New HIPAA Settlement for Improper Disposal of PHI, more enforcement actions expected soon
On April 27, 2015, the US Department of Health and Human Services Office for Civil Rights announced a settlement with Cornell Prescription Pharmacy (Cornell), a small, single-location pharmacy that provides in-store and prescription services to patients in the Denver, Colorado metropolitan area, specializing in compounded medications and services for hospice care agencies, for potential HIPAA violations. Cornell will pay $125,000 and adopt a corrective action plan to correct deficiencies in its HIPAA compliance program.
A Denver news outlet notified HHS OCR of disposal of un-shredded, unsecured documents containing specific protected health information (PHI) of 1,610 patients in an unlocked, open container on Cornell's premises. Cornell had failed to implement and provide training to the workforce in any written policies and procedures as required by the HIPAA Privacy Rule.
The agreement requires Cornell to develop and implement a comprehensive set of policies and procedures to comply with the Privacy Rule, and develop and provide staff training. The Resolution Agreement can be found on the OCR website via: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/cornell/index.html
Recent news reports and rumors indicate that HHS is just ramping up its enforcement work on HIPAA, and this may be only the first indication of a coming flood of settlement agreements for HIPAA violations. Take note!
Draft NIST Report Released on De-Identification of PII
On April 10, 2015 the National Institute of Standards and Technology released Draft NIST Interagency Report (NISTIR) 8053, De-Identification of Personally Identifiable Information, which is a topic near and dear to those of us who handle PHI. Draft NISTIR 8053 along with a summary and announcement is at: http://csrc.nist.gov/publications/PubsDrafts.html#NIST-IR-8053
To submit comments to this draft, use the comment template available at the above URL. Send comments to: firstname.lastname@example.org The deadline to submit comments is May 15, 2015.
HHS OCR Looking for Someone to Lead HIPAA Audit Program
On April 9, 2015, the US Department of Health and Human Services announced a job opening for someone to lead the HHS Office for Civil Rights’s HIPAA Audit Program. Quote, "The Office for Civil Rights (OCR) has one Compliance Specialist (Auditing) position available within our Headquarters office located in Washington, DC. This position serves as the senior auditing subject matter expert who provides leadership, oversight, coordination, and advice necessary to design, plan and execute an audit program of covered entity and business associate compliance with the HIPAA Privacy, Security, and Breach Notification Rules.”
If they’re hiring someone to lead the HIPAA Audit Program, that probably means they’ll get around to doing some auditing again. How soon? Who knows… The job listing is open until April 17, and is available at: https://www.usajobs.gov/GetJob/ViewDetails/398661600
ONC Releases Version 2 of Privacy and Security Guide for ePHI
In April 2015, the Office of the National Coordinator for Health Information Technology released version 2 of its Guide to Privacy and Security of Electronic Health Information, providing a concise summary of the processes and requirements involved in assuring adequate privacy and security of electronic Protected Health Information. The guide is available at: http://www.healthit.gov/sites/default/files/pdf/privacy/privacy-and-security-guide.pdf and Chapter 6, a Sample Seven Step Approach for Implementing a Security Management Process, is available separately at: http://www.healthit.gov/sites/default/files/pdf/privacy/privacy-and-security-guide-chapter-6.pdf
Final Draft of NIST SP 800-171 (Security Summary) Issued
On April 3, 2015 the National Institute of Standards and Technology released the final public draft of SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, which provides an excellent summary of security actions to take to protect information systems, and provides a great checklist of security considerations.
To view the full announcement and link to this draft document, please visit the CSRC Drafts page at: http://csrc.nist.gov/publications/PubsDrafts.html#800-171
If you would like to submit comments on the draft, the deadline to submit comments is May 12, 2015, and Email your comments to: email@example.com
Excellent New PCI Guidance on Penetration Testing Released
In March 2015, the PCI Security Standards Council released a new Information Supplement: Penetration Testing Guidance. The guidance includes a great deal of useful information including a useful explanation of the difference between a penetration test and a vulnerability scan, as well as descriptions of test components, tester qualifications, and methodology, with a few case studies.
