Links to Two Key Resources Updated; Wall of Shame Updated
In early March 2015, Internet links to two key resources were changed. The old link to the HHS OCR “Wall of Shame” listing the breaches affecting more than 500 individuals, in typical HHS fashion, has simply stopped working, yielding a “page not found” error.
The information is now available in a much easier to use format using modern Web technologies on secure pages that are part of the new HHS OCR portal that will someday be used for submission of information requested in the random audit program, due to restart “real soon now.” The new-and-improved “Wall of Shame” is at https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf The new format is much easier to read and search, with easy export of the data in multiple formats. See what happens to others -- make sure it doesn't happen to you.
Another key resource is the NIST Computer Security Incident Handling Guide, Special Publication 800-61 revision 2, which has been been relocated to: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
New Jersey Law Requires Encryption of Health Information
On January 9, 2015 a New Jersey law was enacted, going into effect August 1, 2015, requiring that health insurance companies doing business in New Jersey must encrypt personal data they transmit electronically a public network or retain on end-user computers, such as desktops, workstations, laptops, storage media, and smart phones. The law was prompted by health data breaches in New Jersey. The brief text of the bill is available at: http://www.njleg.state.nj.us/2014/Bills/S1000/562_R1.PDF
News stories on the new law are available at:
Security Alert for Windows Systems - Don’t be the next Sony!
On December 19 2014, the US Computer Emergency Readiness Team (US-CERT) issued Alert (TA14-353A) on Targeted Destructive Malware, about what can be done to help prevent an attack such as the recent attack on Sony. Healthcare institutions would be well advised to review the bulletin and implement measures accordingly. Make sure your technical security folks know about this! The Alert is available at: https://www.us-cert.gov/ncas/alerts/TA14-353A
NIST Announces Draft Rev’s to Small Business Security Guide
On December 16, 2014, the National Institute of Standards and Technology announced the draft of Revision 1 of NIST IR 7621, Small Business Information Security: The Fundamentals. The draft can be found on the NIST CSRC Draft publications page at: http://csrc.nist.gov/publications/PubsDrafts.html#ir7621r1
NIST, as a partner with the Small Business Administration and the Federal Bureau of Investigation in an information security awareness outreach to the small business community, developed this NISTIR as a reference guideline, intended to present the fundamentals of a small business information security program in non-technical language. Comments will be accepted through February 9, 2015. If you have any comments on the draft, please send comments or questions to: firstname.lastname@example.org.
$150K Settlement for Unpatched and Unsupported Software
On December 8, 2014, the US Department of Health and Human Services Office for Civil Rights announced that Anchorage Community Mental Health Services (ACMHS) has agreed to settle potential HIPAA violations by paying $150,000 and adopting a two-year corrective action plan, following investigation of a breach that revealed ACMHS had not implemented good security processes, had not regularly updated their IT resources with available patches, and were running outdated, unsupported software.
The bulletin and settlement agreement are available at: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/acmhs/index.html
NIST Draft SP 800-171 Provides Excellent Summary of Security
On November 20, 2015, the National Institute of Standards and Technology released the first public draft of SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, which provides an excellent summary of security actions to take to protect information systems, and provides a great checklist of security considerations.
To view the full announcement and link to this draft document, please visit the CSRC Drafts page at: http://csrc.nist.gov/publications/PubsDrafts.html#800-171
If you would like to submit comments on the draft, the deadline to submit comments is January 16, 2015, and Email your comments to: email@example.com
HHS Announces Guidance on HIPAA in Emergency Situations
On November 10, 2014, the US Department of Health and Human Services (HHS) published new guidance on HIPAA Privacy Rule protections in emergency situations, such as an Ebola outbreak, to ensure that HIPAA-regulated entities are aware of the ways in which patient information may be shared under the HIPAA Privacy Rule in an emergency situation, and to serve as a reminder that the protections of the Privacy Rule are not set aside during an emergency. The HIPAA Privacy Rule protects the privacy of patients' health information but also ensures that appropriate uses and disclosures of the information still may be made to treat a patient, to protect the nation's public health, and for other critical purposes.
