered entities are adequately securing electronic PHI created or maintained by certified EHR technology. OIG specifically states that hospitals must conduct security risk analyses.
The updated plan no longer includes a review of whether business associates also are adequately securing electronic patient protected health information and no longer includes a review of CMS' oversight of hospitals' security controls over networked medical devices.
The story is available at: http://www.fierceemr.com/story/updated-oig-2015-work-plan-adds-ehr-issues-under-review/2015-06-08
2015 HIPAA Audits Appear to be Getting Started, Finally
On May 22, 2015, FierceHealthIT reported that HHS has begun verifying contact information for HIPAA Covered Entities who could be selected for the Phase 2 HIPAA Audits called for by the HTECH Act. Additional information is expected, and HHS advised watching its website for announcements.
Supposedly 550 to 800 entities will receive or have received surveys to determine their appropriateness for an audit, and 350 covered entities and 50 business associates are expected to be audited, according to reports.
New HIPAA Settlement for Improper Disposal of PHI, more enforcement actions expected soon
On April 27, 2015, the US Department of Health and Human Services Office for Civil Rights announced a settlement with Cornell Prescription Pharmacy (Cornell), a small, single-location pharmacy that provides in-store and prescription services to patients in the Denver, Colorado metropolitan area, specializing in compounded medications and services for hospice care agencies, for potential HIPAA violations. Cornell will pay $125,000 and adopt a corrective action plan to correct deficiencies in its HIPAA compliance program.
A Denver news outlet notified HHS OCR of disposal of un-shredded, unsecured documents containing specific protected health information (PHI) of 1,610 patients in an unlocked, open container on Cornell's premises. Cornell had failed to implement and provide training to the workforce in any written policies and procedures as required by the HIPAA Privacy Rule.
The agreement requires Cornell to develop and implement a comprehensive set of policies and procedures to comply with the Privacy Rule, and develop and provide staff training. The Resolution Agreement can be found on the OCR website via: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/cornell/index.html
Recent news reports and rumors indicate that HHS is just ramping up its enforcement work on HIPAA, and this may be only the first indication of a coming flood of settlement agreements for HIPAA violations. Take note!
Draft NIST Report Released on De-Identification of PII
On April 10, 2015 the National Institute of Standards and Technology released Draft NIST Interagency Report (NISTIR) 8053, De-Identification of Personally Identifiable Information, which is a topic near and dear to those of us who handle PHI. Draft NISTIR 8053 along with a summary and announcement is at: http://csrc.nist.gov/publications/PubsDrafts.html#NIST-IR-8053
To submit comments to this draft, use the comment template available at the above URL. Send comments to: email@example.com The deadline to submit comments is May 15, 2015.
HHS OCR Looking for Someone to Lead HIPAA Audit Program
On April 9, 2015, the US Department of Health and Human Services announced a job opening for someone to lead the HHS Office for Civil Rights’s HIPAA Audit Program. Quote, "The Office for Civil Rights (OCR) has one Compliance Specialist (Auditing) position available within our Headquarters office located in Washington, DC. This position serves as the senior auditing subject matter expert who provides leadership, oversight, coordination, and advice necessary to design, plan and execute an audit program of covered entity and business associate compliance with the HIPAA Privacy, Security, and Breach Notification Rules.”
If they’re hiring someone to lead the HIPAA Audit Program, that probably means they’ll get around to doing some auditing again. How soon? Who knows… The job listing is open until April 17, and is available at: https://www.usajobs.gov/GetJob/ViewDetails/398661600
ONC Releases Version 2 of Privacy and Security Guide for ePHI
In April 2015, the Office of the National Coordinator for Health Information Technology released version 2 of its Guide to Privacy and Security of Electronic Health Information, providing a concise summary of the processes and requirements involved in assuring adequate privacy and security of electronic Protected Health Information. The guide is available at: http://www.healthit.gov/sites/default/files/pdf/privacy/privacy-and-security-guide.pdf and Chapter 6, a Sample Seven Step Approach for Implementing a Security Management Process, is available separately at: http://www.healthit.gov/sites/default/files/pdf/privacy/privacy-and-security-guide-chapter-6.pdf
Final Draft of NIST SP 800-171 (Security Summary) Issued
On April 3, 2015 the National Institute of Standards and Technology released the final public draft of SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, which provides an excellent summary of security actions to take to protect information systems, and provides a great checklist of security considerations.