While the guidance is focused on payment card information protection, it is easy to apply to health information protection, which is, of course, a growing issue. See: https://www.pcisecuritystandards.org/documents/Penetration_Testing_Guidance_March_2015.pdf
Links to Two Key Resources Updated; Wall of Shame Updated
In early March 2015, Internet links to two key resources were changed. The old link to the HHS OCR “Wall of Shame” listing the breaches affecting more than 500 individuals, in typical HHS fashion, has simply stopped working, yielding a “page not found” error.
The information is now available in a much easier to use format using modern Web technologies on secure pages that are part of the new HHS OCR portal that will someday be used for submission of information requested in the random audit program, due to restart “real soon now.” The new-and-improved “Wall of Shame” is at https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf The new format is much easier to read and search, with easy export of the data in multiple formats. See what happens to others -- make sure it doesn't happen to you.
Another key resource is the NIST Computer Security Incident Handling Guide, Special Publication 800-61 revision 2, which has been been relocated to: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
New Jersey Law Requires Encryption of Health Information
On January 9, 2015 a New Jersey law was enacted, going into effect August 1, 2015, requiring that health insurance companies doing business in New Jersey must encrypt personal data they transmit electronically a public network or retain on end-user computers, such as desktops, workstations, laptops, storage media, and smart phones. The law was prompted by health data breaches in New Jersey. The brief text of the bill is available at: http://www.njleg.state.nj.us/2014/Bills/S1000/562_R1.PDF
News stories on the new law are available at:
Security Alert for Windows Systems - Don’t be the next Sony!
On December 19 2014, the US Computer Emergency Readiness Team (US-CERT) issued Alert (TA14-353A) on Targeted Destructive Malware, about what can be done to help prevent an attack such as the recent attack on Sony. Healthcare institutions would be well advised to review the bulletin and implement measures accordingly. Make sure your technical security folks know about this! The Alert is available at: https://www.us-cert.gov/ncas/alerts/TA14-353A
NIST Announces Draft Rev’s to Small Business Security Guide
On December 16, 2014, the National Institute of Standards and Technology announced the draft of Revision 1 of NIST IR 7621, Small Business Information Security: The Fundamentals. The draft can be found on the NIST CSRC Draft publications page at: http://csrc.nist.gov/publications/PubsDrafts.html#ir7621r1
NIST, as a partner with the Small Business Administration and the Federal Bureau of Investigation in an information security awareness outreach to the small business community, developed this NISTIR as a reference guideline, intended to present the fundamentals of a small business information security program in non-technical language. Comments will be accepted through February 9, 2015. If you have any comments on the draft, please send comments or questions to: firstname.lastname@example.org.
$150K Settlement for Unpatched and Unsupported Software
On December 8, 2014, the US Department of Health and Human Services Office for Civil Rights announced that Anchorage Community Mental Health Services (ACMHS) has agreed to settle potential HIPAA violations by paying $150,000 and adopting a two-year corrective action plan, following investigation of a breach that revealed ACMHS had not implemented good security processes, had not regularly updated their IT resources with available patches, and were running outdated, unsupported software.
The bulletin and settlement agreement are available at: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/acmhs/index.html
NIST Draft SP 800-171 Provides Excellent Summary of Security
On November 20, 2015, the National Institute of Standards and Technology released the first public draft of SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, which provides an excellent summary of security actions to take to protect information systems, and provides a great checklist of security considerations.