OCR's bulletin on HIPAA Privacy in Emergency Situations may be found at: http://www.hhs.gov/ocr/privacy/hipaa/understanding/special/emergency/hipaa-privacy-emergency-situations.pdf
Additional guidance on HIPAA in Emergency Situations: Preparedness, Planning, and Response can be found at: http://www.hhs.gov/ocr/privacy/hipaa/understanding/special/emergency/index.html
HHS OIG 2015 Work Plan Includes HIPAA Security Enforcement
The 2015 Work Plan of the US Department of Health and Human Services (HHS) Office of Inspector General (OIG) has been announced and includes items pertaining to HIPAA Security, including analyzing the IT security of community health centers funded by the Health Resources and Services Administration, and reviewing controls over networked medical devices at hospitals. The HHS OIG Work Plan for Fiscal Year 2015 is available at: http://oig.hhs.gov/reports-and-publications/archives/workplan/2015/FY15-Work-Plan.pdf
SANS-Norse Report: Healthcare Info Compromises Epidemic
A 2014 report developed by SANS and Norse indicates widespread compromises of healthcare information in the US, affecting all kinds of healthcare organizations, and all kinds of devices from firewalls and radiology imaging systems to Web cameras and mail servers. "A significant number of compromises were due to very basic issues such as not changing default credentials on firewalls.” The report is available at: http://www.norse-corp.com/HealthcareReport2014.html (requires registration)
Serious Security Flaw Affects Unix-based Systems - Urgent!
On September 25, 2014, several announcements were made concerning a recently discovered serious security flaw in all Unix-based system implementations, known as the Bash/Shellshock Vulnerability.
US-CERT is aware of a Bash vulnerability affecting Unix-based operating systems such as Linux and Mac OS X. Exploitation of this vulnerability may allow a remote attacker to execute arbitrary code on an affected system. The notification is available at: https://www.us-cert.gov/ncas/current-activity/2014/09/24/Bourne-Again-Shell-Bash-Remote-Code-Execution-Vulnerability
HHS OCR Issues Guidance on HIPAA and Same-Sex Marriage
On September 17, 2014, the US Department of Health and Human Services Office for Civil Rights (OCR) issued guidance in response to the Supreme Court decision on same-sex marriage, specifying that spouses include both same-sex and opposite-sex individuals who are legally married, whether or not they live or receive services in a jurisdiction that recognizes their marriage.
The guidance clarifies that same-sex spouses are have the same HIPAA rights as other family members, no matter where services are provided. See: http://www.hhs.gov/ocr/privacy/hipaa/understanding/special/samesexmarriage/index.html
FBI Warns Healthcare is Now a Major Target of Hackers
On August 20, 2014, Reuters reported that the FBI has issued an alert through their Liaison Alert System specifically detailing a significant threat to healthcare information security posed by hackers. The FBI provides details about the threat, including information about how technical personnel can spot evidence of malicious activity related to the threat. The Reuters article is available at http://www.reuters.com/article/2014/08/20/us-cybersecurity-healthcare-fbi-idUSKBN0GK24U20140820 and the FBI warning is available here on this site.
Mass. AG Settles Breach Suit with RI Hospital for $150,000
On July 23, 2014, the Massachusetts Attorney General announced they had reached a $150,000 settlement with Women & Infants Hospital of Rhode Island to resolve issues concerning a breach in the Summer of 2011 of 12,000 Massachusetts patients’ names and health information that was not discovered until the Spring of 2012, and not reported until November of 2012. The breach occurred when unencrypted backup tapes went missing. Lessons here: #1: Encrypt your backup tapes. #2: Have a good system for managing your backup tape inventory. #3: Recognize that you may have issues with other states when you have a breach and your patients are residents of other states. #4: Don’t delay reporting your breaches properly — have a solid process! The settlement announcement is available at: http://www.mass.gov/ago/news-and-updates/press-releases/2014/2014-07-23-women-infants-hospital.html
7th Annual NIST/OCR HIPAA Security Conference Announced
On July 15, 2014, the US Department of Health and Human Services Office for Civil Rights (OCR) and the National Institute of Standards and Technology (NIST) announced the 7th annual NIST/OCR Safeguarding Health Information: Building Assurance through HIPAA Security conference, to be held September 23-24, 2014 at the Grand Hyatt Hotel, 1000 H Street NW, Washington, DC. If you are a HIPAA Security Officer, this is THE event to attend this year. Onsite attendance costs $345, and $200 for the webcast. For more information and registration, please see http://www.nist.gov/itl/csd/safeguarding-health-information-building-assurance-through-hipaa-security-2014.cfm
Settlements Continue: $800K for Poorly Handled Records
On June 24, 2014, the US Department of Health and Human Services Office for Civil Rights announced that Parkview Health System, Inc. (Parkview) has agreed to settle potential HIPAA violations by paying $800,000 and adopting a corrective action plan. Parkview employees had left 71 boxes of medical records in an open and accessible area, completely unsecured.
