Privacy, Security, and Compliance News

Secure That Server Properly On Installation, OR ELSE!

On October 18, 2016, the HHS Office for Civil Rights announced that St. Joseph Health (SJH) has agreed to settle potential violations of the HIPAA Privacy and Security Rules following the report that files containing PHI were publicly accessible through internet search engines from 2011 until 2012.  A default file sharing application had been left open on installation of a server.  Risk Analyses had been performed but were patchwork and incomplete.  SJH will pay a settlement amount of $2,140,500 and adopt a comprehensive corrective action plan.  See the press release and agreement at:  

Yet another reminder that launching a server is like preparing for takeoff — you have to go through a complete checklist, such as the applicable sections of the CIS Controls for Effective Cyber Defense, when launching a new server.  And make sure your Risk Analysis is complete!

Surprise! Ready for ACA Section 1557? New FAQs Available

On September 14, 2016, the HHS Office for Civil Rights announced New Section 1557 FAQs on Language Access Requirements and the Top 15 Languages, and many providers weren’t even aware of the rule or the October 17, 2016 deadline for compliance.  Beginning on October 17, 2016, covered entities will be required to post Notices of Nondiscrimination and Taglines that alert individuals with limited English proficiency (LEP) to the availability of language assistance services.  Read the FAQs on the Language Access Requirements here:

In addition, HHS OCR has made available a table displaying the top 15 languages spoken by individuals with limited English proficiency (LEP) in each State, the District of Columbia, Puerto Rico and each U.S. Territory based on OCR’s research.  View the table of the top 15 languages in each state:  

HHS 2013-2014 Report to Congress on Breach Notification

On August 30, 2016, the Secretary of HHS reported to Congress on the status of the HIPAA Breach Notification program, for the 2013-2014 period, as required under the HITECH Act, section 13402.  The report shows the percentages of breaches by theft and loss are decreasing while unauthorized access and “other” are up, by a number of measures.  

This means the hackers are doing a lot more damage while we still have a significant problem with loose data.  There’s also a good summary of enforcement and audit activity in the 2013-2014 period.  Especially take note of the section on Lessons Learned to see what you can do to avoid breaches, on pages 28-30.  The report is available at:  

HHS Releases Long-Awaited Guidance on Cloud Computing

On October 7, 2016, the US Department of Health and Human Services Office for Civil Rights released guidance on using cloud-based solutions to help HIPAA-regulated CSPs (Cloud Service Providers — hello new acronym!) and their customers in understanding their responsibilities under the HIPAA Rules when they create, receive, maintain, or transmit electronic protected health information.  The guidance includes key questions and answers.  See:  Frequently Asked Questions about Business Associates are available at   

This is an area that has been begging for guidance ever since the new rules came out in 2013, as the rules and Preamble did not adequately consider such computing solutions.  Note that the guidance includes several references to the guidance in the story below, on availability of PHI.  With these guidance documents and the guidance on Individual Access of PHI, it is clear that HHS is quite serious about the availability of PHI.

HHS Releases New FAQ on Availability of PHI Maintained by BA

On September 28, 2016, the US Department of Health and Human Services Office for Civil Rights released a new set of Frequently Asked Questions about how Business Associates must maintain availability of PHI.  The FAQs address “whether a business associate of a HIPAA covered entity may block or terminate access by the covered entity to the protected health information maintained by the business associate”.  The short answer is, No.  Data may not be held hostage for non-payment of fees, for instance.  PHI must be returned upon termination of an agreement.  Also, if the covered entity signs an agreement that prevents it from ensuring the availability of its PHI, it is not in compliance.  Check your contracts!  See:

$400K Settlement for Breaches and Not Having BA Agreements

On September 23, 2016, the US Department of Health and Human Services Office for Civil Rights announced a settlement with Care New England Health System (CNE), on behalf of each of the covered entities under its common ownership or control, for the loss of a backup tape with information on 14,000 individuals, without an up-to-date Business Associate Agreement in place for handling the tapes.  Even if you are in the same corporate family, if you have a BA relationship, you need a compliant BAA.  If HHS asks and you don’t have one, you will be in trouble.  Easy as that!  For the press release and settlement agreement, please see:  

NIST Releases SP 800-177 on Trustworthy E-mail

On September 16, 2016, NIST released Special Publication 800-177, Trustworthy Email, which covers and gives recommendations for state of the art email security technologies to detect and prevent phishing and other malicious email messages. Most of these new technologies rely on publishing email infrastructure-related information in DNSSEC, a secure version of the established Domain Name System (DNS). The guide was written for email administrators and for those developing security policies for an enterprise’s email infrastructure.  See:  

FTC Advises: Watch that Rental Car USB Port!

The Federal Trade Commission has advised people to be wary of using their smart phones with the USB ports in rental cars.  Cars can pull information out of your phone without your knowing it and can retain your contacts, etc. for the next renter.  Be sure to clear out your rental car’s memory when you turn it in!  See:  and  Always be careful using any USB ports you don’t control, in cars or at airports!

HHS Releases Updated HIPAA Security Risk Assessment Tool

In early September 2016, HHS Office of the National Coordinator for Health IT released an updated version of the HIPAA Security Risk Assessment Tool for Windows and iPad with new compatibility with Windows 10, and additional functionality for the iPad version.  For more information, see:  

HIMSS Releases 2016 Cybersecurity Survey Report

HIMSS has released its report on its 2016 Cybersecurity Survey which gathers information from a number of entities to develop a picture of the issues facing healthcare entities regarding cybersecurity, and some of the measures entities take to deal with the issues.  Available at:

HHS OCR Will Make More Investigations into Small Breaches

On August 18, 2016, the US Department of Health and Human Services Office for Civil Rights announced an “Initiative to More Widely Investigate Breaches Affecting Fewer than 500 Individuals”.  HHS regional offices will take on the load, and look into factors such as: 
• The size of the breach
• Theft of or improper disposal of unencrypted PHI
• Breaches that involve unwanted intrusions to IT systems (for example, by hacking)
• The amount, nature and sensitivity of the PHI involved
• Instances where numerous breach reports from a particular covered entity or business associate raise similar issues.  