To view the full announcement and link to this draft document, please visit the CSRC Drafts page at: http://csrc.nist.gov/publications/PubsDrafts.html#800-171
If you would like to submit comments on the draft, the deadline to submit comments is January 16, 2015, and Email your comments to: email@example.com
HHS Announces Guidance on HIPAA in Emergency Situations
On November 10, 2014, the US Department of Health and Human Services (HHS) published new guidance on HIPAA Privacy Rule protections in emergency situations, such as an Ebola outbreak, to ensure that HIPAA-regulated entities are aware of the ways in which patient information may be shared under the HIPAA Privacy Rule in an emergency situation, and to serve as a reminder that the protections of the Privacy Rule are not set aside during an emergency. The HIPAA Privacy Rule protects the privacy of patients' health information but also ensures that appropriate uses and disclosures of the information still may be made to treat a patient, to protect the nation's public health, and for other critical purposes.
OCR's bulletin on HIPAA Privacy in Emergency Situations may be found at: http://www.hhs.gov/ocr/privacy/hipaa/understanding/special/emergency/hipaa-privacy-emergency-situations.pdf
Additional guidance on HIPAA in Emergency Situations: Preparedness, Planning, and Response can be found at: http://www.hhs.gov/ocr/privacy/hipaa/understanding/special/emergency/index.html
HHS OIG 2015 Work Plan Includes HIPAA Security Enforcement
The 2015 Work Plan of the US Department of Health and Human Services (HHS) Office of Inspector General (OIG) has been announced and includes items pertaining to HIPAA Security, including analyzing the IT security of community health centers funded by the Health Resources and Services Administration, and reviewing controls over networked medical devices at hospitals. The HHS OIG Work Plan for Fiscal Year 2015 is available at: http://oig.hhs.gov/reports-and-publications/archives/workplan/2015/FY15-Work-Plan.pdf
SANS-Norse Report: Healthcare Info Compromises Epidemic
A 2014 report developed by SANS and Norse indicates widespread compromises of healthcare information in the US, affecting all kinds of healthcare organizations, and all kinds of devices from firewalls and radiology imaging systems to Web cameras and mail servers. "A significant number of compromises were due to very basic issues such as not changing default credentials on firewalls.” The report is available at: http://www.norse-corp.com/HealthcareReport2014.html (requires registration)
Serious Security Flaw Affects Unix-based Systems - Urgent!
On September 25, 2014, several announcements were made concerning a recently discovered serious security flaw in all Unix-based system implementations, known as the Bash/Shellshock Vulnerability.
US-CERT is aware of a Bash vulnerability affecting Unix-based operating systems such as Linux and Mac OS X. Exploitation of this vulnerability may allow a remote attacker to execute arbitrary code on an affected system. The notification is available at: https://www.us-cert.gov/ncas/current-activity/2014/09/24/Bourne-Again-Shell-Bash-Remote-Code-Execution-Vulnerability
HHS OCR Issues Guidance on HIPAA and Same-Sex Marriage
On September 17, 2014, the US Department of Health and Human Services Office for Civil Rights (OCR) issued guidance in response to the Supreme Court decision on same-sex marriage, specifying that spouses include both same-sex and opposite-sex individuals who are legally married, whether or not they live or receive services in a jurisdiction that recognizes their marriage.
The guidance clarifies that same-sex spouses are have the same HIPAA rights as other family members, no matter where services are provided. See: http://www.hhs.gov/ocr/privacy/hipaa/understanding/special/samesexmarriage/index.html
FBI Warns Healthcare is Now a Major Target of Hackers
On August 20, 2014, Reuters reported that the FBI has issued an alert through their Liaison Alert System specifically detailing a significant threat to healthcare information security posed by hackers. The FBI provides details about the threat, including information about how technical personnel can spot evidence of malicious activity related to the threat. The Reuters article is available at http://www.reuters.com/article/2014/08/20/us-cybersecurity-healthcare-fbi-idUSKBN0GK24U20140820 and the FBI warning is available here on this site.