To view the full announcement and link to this draft document, please visit the CSRC Drafts page at: http://csrc.nist.gov/publications/PubsDrafts.html#800-171
If you would like to submit comments on the draft, the deadline to submit comments is May 12, 2015, and Email your comments to: firstname.lastname@example.org
Excellent New PCI Guidance on Penetration Testing Released
In March 2015, the PCI Security Standards Council released a new Information Supplement: Penetration Testing Guidance. The guidance includes a great deal of useful information including a useful explanation of the difference between a penetration test and a vulnerability scan, as well as descriptions of test components, tester qualifications, and methodology, with a few case studies.
While the guidance is focused on payment card information protection, it is easy to apply to health information protection, which is, of course, a growing issue. See: https://www.pcisecuritystandards.org/documents/Penetration_Testing_Guidance_March_2015.pdf
Links to Two Key Resources Updated; Wall of Shame Updated
In early March 2015, Internet links to two key resources were changed. The old link to the HHS OCR “Wall of Shame” listing the breaches affecting more than 500 individuals, in typical HHS fashion, has simply stopped working, yielding a “page not found” error.
The information is now available in a much easier to use format using modern Web technologies on secure pages that are part of the new HHS OCR portal that will someday be used for submission of information requested in the random audit program, due to restart “real soon now.” The new-and-improved “Wall of Shame” is at https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf The new format is much easier to read and search, with easy export of the data in multiple formats. See what happens to others -- make sure it doesn't happen to you.
Another key resource is the NIST Computer Security Incident Handling Guide, Special Publication 800-61 revision 2, which has been been relocated to: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
New Jersey Law Requires Encryption of Health Information
On January 9, 2015 a New Jersey law was enacted, going into effect August 1, 2015, requiring that health insurance companies doing business in New Jersey must encrypt personal data they transmit electronically a public network or retain on end-user computers, such as desktops, workstations, laptops, storage media, and smart phones. The law was prompted by health data breaches in New Jersey. The brief text of the bill is available at: http://www.njleg.state.nj.us/2014/Bills/S1000/562_R1.PDF
News stories on the new law are available at:
Security Alert for Windows Systems - Don’t be the next Sony!
On December 19 2014, the US Computer Emergency Readiness Team (US-CERT) issued Alert (TA14-353A) on Targeted Destructive Malware, about what can be done to help prevent an attack such as the recent attack on Sony. Healthcare institutions would be well advised to review the bulletin and implement measures accordingly. Make sure your technical security folks know about this! The Alert is available at: https://www.us-cert.gov/ncas/alerts/TA14-353A
NIST Announces Draft Rev’s to Small Business Security Guide
On December 16, 2014, the National Institute of Standards and Technology announced the draft of Revision 1 of NIST IR 7621, Small Business Information Security: The Fundamentals. The draft can be found on the NIST CSRC Draft publications page at: http://csrc.nist.gov/publications/PubsDrafts.html#ir7621r1
NIST, as a partner with the Small Business Administration and the Federal Bureau of Investigation in an information security awareness outreach to the small business community, developed this NISTIR as a reference guideline, intended to present the fundamentals of a small business information security program in non-technical language. Comments will be accepted through February 9, 2015. If you have any comments on the draft, please send comments or questions to: email@example.com.
$150K Settlement for Unpatched and Unsupported Software
On December 8, 2014, the US Department of Health and Human Services Office for Civil Rights announced that Anchorage Community Mental Health Services (ACMHS) has agreed to settle potential HIPAA violations by paying $150,000 and adopting a two-year corrective action plan, following investigation of a breach that revealed ACMHS had not implemented good security processes, had not regularly updated their IT resources with available patches, and were running outdated, unsupported software.