OCR noted that regions may also consider the lack of breach reports affecting fewer than 500 individuals when comparing a specific covered entity or business associate to like-situated covered entities and business associates.  In other words, if everyone else like you reports breaches and you don’t, why not?

The press release will be available at:  

Advocate Health Care Ignores Security Rule = $5.5 million

The flood of HIPAA settlements continues.  On August 4, 2016, the US Department of Health and Human Services Office for Civil Rights announced a $2.75 million resolution agreement with Advocate Health Care for potential violations of the HIPAA Security Rule, leading in some cases to breaches, affecting four million people.  No complete RA, no physical controls at a data center, no BAA with a vendor holding PHI, and an unencrypted laptop stolen from an unlocked car overnight.  Let us count the violations!  Yes, it is a record settlement amount.  See:  

Annual NIST/OCR HIPAA Security Conference Announced

The NIST Information Technology Laboratory announced the next NIST/OCR HIPAA Security conference — Safeguarding Health Information: Building Assurance through HIPAA Security - 2016 — in Washington, DC, set for Wednesday and Thursday, October 19-20, 2016, at the Capital Hilton, and available by Webcast as well.  This is the ONLY conference that I ALWAYS attend every year — you get access to the best experts in a non-commercial setting, and insights you can gain nowhere else.  If you can, go, or at least attend the Webcast.  See:  

DHS Releases Cyber Incident Reporting Guide

On July 28, 2016, the US Department of Homeland Security released Cyber Incident Reporting:  A Unified Message for Reporting to the Federal Government, providing guidance on which Federal agencies and departments certain Cyber Incidents should be reported to.  Best to pay attention to this, if you suffer some kind of Cyber Incident!  The DHS page hosting the guidance is at:  and the guidance document is available at:  

HHS Issues New Guidance on HIPAA Audits and on Device IDs

On July 27, 2016, the HHS Office for Civil Rights provided new HIPAA Audit Guidance & FAQ on HIPAA and Unique Device Identifiers.

1) Guidance for 2016 HIPAA Desk Audits 

Covered entities received notification of their selection as the subjects of an Office for Civil Rights (OCR) desk audit of compliance with the HIPAA Security, Privacy and Breach Notification Rules on July 11, and were invited to participate in a webinar held on Wednesday, July 13, where OCR staff walked through the processes for the audit and expectations for their participation.  

To respond to questions, OCR developed three targeted guidance documents, available at  

 — One is a comprehensive question and answer listing.  

 — The second puts the specific audit document submission requests in context with the rule requirements and associated protocol audit inquiries, as well as the related questions asked by selected entities.  The entire protocols are available on the OCR website; for this guidance we extracted from those protocols the specific desk audit provisions, and added the audit inquiries and Q&A.  

 — Finally, OCR has posted the slides used in the webinar.  The guidance should be helpful to audited entities as well as other covered entities and business associates seeking assistance with improving their compliance with these important requirements of the HIPAA Rules.  

2) New FAQ: HIPAA and Unique Device Identifiers (Note: "Device Identifiers" is NOT a unique identifier — which one are you talking about?  Are you lost yet?  No?  Read on...)

OCR has posted a new FAQ on HIPAA and Unique Device Identifiers (UDI), which clarifies that the device identifier (DI) portion of a UDI can be part of a limited or de-identified data set as defined under HIPAA.  While the HIPAA Privacy Rule prohibits the inclusion of “device identifiers and serial numbers” in both limited data sets and data sets that are de-identified in accordance with the “de-identification safe harbor” provisions, the guidance explains that the DI portion of the UDI is not the type of “device identifier” to which these HIPAA Privacy Rule provisions refer.  (Oh Boy!  “Device Identifiers” that aren’t “Device Identifiers”!  Aren’t the regulations simple and unambiguous?  No, you say?)

You may find the new FAQ on OCR’s website at:

Ignoring Security Costs U Miss Med Center $2.75 million

On July 25, 2016, the US Department of Health and Human Services Office for Civil Rights announced a $2.75 million resolution agreement with University of Mississippi Medical Center for lack of attention to security, even after vulnerabilities and risks were noted.  The agreement announcement, available at:  cited a number of issues resulting in breaches and exposure of patient information.  Compliance would have been WAY cheaper than the agreement, shall we say. 

Joint Commission Says “Whoa!” to Removal of Texting Ban

On July 18, 2016, Health IT Security reported that the Joint Commission on Accreditation of Healthcare (JCAHO) has decided to delay the removal of a ban on the use of texting (even secure texting) for physician ordering that had been previously announced.  Instead, they will wait for guidance to be developed by JCAHO and CMS to ensure texting is done correctly and aligns with the Medicare Conditions of Participation.  

The ban had been put in place because “texting applications were unable to verify the identity of the person sending the text or to retain the original message as validation of the information entered into the medical record,” the Commission stated. - See more at:

Insufficient Risk Analysis and Risk Management Cost $2.7m

On July 18, 2016, (cue Sonny and Cher music, The Beat Goes On) the US Department of Health and Human Services Office for Civil Rights announced a $2.7 million resolution agreement with Oregon Health and Science University for a variety of issues, including insufficient risk analysis and risk management, lack of encryption, lack of a Business Associate Agreement with a cloud vendor hosting PHI, and breaches causing harm to individuals.  

I’ve always maintained that academic medical centers are the most difficult institutions to bring into HIPAA compliance, and this is a perfect illustration.  

• The press release is available at:   
• The resolution agreement and corrective action plan are available at:  

FBI Issues Security Guidance for Healthcare Information

On July 13, 2016, Health Data Management reported that the FBI has issued guidance on best practices for protecting healthcare data, re-emphasizing some well-known precautions, but also including others that may not be widely used.  It is an excellent list to start with for your security improvement program that is essential today.  See:

HIPAA Audits for 167 Covered Entities Now Under Way

On July 11, 2016, the US Department of Health and Human Services Office for Civil Rights issued notices to the 167 HIPAA Covered Entities being audited in the round of 2016 desk audits.  If you are a CE and you have NOT been notified, you are not likely to be notified for a desk audit.  Some entities received a request for information on Privacy (in the areas of Notice of Privacy Practices and Access of PHI), and some received a request for information related to Risk Analysis and Risk Management under the Security Rule.  All received a request for a list of Business Associates and contact information.  