Mass. AG Settles Breach Suit with RI Hospital for $150,000
On July 23, 2014, the Massachusetts Attorney General announced they had reached a $150,000 settlement with Women & Infants Hospital of Rhode Island to resolve issues concerning a breach in the Summer of 2011 of 12,000 Massachusetts patients’ names and health information that was not discovered until the Spring of 2012, and not reported until November of 2012. The breach occurred when unencrypted backup tapes went missing. Lessons here: #1: Encrypt your backup tapes. #2: Have a good system for managing your backup tape inventory. #3: Recognize that you may have issues with other states when you have a breach and your patients are residents of other states. #4: Don’t delay reporting your breaches properly — have a solid process! The settlement announcement is available at: http://www.mass.gov/ago/news-and-updates/press-releases/2014/2014-07-23-women-infants-hospital.html
7th Annual NIST/OCR HIPAA Security Conference Announced
On July 15, 2014, the US Department of Health and Human Services Office for Civil Rights (OCR) and the National Institute of Standards and Technology (NIST) announced the 7th annual NIST/OCR Safeguarding Health Information: Building Assurance through HIPAA Security conference, to be held September 23-24, 2014 at the Grand Hyatt Hotel, 1000 H Street NW, Washington, DC. If you are a HIPAA Security Officer, this is THE event to attend this year. Onsite attendance costs $345, and $200 for the webcast. For more information and registration, please see http://www.nist.gov/itl/csd/safeguarding-health-information-building-assurance-through-hipaa-security-2014.cfm
Settlements Continue: $800K for Poorly Handled Records
On June 24, 2014, the US Department of Health and Human Services Office for Civil Rights announced that Parkview Health System, Inc. (Parkview) has agreed to settle potential HIPAA violations by paying $800,000 and adopting a corrective action plan. Parkview employees had left 71 boxes of medical records in an open and accessible area, completely unsecured.
The press release and settlement agreement are available on the HHS Web site at: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/parkview.html and HHS provides FAQ on the proper disposal of protected health information at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/disposalfaqs.pdf
HHS Releases New Reports on Breaches and HIPAA Compliance
On June 11, 2014, The U.S. Department of Health and Human Services, Office for Civil Rights, has issued two Reports to Congress called for by the HITECH Act: one on Breaches of Unsecured Protected Health Information, and the other on HIPAA Privacy, Security, and Breach Notification Rule Compliance. The reports cover relevant activities in calendar years 2011 and 2012.
The breach notification report provides an overview of the breach notification requirements and discusses the reports received as a result. The report on compliance with the HIPAA Rules summarizes complaints received of alleged violations of the HITECH Act and the HIPAA Privacy and Security Rules. These are the second reports on these topics in response to the HITECH Act requirement. See: http://www.hhs.gov/ocr/privacy/hitechrepts.html
Exposed PHI Costs Columbia/Presbyterian Record $4.8 million
On May 7, 2014, the US Department of Health and Human Services Office for Civil Rights announced that New York and Presbyterian Hospital (NYP) and Columbia University (CU), operating jointly as New York Presbyterian Hospital / Columbia University Medical Center, had settled a complaint for a total of $4.8 million, following the unintentional exposure of the PHI of 6,800 individuals through insecure management of server deployments. The settlement includes an extensive (and expensive) corrective action plan.
The message here is to be sure you use good, professional practices in the development and implementation of all systems handling PHI. The press release is at: http://www.hhs.gov/news/press/2014pres/05/20140507b.html and the Resolution Agreements are available at: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/ny-and-presbyterian-hospital-settlement-agreement.pdf and http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/columbia-university-resolution-agreement.pdf
Stolen Laptops Lead To $2 million in Settlements for Entities
On April 22, 2014, it was announced that two entities have paid nearly $2 million total to the US Department of Health and Human Services Office for Civil Rights to resolve HIPAA issues around laptops that were stolen, that had PHI on them, and that were not encrypted, a scenario that is reported daily in the Health Information Technology press. In both cases, Concentra Health Services and QCA Health Plan, Inc. of Arkansas had not done the required complete and thorough risk analysis and implementation of a risk management plan. Both have corrective action plans that must be implemented, in addition to the monetary settlement. The press release is at: http://www.hhs.gov/news/press/2014pres/04/20140422b.html and the Resolution Agreements are available at: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/stolenlaptops-agreements.html
The message here is clear: 1) Do a solid Risk Analysis, and 2) Encrypt your portable devices and provide training on their secure use, or you risk big fines and corrective action plans.