The bulletin and settlement agreement are available at: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/acmhs/index.html
NIST Draft SP 800-171 Provides Excellent Summary of Security
On November 20, 2015, the National Institute of Standards and Technology released the first public draft of SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, which provides an excellent summary of security actions to take to protect information systems, and provides a great checklist of security considerations.
To view the full announcement and link to this draft document, please visit the CSRC Drafts page at: http://csrc.nist.gov/publications/PubsDrafts.html#800-171
If you would like to submit comments on the draft, the deadline to submit comments is January 16, 2015, and Email your comments to: firstname.lastname@example.org
HHS Announces Guidance on HIPAA in Emergency Situations
On November 10, 2014, the US Department of Health and Human Services (HHS) published new guidance on HIPAA Privacy Rule protections in emergency situations, such as an Ebola outbreak, to ensure that HIPAA-regulated entities are aware of the ways in which patient information may be shared under the HIPAA Privacy Rule in an emergency situation, and to serve as a reminder that the protections of the Privacy Rule are not set aside during an emergency. The HIPAA Privacy Rule protects the privacy of patients' health information but also ensures that appropriate uses and disclosures of the information still may be made to treat a patient, to protect the nation's public health, and for other critical purposes.
OCR's bulletin on HIPAA Privacy in Emergency Situations may be found at: http://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/understanding/special/emergency/hipaa-privacy-emergency-situations.pdf
Additional guidance on HIPAA in Emergency Situations: Preparedness, Planning, and Response can be found at: http://www.hhs.gov/ocr/privacy/hipaa/understanding/special/emergency/index.html
HHS OIG 2015 Work Plan Includes HIPAA Security Enforcement
The 2015 Work Plan of the US Department of Health and Human Services (HHS) Office of Inspector General (OIG) has been announced and includes items pertaining to HIPAA Security, including analyzing the IT security of community health centers funded by the Health Resources and Services Administration, and reviewing controls over networked medical devices at hospitals. The HHS OIG Work Plan for Fiscal Year 2015 is available at: http://oig.hhs.gov/reports-and-publications/archives/workplan/2015/FY15-Work-Plan.pdf
SANS-Norse Report: Healthcare Info Compromises Epidemic
A 2014 report developed by SANS and Norse indicates widespread compromises of healthcare information in the US, affecting all kinds of healthcare organizations, and all kinds of devices from firewalls and radiology imaging systems to Web cameras and mail servers. "A significant number of compromises were due to very basic issues such as not changing default credentials on firewalls.” The report is available at: http://www.norse-corp.com/HealthcareReport2014.html (requires registration)
Serious Security Flaw Affects Unix-based Systems - Urgent!
On September 25, 2014, several announcements were made concerning a recently discovered serious security flaw in all Unix-based system implementations, known as the Bash/Shellshock Vulnerability.
US-CERT is aware of a Bash vulnerability affecting Unix-based operating systems such as Linux and Mac OS X. Exploitation of this vulnerability may allow a remote attacker to execute arbitrary code on an affected system. The notification is available at: https://www.us-cert.gov/ncas/current-activity/2014/09/24/Bourne-Again-Shell-Bash-Remote-Code-Execution-Vulnerability
HHS OCR Issues Guidance on HIPAA and Same-Sex Marriage
On September 17, 2014, the US Department of Health and Human Services Office for Civil Rights (OCR) issued guidance in response to the Supreme Court decision on same-sex marriage, specifying that spouses include both same-sex and opposite-sex individuals who are legally married, whether or not they live or receive services in a jurisdiction that recognizes their marriage.
The guidance clarifies that same-sex spouses are have the same HIPAA rights as other family members, no matter where services are provided. See: http://www.hhs.gov/ocr/privacy/hipaa/understanding/special/samesexmarriage/index.html
FBI Warns Healthcare is Now a Major Target of Hackers
On August 20, 2014, Reuters reported that the FBI has issued an alert through their Liaison Alert System specifically detailing a significant threat to healthcare information security posed by hackers. The FBI provides details about the threat, including information about how technical personnel can spot evidence of malicious activity related to the threat. The Reuters article is available at http://www.reuters.com/article/2014/08/20/us-cybersecurity-healthcare-fbi-idUSKBN0GK24U20140820 and the FBI warning is available here on this site.