The press release and settlement agreement are available on the HHS Web site at: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/parkview.html and HHS provides FAQ on the proper disposal of protected health information at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/disposalfaqs.pdf
HHS Releases New Reports on Breaches and HIPAA Compliance
On June 11, 2014, The U.S. Department of Health and Human Services, Office for Civil Rights, has issued two Reports to Congress called for by the HITECH Act: one on Breaches of Unsecured Protected Health Information, and the other on HIPAA Privacy, Security, and Breach Notification Rule Compliance. The reports cover relevant activities in calendar years 2011 and 2012.
The breach notification report provides an overview of the breach notification requirements and discusses the reports received as a result. The report on compliance with the HIPAA Rules summarizes complaints received of alleged violations of the HITECH Act and the HIPAA Privacy and Security Rules. These are the second reports on these topics in response to the HITECH Act requirement. See: http://www.hhs.gov/ocr/privacy/hitechrepts.html
Exposed PHI Costs Columbia/Presbyterian Record $4.8 million
On May 7, 2014, the US Department of Health and Human Services Office for Civil Rights announced that New York and Presbyterian Hospital (NYP) and Columbia University (CU), operating jointly as New York Presbyterian Hospital / Columbia University Medical Center, had settled a complaint for a total of $4.8 million, following the unintentional exposure of the PHI of 6,800 individuals through insecure management of server deployments. The settlement includes an extensive (and expensive) corrective action plan.
The message here is to be sure you use good, professional practices in the development and implementation of all systems handling PHI. The press release is at: http://www.hhs.gov/news/press/2014pres/05/20140507b.html and the Resolution Agreements are available at: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/ny-and-presbyterian-hospital-settlement-agreement.pdf and http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/columbia-university-resolution-agreement.pdf
Stolen Laptops Lead To $2 million in Settlements for Entities
On April 22, 2014, it was announced that two entities have paid nearly $2 million total to the US Department of Health and Human Services Office for Civil Rights to resolve HIPAA issues around laptops that were stolen, that had PHI on them, and that were not encrypted, a scenario that is reported daily in the Health Information Technology press. In both cases, Concentra Health Services and QCA Health Plan, Inc. of Arkansas had not done the required complete and thorough risk analysis and implementation of a risk management plan. Both have corrective action plans that must be implemented, in addition to the monetary settlement. The press release is at: http://www.hhs.gov/news/press/2014pres/04/20140422b.html and the Resolution Agreements are available at: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/stolenlaptops-agreements.html
The message here is clear: 1) Do a solid Risk Analysis, and 2) Encrypt your portable devices and provide training on their secure use, or you risk big fines and corrective action plans.
FBI Issues Alert to Healthcare Entities About Cyber Security
On April 8, 2014, the FBI Cyber Division issued a Private Industry Notification, Health Care Systems and Medical Devices at Risk for Increased Cyber Intrusions for Financial Gain, a two-page overview of the state of information security in healthcare. The Notification references other research and reports to conclude that PHI is valuable ($50 per record, vs. $1 per record for financial information), security is insufficiently implemented, and breaches are widespread. This, combined with the rapid increase in the number of EHR implementations, leaves the healthcare industry vulnerable. The Notification is available at: http://www.illuminweb.com/wp-content/uploads/ill-mo-uploads/103/2418/health-systems-cyber-intrusions.pdf
The FBI encourages entities to report any suspicious or criminal activity to the local FBI field office; FBI regional phone numbers can be found online at http://www.fbi.gov/contact/fo/fo.htm
ONC & OCR Release Risk Assessment Tool for iPad & Windows
On March 28, 2014, the Office of the National Coordinator for Health IT, in collaboration with the HHS Office for Civil Rights and HHS Office of the General Counsel, released a new Risk Assessment tool for small and medium sized organizations that assists in the collection and analysis of data, and comes in iPad and Windows 7 versions.
In many ways, the tool is an evolution of the NIST HIPAA Security Rule Toolkit released in 2011. It doesn’t make the work any easier, but it makes organizing the information and producing reports a little easier if you’re new to Risk Analysis. Used well, it could help; used poorly, it could provide a false sense of security. The Tool, the user guide, and related videos are all available at: http://www.healthit.gov/providers-professionals/security-risk-assessment
WA County Gov’t Settles HIPAA Security Issues for $215K
On March 7, 2014, the US Department of Health and Human Services announced that Skagit County, Washington, has agreed to settle potential violations of the HIPAA Privacy, Security, and Breach Notification Rules for a $215,000 settlement and agreement to work closely with HHS to correct deficiencies in its HIPAA compliance program. The issues concern the deployment of PHI on insecure servers, exposing the information of 1581 individuals, and the lack of HIPAA-related policies, procedures, documentation, and training. The HHS press release is at: http://www.hhs.gov/news/press/2014pres/03/20140307a.html
The Resolution Agreement can be found on the OCR website at: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/skagit-agreement.html
HHS Requests Comments on Plan to Send Audit Readiness Information Requests to 1200 HIPAA CEs and BAs
On February 24, 2014, the US Department of Health and Human Services issued a request for comment on the proposed collection of information to determine the suitability of 1200 HIPAA Covered Entities and Business Associates for being audited under the requirements of the HITECH Act.