FBI Issues Alert to Healthcare Entities About Cyber Security
On April 8, 2014, the FBI Cyber Division issued a Private Industry Notification, Health Care Systems and Medical Devices at Risk for Increased Cyber Intrusions for Financial Gain, a two-page overview of the state of information security in healthcare. The Notification references other research and reports to conclude that PHI is valuable ($50 per record, vs. $1 per record for financial information), security is insufficiently implemented, and breaches are widespread. This, combined with the rapid increase in the number of EHR implementations, leaves the healthcare industry vulnerable. The Notification is available at: http://www.illuminweb.com/wp-content/uploads/ill-mo-uploads/103/2418/health-systems-cyber-intrusions.pdf
The FBI encourages entities to report any suspicious or criminal activity to the local FBI field office; FBI regional phone numbers can be found online at http://www.fbi.gov/contact/fo/fo.htm
ONC & OCR Release Risk Assessment Tool for iPad & Windows
On March 28, 2014, the Office of the National Coordinator for Health IT, in collaboration with the HHS Office for Civil Rights and HHS Office of the General Counsel, released a new Risk Assessment tool for small and medium sized organizations that assists in the collection and analysis of data, and comes in iPad and Windows 7 versions.
In many ways, the tool is an evolution of the NIST HIPAA Security Rule Toolkit released in 2011. It doesn’t make the work any easier, but it makes organizing the information and producing reports a little easier if you’re new to Risk Analysis. Used well, it could help; used poorly, it could provide a false sense of security. The Tool, the user guide, and related videos are all available at: http://www.healthit.gov/providers-professionals/security-risk-assessment
WA County Gov’t Settles HIPAA Security Issues for $215K
On March 7, 2014, the US Department of Health and Human Services announced that Skagit County, Washington, has agreed to settle potential violations of the HIPAA Privacy, Security, and Breach Notification Rules for a $215,000 settlement and agreement to work closely with HHS to correct deficiencies in its HIPAA compliance program. The issues concern the deployment of PHI on insecure servers, exposing the information of 1581 individuals, and the lack of HIPAA-related policies, procedures, documentation, and training. The HHS press release is at: http://www.hhs.gov/news/press/2014pres/03/20140307a.html
The Resolution Agreement can be found on the OCR website at: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/skagit-agreement.html
HHS Requests Comments on Plan to Send Audit Readiness Information Requests to 1200 HIPAA CEs and BAs
On February 24, 2014, the US Department of Health and Human Services issued a request for comment on the proposed collection of information to determine the suitability of 1200 HIPAA Covered Entities and Business Associates for being audited under the requirements of the HITECH Act.
The survey will gather information about respondents to enable OCR to assess the size, complexity, and fitness of a respondent for an audit. Information collected includes, among other things, recent data about the number of patient visits or insured lives, use of electronic information, revenue, and business locations. See: https://www.federalregister.gov/articles/2014/02/24/2014-03830/agency-information-collection-activities-proposed-collection-public-comment-request
This means that the 2014 HIPAA random audit program is now ramping up, with the first wave of contacts going out once the comment period is over. The time to get ready is NOW.