Mass. AG Settles Breach Suit with RI Hospital for $150,000
On July 23, 2014, the Massachusetts Attorney General announced they had reached a $150,000 settlement with Women & Infants Hospital of Rhode Island to resolve issues concerning a breach in the Summer of 2011 of 12,000 Massachusetts patients’ names and health information that was not discovered until the Spring of 2012, and not reported until November of 2012. The breach occurred when unencrypted backup tapes went missing. Lessons here: #1: Encrypt your backup tapes. #2: Have a good system for managing your backup tape inventory. #3: Recognize that you may have issues with other states when you have a breach and your patients are residents of other states. #4: Don’t delay reporting your breaches properly — have a solid process! The settlement announcement is available at: http://www.mass.gov/ago/news-and-updates/press-releases/2014/2014-07-23-women-infants-hospital.html
7th Annual NIST/OCR HIPAA Security Conference Announced
On July 15, 2014, the US Department of Health and Human Services Office for Civil Rights (OCR) and the National Institute of Standards and Technology (NIST) announced the 7th annual NIST/OCR Safeguarding Health Information: Building Assurance through HIPAA Security conference, to be held September 23-24, 2014 at the Grand Hyatt Hotel, 1000 H Street NW, Washington, DC. If you are a HIPAA Security Officer, this is THE event to attend this year. Onsite attendance costs $345, and $200 for the webcast. For more information and registration, please see http://www.nist.gov/itl/csd/safeguarding-health-information-building-assurance-through-hipaa-security-2014.cfm
Settlements Continue: $800K for Poorly Handled Records
On June 24, 2014, the US Department of Health and Human Services Office for Civil Rights announced that Parkview Health System, Inc. (Parkview) has agreed to settle potential HIPAA violations by paying $800,000 and adopting a corrective action plan. Parkview employees had left 71 boxes of medical records in an open and accessible area, completely unsecured.
The press release and settlement agreement are available on the HHS Web site at: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/parkview.html and HHS provides FAQ on the proper disposal of protected health information at: http://www.hhs.gov/hipaa/for-professionals/faq/disposal-of-protected-health-information
HHS Releases New Reports on Breaches and HIPAA Compliance
On June 11, 2014, The U.S. Department of Health and Human Services, Office for Civil Rights, has issued two Reports to Congress called for by the HITECH Act: one on Breaches of Unsecured Protected Health Information, and the other on HIPAA Privacy, Security, and Breach Notification Rule Compliance. The reports cover relevant activities in calendar years 2011 and 2012.
The breach notification report provides an overview of the breach notification requirements and discusses the reports received as a result. The report on compliance with the HIPAA Rules summarizes complaints received of alleged violations of the HITECH Act and the HIPAA Privacy and Security Rules. These are the second reports on these topics in response to the HITECH Act requirement. See: http://www.hhs.gov/ocr/privacy/hitechrepts.html
Exposed PHI Costs Columbia/Presbyterian Record $4.8 million
On May 7, 2014, the US Department of Health and Human Services Office for Civil Rights announced that New York and Presbyterian Hospital (NYP) and Columbia University (CU), operating jointly as New York Presbyterian Hospital / Columbia University Medical Center, had settled a complaint for a total of $4.8 million, following the unintentional exposure of the PHI of 6,800 individuals through insecure management of server deployments. The settlement includes an extensive (and expensive) corrective action plan.
The message here is to be sure you use good, professional practices in the development and implementation of all systems handling PHI. The press release is at: http://www.hhs.gov/news/press/2014pres/05/20140507b.html and the Resolution Agreements are available at: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/ny-and-presbyterian-hospital-settlement-agreement.pdf and http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/columbia-university-resolution-agreement.pdf
Stolen Laptops Lead To $2 million in Settlements for Entities
On April 22, 2014, it was announced that two entities have paid nearly $2 million total to the US Department of Health and Human Services Office for Civil Rights to resolve HIPAA issues around laptops that were stolen, that had PHI on them, and that were not encrypted, a scenario that is reported daily in the Health Information Technology press. In both cases, Concentra Health Services and QCA Health Plan, Inc. of Arkansas had not done the required complete and thorough risk analysis and implementation of a risk management plan. Both have corrective action plans that must be implemented, in addition to the monetary settlement. The press release is at: http://www.hhs.gov/news/press/2014pres/04/20140422b.html and the Resolution Agreements are available at: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/stolenlaptops-agreements.html
The message here is clear: 1) Do a solid Risk Analysis, and 2) Encrypt your portable devices and provide training on their secure use, or you risk big fines and corrective action plans.