Information must be provided by July 22, 2016, and the process is expected to take roughly 90 days to complete for each entity (including time to respond to initial findings), with the program expected to be completed by the end of December, 2016.

A selection of Business Associates will receive a desk audit in the fall, and there will still be some on-site audits for some Covered Entities yet to go.  Information on the HIPAA Audit Program is available at:  

HHS OCR Issues Fact Sheet on Dealing with Ransomware

On July 11, 2016, the HHS Office for Civil Rights released Fact Sheet: Ransomware and HIPAA, providing guidance to health care entities about what ransomware is and how good HIPAA compliance helps you deal with it, and indicating that a ransomware attack should be considered a breach, because control of the PHI has been compromised.  The fact sheet is available at:  

HIPAA Business Associate Gets $650K Settlement for Breach

On June 30, 2016, the US Department of Health and Human Services announced a $650,000 settlement agreement with Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) for potential violations of the HIPAA Security Rule after the theft of an unprotected CHCS iPhone compromised the PHI of hundreds of nursing home residents.  

The iPhone was unencrypted and was not password protected.  The information on the iPhone was extensive, and included social security numbers, information regarding diagnosis and treatment, medical procedures, names of family members and legal guardians, and medication information.  At the time of the incident, CHCS had no policies addressing the removal of mobile devices containing PHI from its facility or what to do in the event of a security incident; OCR also determined that CHCS had no risk analysis or risk management plan.  In determining the resolution amount, OCR considered that CHCS provides unique and much-needed services in the Philadelphia region. 

Information on the settlement agreement is available at  

HHS Issues Ransomware Guidance for Healthcare Entities

In June, 2016, HHS issued new guidance on the protection of healthcare organizations from Ransomware attacks.  The guidance explains what Ransomware is, how to protect your networks from it, and how to respond to it.

An article on the guidance is available in Becker’s Hospital Review, at  and the guidance is available at  

Illinois Adds Health Information to Data Breach Notification

In May 2016, Illinois enacted a law expanding the Illinois Data Breach Notification law to include health insurance and medical information, beginning in 2017.  Note that the law is not limited to HIPAA-covered information; it also includes apps and Web sites that may be outside of HIPAA control.  Flexible notification is also included in the new law, providing more options in notification.

Perhaps most significantly, the law also includes requirements to “implement and maintain reasonable security measures,” including the addition of data security provisions to contracts that disclose personal information to another entity.  It’s time to review the SANS Top 20 Critical Security Controls, as that is becoming the accepted baseline for information security.

The news story in Health IT Security is available at:  and the Top 20 Critical Security Controls are available at:  

Watch That Public USB Outlet!  It could attack your device

In an article published June 1, 2016, the Sydney (Australia) Morning Herald reported that Kaspersky Lab warns that public USB outlets could transmit malicious code and be used for nefarious purposes.  After all, come to think of it, you wouldn’t let someone plug in their USB device to your network because of the risks; why would it be any safer to use a public USB charger?

See the article at:  

One solution: Using a cable or adapter that blocks data transfer and ONLY can be used for charging.  Much lighter and more portable than a power cube!  See:  

HHS OCR Adds Guidance re Fees for Electronic Records Access

On May 24, 2016, the US Department of Health and Human Services Office for Civil Rights issued an update to their guidance on Access of PHI by Individuals, further explaining the use of a $6.50 flat fee for electronic copies of records, and when that fee may or may not be appropriate.  The update is integrated into the Q&A section of the guidance, and is available within the guidance directly at:  while the guidance remains available at  

Steps for Prevention of Ransomware Attacks — Do these now!

On May 16, 2016, Health Data Management magazine’s Web site published a very useful, practical guide to preventing ransomware attacks by such means as:
  • Developing a plan for an end-user awareness program and implementing it across the hospital
  • Reviewing the server backup processes and evaluating users' network drive permissions
  • Auditing user privilege roles
  • Disabling macro scripts from MS Office files
  • Reviewing monthly patch management processes and inbound spam and malware protection
  • Installing a next-generation firewall and advanced endpoint protection

Go to the site, copy the entire list, and get to work, right now.  See:  

OCR Issues Cyber-Awareness Update on Business Associates

On May 3, 2016, the US Department of Health and Human Services Office for Civil Rights issued a Cyber-Awareness Monthly Update regarding the topic, Is Your Business Associate Prepared for a Security Incident?  The guidance indicates that entities should consider:
• Ensuring that agreements define appropriate uses and disclosures and include requirements to report any other use or disclosure including breaches
• Including in agreements the timeframe for reporting any incidents
• Identifying what must be included in any breach or incident reports
• Ensuring all workforce members are trained and Business Associate privacy and security practices are adequate

Additional details are provided.  The update is available via subscription from HHS OCR, and the current update is available at a number of locations, including:  

Joint Commission Says Secure Texting OK for Orders, but…

On April 29, 2016, the Joint Commission released an update on its position on the use of texting for orders, in its May 2016 issue of Joint Commission Perspectives.  The update indicates the use of secure texting services for management of orders is acceptable practice, with some caveats.  The required components of an order must be included, and the messaging platform should include
• a secure sign-on process,
• encrypted messaging,
• delivery and read receipts,
• date and time stamp,
• customized message retention time frames, and
• a specified contact list for individuals authorized to receive and record orders

Communications must be documented, and organizations should:
• Develop an attestation documenting the capabilities of their secure text messaging platform
• Define when text orders are or are not appropriate
• Monitor how frequently texting is used for orders
• Assess compliance with texting policies and procedures
• Develop a risk management strategy and perform a risk assessment
• Conduct training for staff, licensed independent practitioners, and other practitioners on applicable policies and procedures

The update is available from the Joint Commission at:  and an article on the topic in is available at:  

Verizon 2016 Data Breach Investigations Report Released

Verizon Enterprise Solutions has released to insiders the ninth Data Breach Investigations Report, pulling together incident data from around the world to reveal insights based on over 100,000 incidents from 82 countries, including analysis of 2,260 confirmed data breaches.  Highlights include:
• 89% of breaches had a financial or espionage motive.
• Over 85% of all security incidents fit into just nine categories.
• The biggest risks you face and what attacks look like.
• Practical steps you can take today to better protect your data.