The survey will gather information about respondents to enable OCR to assess the size, complexity, and fitness of a respondent for an audit. Information collected includes, among other things, recent data about the number of patient visits or insured lives, use of electronic information, revenue, and business locations. See: https://www.federalregister.gov/articles/2014/02/24/2014-03830/agency-information-collection-activities-proposed-collection-public-comment-request
This means that the 2014 HIPAA random audit program is now ramping up, with the first wave of contacts going out once the comment period is over. The time to get ready is NOW.
UPDATE: Beginning in late March, 2014, HHS OCR began presenting its plan for resumption of the HIPAA Audit Program, Phase 2 of which will be getting under way in 2014 and expanding to include Business Associates in 2015. A PDF of a PowerPoint presentation by HHS OCR Senior Adviser Linda Sanches at the HCCA Compliance Institute March 31, 2014 is available at: http://www.hcca-info.org/Portals/0/PDFs/Resources/Conference_Handouts/Compliance_Institute/2014/tue/710print2.pdf
UPDATE #2: On May 12, 2014 HHS reissued its request for comment on its plan to survey 1200 entities for their suitability, gathering additional information until June 11, 2014. The reissued request for comment is available at: https://www.federalregister.gov/articles/2014/05/12/2014-10829/agency-information-collection-activities-submission-to-omb-for-review-and-approval-public-comment
HHS Issues HIPAA Guidance on Sharing Mental Health Info
On February 20, 2014, the U.S. Department of Health and Human Services announced new guidance explaining how the HIPAA Privacy Rule operates to protect individuals' privacy rights with respect to their mental health information and in what circumstances the Privacy Rule permits health care providers to communicate with patients' family members and others to enhance treatment and assure safety. This important guidance is available at: http://www.hhs.gov/ocr/privacy/hipaa/understanding/special/mhguidance.html
HHS Publishes Model Notice of Privacy Practices in Spanish
On February 19, 2014, the US Department of Health and Human Services announced it has created Spanish language versions of their new model HIPAA Notices of Privacy Practices. The model notices, in English and Spanish, are available at: http://www.hhs.gov/ocr/privacy/hipaa/modelnotices.html
HHS Launches Competition for Best Online Privacy Notice
In the hopes of finding a better model, on February 10, 2014, the US Department of Health and Human Services announced a call for designers, developers, and patient privacy experts to create an online model notice of privacy practices that is compelling, readable, and understandable by patients and is easily integrated into existing entity Web sites. Public voting on the the contestants will determine the winner, with a $15,000 prize for first place. See: http://oncchallenges.ideascale.com and http://www.gpo.gov/fdsys/pkg/FR-2014-02-10/html/2014-02785.htm
HHS Releases CLIA & HIPAA Rules Allowing Lab Info Access
The US Department of Health and Human Services is releasing a new final rule concerning the access of laboratory information by individuals, to be officially published February 6, 2014. The new rule amends CLIA to allow access of authenticated information by authenticated individuals or their authorized representatives under HIPAA, and amends HIPAA to remove laboratory information from the list of information to which individuals may be denied access.
As usual, the Preamble is well worth reading. Individuals may still access results via their physician, and results may still be accessed for the usual treatment purposes; the new rules simply add new access rights, but create a whole new world for labs and patient communications. See: https://www.federalregister.gov/articles/2014/02/06/2014-02280/patients-access-to-test-reports-clia-program-and-hipaa-privacy-rule
FTC Gets Into Healthcare Privacy & Security Enforcement
On January 16, 2014, the US Federal Trade Commission unanimously asserted that it has authority to enforce consumer protection laws concerning the privacy and security of healthcare information, even when the concerned business is also covered under the HIPAA regulations. FTC sees no conflict with HHS activity and finds no problems with enforcing the rules alongside HHS.
This means that, whether or not a privacy or security problem is noted by HHS, the FTC could become involved involved if they feel there have been deceptive trade practices, e.g, promising security and then not providing it.