FBI Issues Alert to Healthcare Entities About Cyber Security
On April 8, 2014, the FBI Cyber Division issued a Private Industry Notification, Health Care Systems and Medical Devices at Risk for Increased Cyber Intrusions for Financial Gain, a two-page overview of the state of information security in healthcare. The Notification references other research and reports to conclude that PHI is valuable ($50 per record, vs. $1 per record for financial information), security is insufficiently implemented, and breaches are widespread. This, combined with the rapid increase in the number of EHR implementations, leaves the healthcare industry vulnerable. The Notification is available at: http://www.illuminweb.com/wp-content/uploads/ill-mo-uploads/103/2418/health-systems-cyber-intrusions.pdf
The FBI encourages entities to report any suspicious or criminal activity to the local FBI field office; FBI regional phone numbers can be found online at http://www.fbi.gov/contact/fo/fo.htm
ONC & OCR Release Risk Assessment Tool for iPad & Windows
On March 28, 2014, the Office of the National Coordinator for Health IT, in collaboration with the HHS Office for Civil Rights and HHS Office of the General Counsel, released a new Risk Assessment tool for small and medium sized organizations that assists in the collection and analysis of data, and comes in iPad and Windows 7 versions.
In many ways, the tool is an evolution of the NIST HIPAA Security Rule Toolkit released in 2011. It doesn’t make the work any easier, but it makes organizing the information and producing reports a little easier if you’re new to Risk Analysis. Used well, it could help; used poorly, it could provide a false sense of security. The Tool, the user guide, and related videos are all available at: http://www.healthit.gov/providers-professionals/security-risk-assessment
WA County Gov’t Settles HIPAA Security Issues for $215K
On March 7, 2014, the US Department of Health and Human Services announced that Skagit County, Washington, has agreed to settle potential violations of the HIPAA Privacy, Security, and Breach Notification Rules for a $215,000 settlement and agreement to work closely with HHS to correct deficiencies in its HIPAA compliance program. The issues concern the deployment of PHI on insecure servers, exposing the information of 1581 individuals, and the lack of HIPAA-related policies, procedures, documentation, and training. The HHS press release is at: http://www.hhs.gov/news/press/2014pres/03/20140307a.html
The Resolution Agreement can be found on the OCR website at: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/skagit-agreement.html
HHS Requests Comments on Plan to Send Audit Readiness Information Requests to 1200 HIPAA CEs and BAs
On February 24, 2014, the US Department of Health and Human Services issued a request for comment on the proposed collection of information to determine the suitability of 1200 HIPAA Covered Entities and Business Associates for being audited under the requirements of the HITECH Act.
The survey will gather information about respondents to enable OCR to assess the size, complexity, and fitness of a respondent for an audit. Information collected includes, among other things, recent data about the number of patient visits or insured lives, use of electronic information, revenue, and business locations. See: https://www.federalregister.gov/articles/2014/02/24/2014-03830/agency-information-collection-activities-proposed-collection-public-comment-request
This means that the 2014 HIPAA random audit program is now ramping up, with the first wave of contacts going out once the comment period is over. The time to get ready is NOW.