Healthcare was listed as a top industry for issues in the categories of Insider and Privilege Misuse, Miscellaneous Errors, Physical Theft and Loss, and Everything Else.  As to the issue of Physical Theft and Loss, they offer the following haiku:

Employees lose things
Bad guys also steal your stuff
Full disk encryption

This is one of the most useful, practical, readable guides to dealing with current security and data breach issues and should be required reading in every IT department.  See:  

NY Presbyterian Gets $2.2 million Settlement for Allowing TV Crews to Film in the ED

The beat goes on!  On April 21, 2016, the US Department of Health and Human Services Office for Civil Rights announced that it reached a $2.2 million settlement with New York Presbyterian Hospital (NYP) for the egregious disclosure of two patients’ PHI to film crews and staff during the filming of “NY Med,” an ABC television series, without first obtaining authorization from the patients. In particular, OCR found that NYP allowed the ABC crew to film someone who was dying and another person in significant distress, even after a medical professional urged the crew to stop.

OCR also found that NYP failed to safeguard protected health information and allowed ABC film crews virtually unfettered access to its health care facility, effectively creating an environment where PHI could not be protected from impermissible disclosure to the ABC film crew and staff.

What were they thinking? How could this possibly be seen as OK?  Does anyone work in Compliance?  Academic medical centers tend to be out of control because of their complexity in responsibility and governance but this takes the cake. 

The announcement and agreement, and a link to a FAQ page on Media Access to PHI are available at  

FTC/OCR/ONC/FDA Release Developer Tool for Apps and Regs

On April 15, 2016, the Federal Trade Commission (FTC) announced a new web-based tool to help developers of health-related mobile apps understand what federal laws and regulations might apply to them.  The FTC developed the tool in conjunction with OCR, the HHS Office of National Coordinator for Health Information Technology (ONC), and the Food and Drug Administration (FDA).

Based on the developer’s answers to a series of questions about the app, the guidance tool will point the developer toward information about federal laws that might apply, including the FTC Act, the FTC’s Health Breach Notification Rule, HIPAA, and the Federal Food, Drug and Cosmetics Act (FD&C Act).

Developers seeking more information about how the HIPAA Rules might apply to their apps should visit OCR’s health app developer portal.  One new resource on the portal is Health App Use Scenarios and HIPAA, which analyzes whether HIPAA applies to a range of example health app scenarios and offers questions to consider in determining when HIPAA’s regulations cover a particular health app. 


$750K Settlement for Lack of a Business Associate Agreement

On April 20, 2016, the US Department of Health and Human Services Office for Civil Rights announced that Raleigh Orthopaedic Clinic, P.A. of North Carolina (Raleigh Orthopaedic) has agreed to pay $750,000 for potential Privacy Rule violations by handing over protected health information (PHI) for approximately 17,300 patients to a potential business partner without first executing a business associate agreement, leaving this sensitive health information without safeguards and vulnerable to misuse or improper disclosure.  OCR initiated its investigation of Raleigh Orthopaedic following receipt of a breach report on April 30, 2013.  

In addition to the $750,000 payment, Raleigh Orthopaedic is required to revise its policies and procedures for managing business associate relationships, in an extensive Corrective Action Plan.

See the Bulletin and Resolution Agreement at  

HHS Releases New HIPAA Audit Protocol, Virtually Unusable!

On April 1, 2016, and I hope it wasn’t an April Fool’s joke, the US Department of Health and Human Services Office for Civil Rights updated their HIPAA Audit Protocol for the new HIPAA Audit Program, much to my, and others’ no doubt, frustration.  The old format allowed you to easily copy and paste the protocol into a spreadsheet so you could actually USE it, but no such luck with the new one, because the formatting on the Web site makes it virtually unusable, and impossible to easily paste into Excel in a usable way.  

THANKS HHS!  What a miserable job.  What an embarrassment.  They didn’t even announce the new page, and, by the way guys, if it’s not ready, DON’T POST IT.  You can’t even download an Excel copy.  If you look at the site and try to use it, you’ll see what I mean.  It looks like it might be a great tool for preparing for audits but NOT IN ITS CURRENT UNUSABLE FORMAT.  If you’d like to be as frustrated as I am about this, see  If you’d like to submit comments (and you can imagine the one I submitted) send an e-mail to .  PLEASE FIX THIS, HHS!  No joke!  (Yes, Jim, but what do you REALLY think?)

NIST Releases 2nd Draft of SP 800-177, on Trustworthy Email

On March 30, 2016, the National Institute of Standards and Technology released the second draft of the new Special Publication 800-177, focusing on how plain old insecure e-mail can be remade into Trustworthy E-mail.  This is an incredibly useful document for anyone slightly technically oriented, as it does cover a lot of technical topics but is very approachable, with several very real, very actionable security recommendations.  In this day and age, we ALL need to understand how encrypted email can work, and this SP does a great job of explaining the various protocols and processes behind bringing e-mail into the 21st century.

This is HIGHLY RECOMMENDED READING for anyone wrestling with securing e-mail.  Available at:  Comments on the new draft may be submitted until April 29, 2016 via e-mail to .

2016 HIPAA Audit Program Announced, Saying Not Much New

On March 21, 2016, The US Department of Health and Human Services Office for Civil Rights announced the launch of its 2016 HIPAA Audit Program, providing almost no information that was not already widely believed to be the case.  It hasn’t yet begun, the HIPAA Audit Protocol is not yet updated, and the start of any audits is still a “few months” away.  Yes, Business Associates will be targeted as well as Covered Entities, in “round two,” following the audits of Covered Entities.  Yes, the audits will be, for the most part, desk audits limited to selected areas of the rules, completed within 30 days, but there may be field audits as well.

Perhaps the most useful information is that contact will be made via e-mail from HHS OCR, so make sure your spam filter doesn’t toss them!  If you don’t reply to the e-mail, you may still be selected anyway.  And, the entire process will be completed by December 31, 2016.