The FTC order is at http://op.bna.com/hl.nsf/id/psts-9fmms7/$File/lab.pdf . An accompanying story in Bloomberg BNA is available at: http://www.bna.com/ftc-affirms-data-n17179881620/
HHS Proposes HIPAA Changes to Allow NICS Communication
On January 3, 2014, the US Department of Health and Human Services issued a Notice of Proposed Rule Making (NPRM) intended to make it easier to report information to the National Instant Criminal Background Check System (NICS). The NPRM would modify the HIPAA Privacy Rule to permit certain HIPAA-covered entities to disclose to the NICS the identities of persons prohibited by federal law from possessing or receiving a firearm for reasons related to mental health.
The information is reported to the NICS would not include clinical, diagnostic, or other mental health information. Instead, certain covered entities would be permitted to disclose the minimum necessary identifying information about individuals who have been involuntarily committed to a mental institution or otherwise have been determined by a lawful authority to be a danger to themselves or others or to lack the mental capacity to manage their own affairs.
The NPRM and additional information are available at: http://www.hhs.gov/ocr/privacy/hipaa/understanding/special/NICS/index.html
$150K Settlement for Stolen USB Drive and No Breach Policies
On December 27, 2013, US Department of Health and Human Services Office for Civil Rights announced that Adult & Pediatric Dermatology, P.C., of Concord, Mass., (APDerm), a private practice that delivers dermatology services in six locations, has agreed to settle potential HIPAA violations, agreeing to a $150,000 payment and a corrective action plan to correct deficiencies in its HIPAA compliance program. This is the first settlement with a covered entity for not having HIPAA Breach Notification policies and procedures in place.
An unencrypted thumb drive with the health information of 2,200 individuals was stolen from a vehicle and never recovered. APDerm had not conducted a HIPAA Risk Analysis and did not have in place written policies, procedures, and training for breach handling. In addition to the $150,000 resolution, the settlement includes a corrective action plan requiring a risk analysis and risk management plan to address and mitigate any security risks and vulnerabilities, and provide an implementation report to OCR.
The resolution agreement and press release can be found on the OCR website at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/apderm-agreement.html
Accounting of Disclosures Rule Recommendations Released
On December 4, 2013, the US Department of Health and Human Services Office of the National Coordinator for Health IT Health IT Policy Committee Privacy and Security Tiger Team (the USDHHS-ONCHIT-HITPC-PSTT?) released a report with its recommendations for implementation of the HITECH Act requirements for Accounting of Disclosures, available as a PDF of slides, at http://www.healthit.gov/FACAS/sites/faca/files/HITPC_PSTT_Accounting%20of%20Disclosures_FINAL_12042013.pdf The recommendations call for a staged implementation relying on available technologies, with an accounting of disclosures outside the organization from certified EHRs as the first step, a new right to request an investigation of internal access, and recommendations to expand the Security Rule to call for more detailed ability to log access for auditing.
Compared with the proposed rule, the recommendations are more reasonable, more implementable, and more likely to satisfy the desires of patients. There is also an AHIMA article on the report at http://journal.ahima.org/2013/12/09/onc-committee-makes-accounting-of-disclosures-recommendations/
HHS OIG Slams HHS OCR for HIPAA Audit Program Deficiencies
The US Department of Health and Human Services Office of Inspector General (OIG) issued in late November 2013 highly critical of the work done by the HHS Office for Civil Rights (OCR) in implementation of requirements for audits of HIPAA Security Rule compliance to be performed under the HITECH Act, enacted in February of 2009. In addition, OIG found that OCR's own system implementations used in the management of their audit process were not performed securely.
The OIG report, titled The Office for Civil Rights Did Not Meet All Federal Requirements in Its Oversight and Enforcement of the Health Insurance Portability and Accountability Act Security Rule, calls for better controls on the HITECH auditing process and systems used by HHS, and implementation of periodic Security Rule audits. See: http://oig.hhs.gov/oas/reports/region4/41105025.pdf
The impact of the report is that it may be now expected that efforts to audit HIPAA Security Rule compliance will be increased, putting additional pressure on HIPAA entities to do the work necessary for HIPAA Security Rule compliance now.