UPDATE: Beginning in late March, 2014, HHS OCR began presenting its plan for resumption of the HIPAA Audit Program, Phase 2 of which will be getting under way in 2014 and expanding to include Business Associates in 2015. A PDF of a PowerPoint presentation by HHS OCR Senior Adviser Linda Sanches at the HCCA Compliance Institute March 31, 2014 is available at: http://www.hcca-info.org/Portals/0/PDFs/Resources/Conference_Handouts/Compliance_Institute/2014/tue/710print2.pdf
UPDATE #2: On May 12, 2014 HHS reissued its request for comment on its plan to survey 1200 entities for their suitability, gathering additional information until June 11, 2014. The reissued request for comment is available at: https://www.federalregister.gov/articles/2014/05/12/2014-10829/agency-information-collection-activities-submission-to-omb-for-review-and-approval-public-comment
HHS Issues HIPAA Guidance on Sharing Mental Health Info
On February 20, 2014, the U.S. Department of Health and Human Services announced new guidance explaining how the HIPAA Privacy Rule operates to protect individuals' privacy rights with respect to their mental health information and in what circumstances the Privacy Rule permits health care providers to communicate with patients' family members and others to enhance treatment and assure safety. This important guidance is available at: http://www.hhs.gov/ocr/privacy/hipaa/understanding/special/mhguidance.html
HHS Publishes Model Notice of Privacy Practices in Spanish
On February 19, 2014, the US Department of Health and Human Services announced it has created Spanish language versions of their new model HIPAA Notices of Privacy Practices. The model notices, in English and Spanish, are available at: http://www.hhs.gov/ocr/privacy/hipaa/modelnotices.html
HHS Launches Competition for Best Online Privacy Notice
In the hopes of finding a better model, on February 10, 2014, the US Department of Health and Human Services announced a call for designers, developers, and patient privacy experts to create an online model notice of privacy practices that is compelling, readable, and understandable by patients and is easily integrated into existing entity Web sites. Public voting on the the contestants will determine the winner, with a $15,000 prize for first place. See: http://oncchallenges.ideascale.com and http://www.gpo.gov/fdsys/pkg/FR-2014-02-10/html/2014-02785.htm
HHS Releases CLIA & HIPAA Rules Allowing Lab Info Access
The US Department of Health and Human Services is releasing a new final rule concerning the access of laboratory information by individuals, to be officially published February 6, 2014. The new rule amends CLIA to allow access of authenticated information by authenticated individuals or their authorized representatives under HIPAA, and amends HIPAA to remove laboratory information from the list of information to which individuals may be denied access.
As usual, the Preamble is well worth reading. Individuals may still access results via their physician, and results may still be accessed for the usual treatment purposes; the new rules simply add new access rights, but create a whole new world for labs and patient communications. See: https://www.federalregister.gov/articles/2014/02/06/2014-02280/patients-access-to-test-reports-clia-program-and-hipaa-privacy-rule
FTC Gets Into Healthcare Privacy & Security Enforcement
On January 16, 2014, the US Federal Trade Commission unanimously asserted that it has authority to enforce consumer protection laws concerning the privacy and security of healthcare information, even when the concerned business is also covered under the HIPAA regulations. FTC sees no conflict with HHS activity and finds no problems with enforcing the rules alongside HHS.
This means that, whether or not a privacy or security problem is noted by HHS, the FTC could become involved involved if they feel there have been deceptive trade practices, e.g, promising security and then not providing it.
The FTC order is at http://op.bna.com/hl.nsf/id/psts-9fmms7/$File/lab.pdf . An accompanying story in Bloomberg BNA is available at: http://www.bna.com/ftc-affirms-data-n17179881620/
HHS Proposes HIPAA Changes to Allow NICS Communication
On January 3, 2014, the US Department of Health and Human Services issued a Notice of Proposed Rule Making (NPRM) intended to make it easier to report information to the National Instant Criminal Background Check System (NICS). The NPRM would modify the HIPAA Privacy Rule to permit certain HIPAA-covered entities to disclose to the NICS the identities of persons prohibited by federal law from possessing or receiving a firearm for reasons related to mental health.
The information is reported to the NICS would not include clinical, diagnostic, or other mental health information. Instead, certain covered entities would be permitted to disclose the minimum necessary identifying information about individuals who have been involuntarily committed to a mental institution or otherwise have been determined by a lawful authority to be a danger to themselves or others or to lack the mental capacity to manage their own affairs.
The NPRM and additional information are available at: http://www.hhs.gov/ocr/privacy/hipaa/understanding/special/NICS/index.html