The non-announcement is available at  and the HHS OCR page on the topic (with lots of actually useful Q&A) is available at:  

Two More Laptop-Related Settlements, re a BA, and Research

On March 16 and 17, 2016, The US Department of Health and Human Services Office for Civil Rights announced new resolution agreements related to the loss or theft of laptop computers, one in the hands of a HIPAA Business Associate and one managed by a research organization.  

North Memorial Health Care of Minnesota did not have an appropriate Business Associate agreement with a major contractor, and had not adequately performed a risk analysis prior to the BA's loss of a laptop full of patient information — $1.55 million settlement and corrective action plan.  See:  

Feinstein Institute for Medical Research did not implement appropriate security precautions or perform a complete risk analysis for HIPAA compliance and lost a laptop via theft from an employee — $3.9 million settlement and a corrective action plan.  See:  

In case you missed the memo, it’s a really good idea to encrypt all portable devices containing any PHI!

CIRCL Releases Guidance on Ransomware Defense & Response

On February 23, 2016 the Computer Incident Response Center Luxembourg (CIRCL) released TR-41 Crypto Ransomware - Proactive defenses and incident response, a guide to defending and recovering from Crypto Ransomware attacks.  The guidance provides actionable measures to prevent and repel ransomware incidents.  Highly recommended reading for all!  See:  

HHS OCR Updates Access Guidance with New Q&As regarding Fees for Providing Copies of PHI

On February 25, 2016, The US Department of Health and Human Services Office for Civil Rights updated its guidance on rights of individuals to access their PHI with an additional set of questions and answers, dealing with fees charged for providing access.  The announcement is available at:  and the guidance is available at

HHS OCR Releases Crosswalk for HIPAA Security vs. NIST Cybersecurity Framework

On February 24, 2016, The US Department of Health and Human Services Office for Civil Rights released a crosswalk between the HIPAA Security Rule and the NIST Cybersecurity Framework to show how the HIPAA Security Rule compares with the NIST Cybersecurity Framework and other security regulations.  For organizations needing to meet multiple security requirements, the crosswalk simplifies compliance by showing where there are overlaps in requirements.  See the announcement, with a link to the crosswalk at:  

$25K Settlement for Posting Pictures Without Authorizations

On February 16, 2016, the US Department of Health and Human Services Office for Civil Rights announced a resolution agreement for $25,000 with Complete P.T., Pool & Land Physical Therapy, Inc., operating in the Los Angeles area, for posting patient photographs and testimonials without obtaining a valid HIPAA Authorization on its website, and for not having appropriate policies and procedures for handling the authorization process.  See the announcement and resolution agreement at:  

HHS OCR Announces Guidance for Health App Developers

In February 2016, the US Department of Health and Human Services Office for Civil Rights announced new guidance on the application of HIPAA rules to App Developers, describing the typical circumstances when one may or may not be considered a HIPAA Business Associate.  The guidance is available at:  

HHS Announces Proposed Rules to Modify 42 CFR Part 2 Restrictions

On February 5, 2016, the US Department of Health and Human Services announced new proposed regulations for Confidentiality of Alcohol and Drug Abuse Patient Records, 42 CFR Part 2. The goal of the proposed changes is to facilitate information exchange within new health care models while addressing the legitimate privacy concerns of patients seeking treatment for a substance use disorder.  The press release is available at:  
The proposed rules, published in the Federal Register February 9, 2016, are at:  
The comment period is open until April 11, 2016.

New HHS Fact Sheets on Exchange of PHI for Treatment and Operations

On February 4, 2016, the US Department of Health and Human Services announced, via its blog, that it had released two fact sheets concerning Permitted Uses and Disclosures for the Exchange of Protected Health Information for purposes of Treatment and for purposes of Health Care Operations, in order to clarify HIPAA regulations and help enable permissible uses and disclosures under the rules.  
• The blog entry is at 
• The fact sheet on Exchange for Treatment is at 
• The fact sheet on Exchange for Health Care Operations is at  

According to the blog post, this is the first in a series of postings of new guidance meant to clear confusion about HIPAA and promote proper compliance.  "Blog #2 will be background on HIPAA’s Permitted Uses and Disclosures: what they are, and how they advance the national goal of interoperability. Blog #3 will give examples of exchange of health information for Care Coordination, Care Planning, and Case Management, both between providers, and between provider and payers. Finally, Blog #4 will give examples of interoperable, permissible exchange of PHI for Quality Assurance and Population-Based Activities, including via a health information exchange.” 

HHS OCR Announces Fine for Insecure Handling of Paper PHI

On February 3, 2016, the US Department of Health and Human Services Office for Civil Rights announced that an HHS Administrative Law Judge (ALJ) has ruled that Lincare, Inc. (Lincare) violated the HIPAA Privacy Rule and granted summary judgment to OCR on all issues, requiring Lincare to pay $239,800 in civil money penalties.  This is only the second time in its history that OCR has sought CMPs for HIPAA violations, and each time the CMPs have been upheld by the ALJ. 

From the press release: "OCR’s investigation of Lincare began after an individual complained that a Lincare employee left behind documents containing the protected health information (PHI) of 278 patients after moving residences.  Evidence established that this employee removed patients’ information from the company’s office, left the information exposed in places where an unauthorized person had access, and then abandoned the information altogether.  Over the course of the investigation, OCR found that Lincare had inadequate policies and procedures in place to safeguard patient information that was taken offsite, although employees, who provide health care services in patients’ homes, regularly removed material from the business premises. Further evidence indicated that the organization had an unwritten policy requiring certain employees to store protected health information in their own vehicles for extended periods of time.  Although aware of the complaint and OCR’s investigation, Lincare subsequently took only minimal action to correct its policies and strengthen safeguards to ensure compliance with the HIPAA Rules.” 

The two messages here: Take proper care of paper records, and don’t ignore HHS Office for Civil Rights.