HHS OCR Releases New HIPAA Security Risk Analysis Tipsheet
On November 22, 2013, the US Department of Health and Human Services Office for Civil Rights released an updated Security Risk Analysis Tipsheet including an overview of the HIPAA Security Rule Risk Analysis requirement, a table of risk and safeguard examples, and a table of Myths vs. Facts about Security Risk Analysis. The Tipsheet is available at: http://www.cms.gov/Regulations-and-Guidance/Legislation/EHRIncentivePrograms/Downloads/SecurityRiskAssessment_FactSheet_Updated20131122.pdf
PCI Security Standards Council Releases DSS v3.0, eff. 1/1/14
On November 7, 2013, the PCI Security Standards Council released version 3.0 of the PCI Data Security Standard, to which all payment card merchants and data handlers are held, effective January 1, 2014, with a compliance deadline of July 1, 2015. The new version emphasizes maintaing awareness of threats and education to help ensure secure use of systems. PCI documentation is available at: https://www.pcisecuritystandards.org/security_standards/documents.php?agreements=pcidss&association=pcidss For an overview of PCI DSS compliance, see: https://www.pcisecuritystandards.org/security_standards/index.php The press release from PCI, including many details of the changes, is available at: https://www.pcisecuritystandards.org/pdfs/13_11_06_DSS_PCI_DSS_Version_3_0_Press_Release.pdf
HHS OCR Holds Accounting of Disclosures Hearing
On September 24, 2013, the US Department of Health and Human Services Office of Civil Rights announced that the HIT Policy Committee's Privacy and Security Tiger Team will be holding a virtual, public hearing to explore practical ways to provide patients with greater transparency about the uses and disclosures of their electronic PHI, to facilitate implementation of the HITECH requirement that a patient’s right under the HIPAA Privacy Rule to an "accounting" of disclosures include disclosures for "treatment, payment and operations" when such disclosures are made through "an electronic health record." This hearing will be held on Monday, September 30 from 11:45 a.m. to 5:00 p.m. EDT. To listen to this meeting, see: http://www.healthit.gov/facas/calendar/2013/09/30/policy-privacy-security-tiger-team-virtual-hearing
The Tiger Team invites members of the public to provide written answers to key discussions questions through the ONC blog at: http://www.healthit.gov/buzz-blog/. The Tiger Team will consider these answers as it continues to deliberate and make recommendations on these issues. In addition, the hearing will include time for public comments from 4:45 to 5:00 p.m. EDT.
HHS Issues Guidance on Decedents, Student Immunizations, Law Enforcement
On September 19, 2013, a busy day at the HHS Office for Civil Rights, OCR issued guidance on decedents and student immunizations, as well as the guidance and delay announcement below, and, the next day, released a guide to HIPAA for Law Enforcement. The guidances, and other essential HIPAA news from HHS are at: http://www.hhs.gov/ocr/privacy/
HHS Refill Reminders Guidance and Enforcement Delay
On September 19, 2013, the HHS Office for Civil Rights (OCR) issued guidance on how the changes to the HIPAA Privacy Rule’s marketing provisions apply to refill reminders and other communications about drugs or biologics currently being prescribed for individuals. The new Fact Sheet and corresponding FAQs explain how the refill reminder exception to the marketing rule works, the scope of communications that fall within the exception, and the types of third party payments that are considered “reasonable”.
In addition, OCR will not enforce the restrictions on refill reminders for a period of 45 days following the September 23, 2013, compliance date, or until November 7, 2013.
HHS Delays HIPAA NPP Enforcement for CLIA Laboratories
On September 19, 2013, the US Department of Health and Human Services Office of Civil Rights announced that it would delay enforcement of the required update of the HIPAA Notice of Privacy Practices for HIPAA-covered laboratories that are subject to CLIA or otherwise not required to provide access to individuals under HIPAA, not including any laboratories that are part of a larger entity and do not have their own separate NPP. The delay is being allowed because such notices will need to be updated when the CLIA regulations are updated, which is expected soon, and it would be a burden to have to update twice over a short period of time. The delay was announced just four days before the new rules became enforceable. The announcement is available at: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/clia-labs.html
HHS OCR and ONC Release HIPAA Privacy Notice Templates
On September 16, 2013, the US Department of Health and Human Services Office of Civil Rights and the Office of the National Coordinator for Health IT published a set of templates in four formats, for both providers and health plans, and instructions for use, for HIPAA Notices of Privacy Practices, that include the required changes pursuant to the HIPAA Omnibus Update of 2013. The templates are available at: http://www.hhs.gov/ocr/privacy/hipaa/modelnotices.html
In related news, the AMA released in September 2013 updated tools for HIPAA Privacy and Security Compliance, including new sample Notice of Privacy Practices and Business Associate Agreement templates, as well as toolkits and FAQs. See: http://www.ama-assn.org/go/hipaa
PHI on Old Copier Yields $1.2 million Settlement with Affinity
On August 14, 2013, the US Department of Health and Human Services announced that it will settle with Affinity Health Plan, Inc. potential violations of HIPAA for $1,215,780, as a result of a breach involving the information of more than 340,000 individuals that was left on a leased copier purchased by CBS Evening News as part of an investigation into private information held on old copiers. The CBS Evening News story that identified the breach is available at http://www.youtube.com/watch?v=iC38D5am7go
Part of the settlement includes a corrective action plan that requires Affinity to try to retrieve all the old copiers it has ever returned under leases so that PHI may be properly destroyed. The agreement and CAP are available on the HHS OCR Web site at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/affinity-agreement.html
Also included in the news release was additional information on copier compliance:
• For more information on safeguarding sensitive data stored in the hard drives of digital copiers: http://business.ftc.gov/documents/bus43-copier-data-security.