UPDATE: Beginning in late March, 2014, HHS OCR began presenting its plan for resumption of the HIPAA Audit Program, Phase 2 of which will be getting under way in 2014 and expanding to include Business Associates in 2015. A PDF of a PowerPoint presentation by HHS OCR Senior Adviser Linda Sanches at the HCCA Compliance Institute March 31, 2014 is available at: http://www.hcca-info.org/Portals/0/PDFs/Resources/Conference_Handouts/Compliance_Institute/2014/tue/710print2.pdf
UPDATE #2: On May 12, 2014 HHS reissued its request for comment on its plan to survey 1200 entities for their suitability, gathering additional information until June 11, 2014. The reissued request for comment is available at: https://www.federalregister.gov/articles/2014/05/12/2014-10829/agency-information-collection-activities-submission-to-omb-for-review-and-approval-public-comment
HHS Issues HIPAA Guidance on Sharing Mental Health Info
On February 20, 2014, the U.S. Department of Health and Human Services announced new guidance explaining how the HIPAA Privacy Rule operates to protect individuals' privacy rights with respect to their mental health information and in what circumstances the Privacy Rule permits health care providers to communicate with patients' family members and others to enhance treatment and assure safety. This important guidance is available at: http://www.hhs.gov/ocr/privacy/hipaa/understanding/special/mhguidance.html
HHS Publishes Model Notice of Privacy Practices in Spanish
On February 19, 2014, the US Department of Health and Human Services announced it has created Spanish language versions of their new model HIPAA Notices of Privacy Practices. The model notices, in English and Spanish, are available at: http://www.hhs.gov/ocr/privacy/hipaa/modelnotices.html
HHS Launches Competition for Best Online Privacy Notice
In the hopes of finding a better model, on February 10, 2014, the US Department of Health and Human Services announced a call for designers, developers, and patient privacy experts to create an online model notice of privacy practices that is compelling, readable, and understandable by patients and is easily integrated into existing entity Web sites. Public voting on the the contestants will determine the winner, with a $15,000 prize for first place. See: http://oncchallenges.ideascale.com and http://www.gpo.gov/fdsys/pkg/FR-2014-02-10/html/2014-02785.htm
HHS Releases CLIA & HIPAA Rules Allowing Lab Info Access
The US Department of Health and Human Services is releasing a new final rule concerning the access of laboratory information by individuals, to be officially published February 6, 2014. The new rule amends CLIA to allow access of authenticated information by authenticated individuals or their authorized representatives under HIPAA, and amends HIPAA to remove laboratory information from the list of information to which individuals may be denied access.
As usual, the Preamble is well worth reading. Individuals may still access results via their physician, and results may still be accessed for the usual treatment purposes; the new rules simply add new access rights, but create a whole new world for labs and patient communications. See: https://www.federalregister.gov/articles/2014/02/06/2014-02280/patients-access-to-test-reports-clia-program-and-hipaa-privacy-rule
FTC Gets Into Healthcare Privacy & Security Enforcement
On January 16, 2014, the US Federal Trade Commission unanimously asserted that it has authority to enforce consumer protection laws concerning the privacy and security of healthcare information, even when the concerned business is also covered under the HIPAA regulations. FTC sees no conflict with HHS activity and finds no problems with enforcing the rules alongside HHS.
This means that, whether or not a privacy or security problem is noted by HHS, the FTC could become involved involved if they feel there have been deceptive trade practices, e.g, promising security and then not providing it.
The FTC order is at http://op.bna.com/hl.nsf/id/psts-9fmms7/$File/lab.pdf . An accompanying story in Bloomberg BNA is available at: http://www.bna.com/ftc-affirms-data-n17179881620/
HHS Proposes HIPAA Changes to Allow NICS Communication
On January 3, 2014, the US Department of Health and Human Services issued a Notice of Proposed Rule Making (NPRM) intended to make it easier to report information to the National Instant Criminal Background Check System (NICS). The NPRM would modify the HIPAA Privacy Rule to permit certain HIPAA-covered entities to disclose to the NICS the identities of persons prohibited by federal law from possessing or receiving a firearm for reasons related to mental health.
The information is reported to the NICS would not include clinical, diagnostic, or other mental health information. Instead, certain covered entities would be permitted to disclose the minimum necessary identifying information about individuals who have been involuntarily committed to a mental institution or otherwise have been determined by a lawful authority to be a danger to themselves or others or to lack the mental capacity to manage their own affairs.
The NPRM and additional information are available at: http://www.hhs.gov/ocr/privacy/hipaa/understanding/special/NICS/index.html