The Notice of Proposed Determination and the ALJ’s opinion may be found on the OCR website at

HHS OIG Report Says Utah Medicaid Systems Had Weaknesses

On February 2, 2016 FierceHealthIT reported that the HHS Office of Inspector General had completed a report in January entitled: INADEQUATE SECURITY MANAGEMENT PRACTICES LEFT UTAH DEPARTMENT OF HEALTH SENSITIVE MEDICAID DATA AT RISK OF UNAUTHORIZED DISCLOSURE.  Once again, the OIG pretty much says it all right there in the title.  This is a study of what happened when a contractor for Utah IT put up a server insecurely and 780,000 people in Utah had their PHI hacked.  The population of Utah is only 2.9 million, so that’s 29% of the state affected.  The news report is at  

The OIG Report is at:  

A report on the Utah Breaches is available at:   

FDA Provides Cybersecurity Recommendations for Medical Devices

On January 15, 2016 the US Food and Drug Administration (FDA) announced draft guidance on important steps medical device manufacturers should take to continually address cybersecurity risks to keep patients safe and better protect the public health. The draft guidance details the agency’s recommendations for monitoring, identifying and addressing cybersecurity vulnerabilities in medical devices once they have entered the market.  The announcement is available at:  and the guidance, posted January 22, 2016, is available at:  

In October 2014, the FDA issued guidance for medical device manufacturers regarding building cybersecurity into their product from the beginning of the development process, available at:  

HIMSS Announces its Healthcare Cybersecurity Community

On January 19, 2016, HIMSS launched its Healthcare Cybersecurity Community for its members, which will provide a forum where healthcare constituents can discuss and learn about advancing the state of cybersecurity in the healthcare industry.

Participation in the community will include monthly discussions via WebEx with healthcare cybersecurity thought-leaders and discussion with peers in the healthcare sector.  In addition, members of the Healthcare Cybersecurity Community can engage and dialogue with each other through a dedicated ListServ.

January Webinar Information: The first Healthcare Cybersecurity Community webinar will occur on January 28, 2016 from 2-3PM ET.  The speaker will be Kevin A. McDonald, BSN, MEPD, GCIS, CISSP, Director of Clinical Information Security at the Office of Information Security of Mayo Clinic.  He will discuss how healthcare providers can effectively address today’s people, process, and technology challenges as they pertain to cybersecurity.  Mr. McDonald will also discuss best practices and reference standards which may be helpful in overcoming these challenges.  Registration information for this event, along with other details about the community, can be found on the HIMSS Cybersecurity Community web site, at

How to join the community (you must be a member of HIMSS):
1. Log into the HIMSS member portal at
2. Under the “My Involvement” tab, click on the "Edit Participations” button.
3. Select "Healthcare Cybersecurity Community" and click on the “Save” button.

After you have completed steps 1 through 3, you will be automatically added to the HIMSS Healthcare Cybersecurity Community itself as well as the ListServ. 

Report Shows 84% of Mobile Health Apps Are Insecure

On January 13, 2016, Healthcare IT News reported that a new report shows 84 percent of U.S. FDA-approved health apps tested by IT security vendor Arxan Technologies did not adequately address at least two of the Open Web Application Security Project top 10 risks.  Most health apps are susceptible to code tampering and reverse-engineering, and 95% of the FDA-approved apps lack binary protection and have insufficient transport layer protection, leaving them open to hacks that could result in privacy violations, theft of personal health information, as well as device tampering and patient safety issues.  The article is available at:  

HHS Issues Guidance on Individuals’ Right of Access to PHI

On January 7, 2016, the US Department of Health and Human Services issued new guidance on individuals’ right to access their health information. The guidance includes general information and specifics about the details of proper implementation, and also includes an extensive Q&A section providing additional information.  If this guidance is an indication of the quality of information we should expect from HHS on the Web, it’s a good sign.  If you have questions on providing access under HIPAA, look here first.  

By the way, this new guidance is provided on the completely revamped HHS Web site, which is now much easier to use and search for information, even on your smart phone.  Happy exploring!  (Yes, I have good things to say about the HHS Web site!)

HIPAA Rule Issued to Ease Reporting to the NICS re Firearms

On January 6, 2016, a new rule was published in the Federal Register to modify HIPAA §164.512, adding a new section (k)(7) to allow use or disclosure of PHI for purposes of reporting to the National Instant Criminal Background Check System the identity of an individual who is prohibited from possessing a firearm.  Disclosures may include only the limited demographic and certain other information needed for purposes of reporting to the NICS, and may not include diagnostic or clinical information.  The new rule is available at:  

NIST Releases Report on De-Identification of Personal Info

On December 17, 2015, the National Institute of Standards and Technology announced a report on De-Identification of Personal Information, in NIST Internal Report 8053.  The report document summarizes two decades of de-identification research, discusses current practices, and presents opportunities for future research, including discussion of HIPAA methods for de-identification, and the effectiveness of the HIPAA Safe Harbor method.  The report is available at  If you are dealing with any issues of de-identifying PHI, READ THIS REPORT!

Also, see HHS’s guidance from 2012 on De-identification of PHI, available at:  

And the Hits Keep On Coming — New HIPAA RA Settlement

Looks like we’re really seeing the fruits of all that pressure on the HHS Office for Civil Rights to enforce HIPAA.  On December 14, 2015 HHS OCR announced a $750,000 settlement (and corrective action plan) with The University of Washington Medicine for not ensuring that Risk Analyses for its Affiliated Covered Entities were properly performed and not ensuring risks found were properly managed, as a result of a malware infection that led to a large breach of PHI.  The agreement and corrective action plan are available at:  

Pace of Settlements Increases — Two New Ones Announced

On November 25, 2015, the HHS Office for Civil Rights announced a settlement with Lahey Hospital and Medical Center of Burlington, Massachusetts, related to the theft of a laptop that was used as a medical device but was not included in the organization’s Risk Analysis, and widespread non-compliance with HIPAA revealed during the investigation, to the tune of $850,000 and a corrective action plan.  The agreement and plan are available at:  

Less than a week later, on November 30, 2015, HHS OCR announced a settlement with Triple-S Management Corporation for widespread non-compliance with HIPAA regulations in various subsidiaries, for a whopping $3.5 million plus a corrective action plan.  No, you can’t ignore the rules any longer.  The agreement and corrective action plan are available at:  

California Breach Notification Laws Beefed Up

On October 13, 2015, an article in Fierce Health IT indicated that California Governor Jerry Brown signed a new data breach notification law that defines encryption, describes the content of breach notices, and includes data captured by automated license plate readers.  The article is available at:  