• The National Institute of Standards and Technology has issued guidance on media sanitation: http://csrc.nist.gov/publications/drafts/800-88-rev1/sp800_88_r1_draft.pdf.
• OCR offers free training on compliance with the HIPAA Privacy and Security Rules for continuing medical education credit at http://www.medscape.org/sites/advances/patients-rights.
Australian Defence Signals Directorate Releases Security Guides
In July 2013, the Australian Defence Signals Directorate released information security advice that is useful for healthcare security professionals to consider as they discover and plan for mitigation of information security risks. One of the guides, Top 4 Strategies to Mitigate Targeted Cyber Intrusions, available at http://www.dsd.gov.au/infosec/top-mitigations/top-4-strategies-explained.htm provides ways to eliminate 85% of all threats. Another of the guides focuses on Assessing Security Vulnerabilities and Patches, and is available at http://www.dsd.gov.au/publications/csocprotect/assessing_security_vulnerabilities_and_patches.htm. A third guide, released in April of 2013, discusses Additional Security Considerations and Controls for Virtual Private Networks; see http://www.dsd.gov.au/publications/csocprotect/addtional_security_considerations_and_controls_for_vpn.htm. These guides are written for the use of all levels of the Australian government but are compact, easy to understand, and provide a great foundation for security. All of the guides are available on the Web pages listed above, and as downloadable .pdf files on those pages.
WellPoint Gets $1.7 million Settlement for Insecure Database
On July 11, 2013, the US Department of Health and Human Services announced that the managed care company WellPoint, Inc. has agreed to a $1.7 million settlement to resolve HIPAA Privacy and Security Rule potential violations regarding weaknesses in an online application database. WellPoint did not have good access control policies and procedures in place, did not do a technical evaluation of a software upgrade, and did not have technical safeguards to verify the identity of those accessing the database. 612,402 individuals were affected by the breach, which took place in 2010.
Potential violations like this are easily prevented if a good information security management process is instituted. The Press Release can be found on the HHS News page: http://www.hhs.gov/news/press/2013pres/07/20130711b.html and the Resolution Agreement can be found on the OCR website at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/wellpoint-agreement.html.
NIST Releases Revised Guidelines for Mobile Device Security
On June 24, 2013, the National Institute of Standards and Technology announced the final release of Special Publication (SP) 800-124 Revision 1, Guidelines for Managing the Security of Mobile Devices in the Enterprise. The purpose of the guide is to help organizations centrally manage and secure mobile devices against a variety of threats, providing recommendations for selecting, implementing, and using centralized management technologies, and explaining the security concerns inherent in mobile device use. The scope of SP 800-124 Revision 1 includes securing both organization-provided and personally-owned (bring your own device) mobile devices. The guidelines are available at http://csrc.nist.gov/publications/PubsSPs.html#800-124
Shasta Regional Medical Center Settles HIPAA Case for $275K
In a June 14, 2013 announcement, the US Department of Health and Human Services let it be known that there is no such thing as an implied authorization for release of PHI. Officials at Shasta Regional Medical Center discussed a patient's PHI with staff and the press following a disclosure to the press by the patient. Even when the patient has released the same information, an authorization must be given for the covered entity to release the information.