OCR, FDA Security Enforcement in OIG 2016 Work Plan

In its FY 2016 Work Plan, the HHS Office of Inspector General plans to more closely scrutinize federal regulators' oversight of the security controls that healthcare providers and business associates use to protect electronic patient information. It also will review FDA oversight of medical device cybersecurity.  The FY 2016 Work Plan is available at:  An article on the Work Plan in GovInfo Security is available at:  

MS Office 2016 Includes New Data Privacy Features

On October 9, 2015, Healthcare IT News reported that the new release of MS Office 2016 includes several features geared toward healthcare providers including PHI recognition, smart attachments, encryption, single sign-on, and authentication, and more.  The article is at:  

Another Settlement, News from NIST/OCR HIPAA Love-Fest

On September 2, 2015 at the annual NIST/OCR HIPAA Security conference in Washington, DC, the latest in the increasing number of HIPAA settlements was announced, this time for a doctor’s group with an unencrypted laptop and backup media that were stolen from an employee’s car, and not having performed HIPAA Security Rule activities such as a Risk Analysis, for $750K plus a corrective action plan.  The settlement and press release are available at:  

The word ENCRYPTION was emphasized by many of the speakers at the annual official NIST/OCR HIPAA Security conference, and the sessions will be available for public consumption at the conference web site:    Let me explain: this is the only conference I attend every year without fail because you can hear from, speak with, and ask questions of all the top people at HHS who deal with HIPAA, and then some.  The sessions are definitely worth watching.  You will learn a LOT!  I learned a lot of details behind the headlines that you can read in any Health IT newsletter, which I will be sharing in an Occasional Client Update newsletter soon.

OCR Releases Handy Guide on HIPAA - Loads of Resource Links

In late July, 2015, the HHS Office for Civil Rights released a handy guide, HIPAA Basics for Providers: Privacy, Security, and Breach Notification Rules, that is a nice summary of how HIPAA applies and what is necessary for compliance at a basic level, and also includes a number of very useful links to other guidance.  

If you’re just getting started in HIPAA, this is a good way to get a basic understanding of HIPAA and then look at the linked guidance for more.  See:

NIST Releases Draft Guidance for Health Info & Mobile Devices

On July 23, 2015, the National Cybersecurity Center of Excellence (NCCoE) released for public comment a draft step-by-step guide (the first in a new series) that demonstrates how health care providers can make mobile devices, such as smartphones and tablets, more secure, in order to better protect patient information and still take advantage of advances in communications technology.

Securing Electronic Records on Mobile Devices provides IT implementers and security engineers with a detailed architecture so that they can copy, or recreate with different but similar technologies, the security characteristics of the guide. It also maps to standards and best practices from NIST and others, and to Health Insurance Portability and Accountability Act (HIPAA) rules. The guide takes into account the need for different types of implementation for different circumstances such as when cyber security is handled in-house or is outsourced.

Comments on the draft are requested by September 25, 2015.

The NIST press release is available at:  

An article in ComputerWorld on the draft guidance is available at:  

The draft document, a web form and a template for comments are available at  

Take note!  This is incredibly useful information, to say the least, and if you have any comments, please submit them so it can be even better.

$218K Settlement for Internet-based File Sharing with no RA

On July 10, 2015, the US Department of Health and Human Services Office for Civil Rights announced a $218,000 monetary settlement and corrective action plan with St. Elizabeth’s Medical Center in Brighton, Mass., for using a Web-based document sharing application without having performed a risk analysis, and for a breach involving an unencrypted personal laptop and flash memory device of a former employee containing PHI.  

The corrective action plan includes a thorough self-assessment of compliance, unannounced inspections of compliance and portable devices, and regular compliance progress reports to HHS.  The settlement announcement, agreement, and action plan are available at:  

The lesson here?  Do your risk analysis before using new technologies, train your staff well, and encrypt all laptops or portable devices with any PHI!

Oregon Breach Law to Include Health Information as of 1/1/16

According to a report in Becker Hospital Review, as of January 1, 2016, Oregon's Consumer Identity Theft Protection Act of 2007 will include mandatory notification for individuals whose personal health information is breached, as a result of the passage of Senate Bill 601.  On that date, the definition of sensitive identifying information will expand to include the following:
• Biometrics
• Health insurance policy numbers
• Unique identifiers of any kind used by health 
• Medical information history
• Any information about mental or physical conditions
• Information about a healthcare professional's medical diagnosis or treatment of an individual

The law also requires that the state attorney general be notified of data breaches or breaches of personal information involving 250 or more individuals.

The story is available at:  and Oregon Senate Bill 601 is available at:  

Annual NIST/OCR HIPAA Security Conference Announced

On July 8, 2015, the National Institute of Standards and Technology announced the 8th Annual Safeguarding Health Information: Building Assurance through HIPAA Security Conference, set for September 2-3, 2015 at the Grand Hyatt hotel in Washington, DC.  If you are a HIPAA specialist, you MUST attend this if you go anywhere this year.

The conference will explore the current health information technology security landscape and the HIPAA Security Rule, with practical strategies, tips and techniques for implementing the HIPAA Security Rule, and offer sessions exploring security management and technical assurance of electronic health information. Presentations will cover a variety of current topics including updates on the Omnibus HIPAA/HITECH Final Rule, breach management, business associate liability, managing 3rd party risk, securing medical devices, and more.

Participants can choose to participate on-site, or through a live web cast.  All registrations include access to archived webcast presentations and materials.  For more information and registration, please see:  

Dates Set for Annual NIST/OCR HIPAA Security Conference

On June 11, 2015, Lewis Creek Systems learned through reliable sources that the dates for this year’s NIST/OCR HIPAA Security Conference will be September 2 and 3, 2015, and will be held at the Grand Hyatt in D.C.  Sources indicated that a “save-the-date” announcement would be forthcoming within the week.

This is the only conference that I insist on attending every year, with all the leading experts and authorities from healthcare, NIST, and HHS in attendance or presenting.  I highly recommend watching for the announcement and attending.

HHS OIG Refines 2015 Work Plan and Adds New EHR Issues

On June 8, 2015, FierceHealthIT reported that the US Department of Health and Human Services Office of the Inspector General has updated its work plan, adding several new items and removing some as well.  

OIG will review the use of EHRs by accountable care organizations to coordinate care, will review the extent that providers participating in ACOs in the Medicare Shared Savings Program use EHRs to exchange health information to achieve their care coordination goals, and assess providers' use of EHRs to identify best practices and possible challenges in their progression toward interoperability.

OIG will also review EHR contingency planning required by HIPAA, whether providers that received Medicare and/or Medicaid Meaningful Use incentive payments were entitled to the money, and whether covered entities are adequately securing electronic PHI created or maintained by certified EHR technology.  OIG specifically states that hospitals must conduct security risk analyses.

The updated plan no longer includes a review of whether business associates also are adequately securing electronic patient protected health information and no longer includes a review of CMS' oversight of hospitals' security controls over networked medical devices. 

The story is available at:  

2015 HIPAA Audits Appear to be Getting Started, Finally

On May 22, 2015, FierceHealthIT reported that HHS has begun verifying contact information for HIPAA Covered Entities who could be selected for the Phase 2 HIPAA Audits called for by the HITECH Act.  Additional information is expected, and HHS advised watching its website for announcements.

Supposedly 550 to 800 entities will receive or have received surveys to determine their appropriateness for an audit, and 350 covered entities and 50 business associates are expected to be audited, according to reports.

The article is available at:  

New HIPAA Settlement for Improper Disposal of PHI, more enforcement actions expected soon

On April 27, 2015, the US Department of Health and Human Services Office for Civil Rights announced a settlement with Cornell Prescription Pharmacy (Cornell), a small, single-location pharmacy that provides in-store and prescription services to patients in the Denver, Colorado metropolitan area, specializing in compounded medications and services for hospice care agencies, for potential HIPAA violations.  Cornell will pay $125,000 and adopt a corrective action plan to correct deficiencies in its HIPAA compliance program.

A Denver news outlet notified HHS OCR of disposal of un-shredded, unsecured documents containing specific protected health information (PHI) of 1,610 patients in an unlocked, open container on Cornell's premises.  Cornell had failed to implement and provide training to the workforce in any written policies and procedures as required by the HIPAA Privacy Rule.

The agreement requires Cornell to develop and implement a comprehensive set of policies and procedures to comply with the Privacy Rule, and develop and provide staff training.  The Resolution Agreement can be found on the OCR website via:  

Recent news reports and rumors indicate that HHS is just ramping up its enforcement work on HIPAA, and this may be only the first indication of a coming flood of settlement agreements for HIPAA violations.  Take note!

Draft NIST Report Released on De-Identification of PII

On April 10, 2015 the National Institute of Standards and Technology released Draft NIST Interagency Report (NISTIR) 8053, De-Identification of Personally Identifiable Information, which is a topic near and dear to those of us who handle PHI.  Draft NISTIR 8053 along with a summary and announcement is at:

To submit comments to this draft, use the comment template available at the above URL.  Send comments to:  The deadline to submit comments is May 15, 2015.

HHS OCR Looking for Someone to Lead HIPAA Audit Program

On April 9, 2015, the US Department of Health and Human Services announced a job opening for someone to lead the HHS Office for Civil Rights’s HIPAA Audit Program.  Quote, "The Office for Civil Rights (OCR) has one Compliance Specialist (Auditing) position available within our Headquarters office located in Washington, DC. This position serves as the senior auditing subject matter expert who provides leadership, oversight, coordination, and advice necessary to design, plan and execute an audit program of covered entity and business associate compliance with the HIPAA Privacy, Security, and Breach Notification Rules.”

If they’re hiring someone to lead the HIPAA Audit Program, that probably means they’ll get around to doing some auditing again.  How soon?  Who knows…  The job listing is open until April 17, and is available at:  

ONC Releases Version 2 of Privacy and Security Guide for ePHI

In April 2015, the Office of the National Coordinator for Health Information Technology released version 2 of its Guide to Privacy and Security of Electronic Health Information, providing a concise summary of the processes and requirements involved in assuring adequate privacy and security of electronic Protected Health Information.  The guide is available at:  and Chapter 6, a Sample Seven Step Approach for Implementing a Security Management Process, is available separately at:  

Final Draft of NIST SP 800-171 (Security Summary) Issued

On April 3, 2015 the National Institute of Standards and Technology released the final public draft of SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, which provides an excellent summary of security actions to take to protect information systems, and provides a great checklist of security considerations.

To view the full announcement and link to this draft document, please visit the CSRC Drafts page at:

The deadline to submit comments on the draft is May 12, 2015.  Email your comments to:

Excellent New PCI Guidance on Penetration Testing Released

In March 2015, the PCI Security Standards Council released a new Information Supplement: Penetration Testing Guidance.  The guidance includes a great deal of useful information including a useful explanation of the difference between a penetration test and a vulnerability scan, as well as descriptions of test components, tester qualifications, and methodology, with a few case studies.

While the guidance is focused on payment card information protection, it is easy to apply to health information protection, which is, of course, a growing issue.  See:  

Links to Two Key Resources Updated; Wall of Shame Updated

In early March 2015, Internet links to two key resources were changed.  The old link to the HHS OCR “Wall of Shame” listing the breaches affecting more than 500 individuals, in typical HHS fashion, has simply stopped working, yielding a “page not found” error.  

The information is now available in a much easier to use format using modern Web technologies on secure pages that are part of the new HHS OCR portal that will someday be used for submission of information requested in the random audit program, due to restart “real soon now.”  The new-and-improved “Wall of Shame” is at  The new format is much easier to read and search, with easy export of the data in multiple formats.  See what happens to others -- make sure it doesn't happen to you.

Another key resource is the NIST Computer Security Incident Handling Guide, Special Publication 800-61 revision 2, which has been relocated to:  

New Jersey Law Requires Encryption of Health Information

On January 9, 2015, a New Jersey law was enacted, going into effect August 1, 2015, requiring that health insurance companies doing business in New Jersey encrypt personal data they transmit electronically over a public network or retain on end-user computers, such as desktops, workstations, laptops, storage media, and smart phones.  The law was prompted by health data breaches in New Jersey.  The brief text of the bill is available at:

News stories on the new law are available at:


              Copyright © 2002-2016 Lewis Creek Systems, LLC  Charlotte, Vermont, USA