The settlement includes $275,000 and a Corrective Action Plan covering all facilities of the organization. The Press Release can be found at: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/shasta-agreement-press-release.html and the Resolution Agreement can be found on the OCR website at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/shasta-agreement.pdf
New Unofficial HIPAA Combined Rule Issued by HHS OCR
On June 13, 2013, the US Department of Health and Human Services Office for Civil Rights released an updated Combined Regulation Text of All Rules pertaining to HIPAA, including the Omnibus Update and the June 7 Technical Corrections. This combined rule document is now the go-to source for HIPAA regulations. (It is referred to as an unofficial document because the only official rule is what is published in the Federal Register.) The new combined rule is at: http://www.hhs.gov/ocr/privacy/hipaa/administrative/combined/index.html
Technical Corrections Issued for Omnibus Update Regulations
On June 7, 2013, technical corrections to the HIPAA Omnibus update were issued by the US Department of Health and Human Services Office for Civil Rights. The corrections, mostly minor typos and such, do clarify several internal references and should be used together with the Omnibus update rule and the prior unofficial 2006 combined rule published by HHS OCR to define the current HIPAA rules.
The technical corrections are available in PDF Federal Register format at http://www.gpo.gov/fdsys/pkg/FR-2013-06-07/pdf/2013-13472.pdf , the Omnibus update is at http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf and the 2006 unofficial (non-Federal Register) combined rule is at http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/adminsimpregtext.pdf . It is hoped that HHS OCR will release a new unofficial combined rule including all the HITECH modifications and technical corrections sooner than later.
Idaho State University Settles HIPAA Security Case for $400K
At the close of the first day of the annual NIST-OCR HIPAA Security conference in Washington, DC, just in time for OCR Director Leon Rodriguez to discuss in his day-two keynote address, HHS released information about a new $400,000 settlement for HIPAA Security Rule violations, this time related to a breach of records of 17,500 patients at ISU's Pocatello Family Medicine Clinic, caused by some server firewalls' being disabled for most of a year, and lack of a real Risk Analysis and system activity reviews that could have prevented or limited the breach, among other violations. The press release is available at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/isu-agreement-press-release.html.html and the Resolution Agreement is available at: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/isu-agreement.pdf
New HHS HIPAA Educational Tools for Consumers, Providers
On April 30, 2013, the US Department of Health and Human Services Office for Civil Rights announced new tools to educate consumers and providers about the HIPAA Privacy and Security Rules. See http://www.hhs.gov/ocr/privacy
OCR has posted a series of fact sheets for consumers, available in eight languages, about cpmsumer rights under the HIPAA Privacy Rule,on OCR’s website at: http://www.hhs.gov/ocr/privacy/hipaa/understanding/consumers
The fact sheets compliment a set of seven videos released earlier this year on OCR’s YouTube channel. A video on The HIPAA Security Rule, has been designed for providers in small practices and offers an overview of how to establish basic safeguards to protect patient information and comply with the Security Rule’s requirements. The videos are available on the HHS OCR YouTube Channel at http://www.youtube.com/user/USGovHHSOCR
OCR has also launched three modules for health care providers that offer free Continuing Medical Education (CME) credits for physicians and Continuing Education (CE) credits for health care professionals, on compliance with various aspects of the HIPAA Privacy and Security Rules, available at Medscape.org:
• Patient Privacy: A Guide for Providers
• HIPAA and You: Building a Culture of Compliance
• Examining Compliance with the HIPAA Privacy Rule
Reports on Breaches Show Weaknesses, Identity Theft
In addition to the Verizon report noted in the story below, additional reports have been released looking at data breaches and healthcare information. In a new study, Ponemon Institute surveyed a sample of privacy and compliance leaders in various organizations about their expectations of having a breach, their breach prevention practices, and their data breach response plan, and found that among healthcare organizations, 94% had had a breach in the last two years, 39% had no breach response plan, and only 19% were equipped to determine the size or causes of breaches. The report is available at: http://www.experian.com/data-breach/readiness-survey.html
Separately, analysis by Javelin Strategy and Research on the results of the massive Utah PHI breach in 2012 that affected 780,000 people found that 25% of all affected individuals had suffered identity theft, and that costs of the incident, caused by a simple but entirely preventable human error, approach a total of over $400 million. The analysis is available at: https://www.javelinstrategy.com/blog/2013/04/28/financial-pain-ensues-when-custodians-of-health-fail-to-be-good-stewards-of-privacy/
2013 Verizon Data Breach Investigations Report Released
On April 23, 2013, the Verizon 2013 Data Breach Investigations Report was released, describing the security threat landscape and characteristics of breaches over the last year. The report includes information about 621 confirmed data breaches as well as more than 47,000 reported security incidents that were investigated by Verizon and 18 of its global partners, including law enforcement.
Probably the most damning statistic is that the vast majority of breaches are discovered by someone other than the entity having the breach. As always, if you are serious about security, you need to review this annual report.
The report is at: http://www.verizonenterprise.com/DBIR/2013/ and a related story in GovInfoSecurity.com is at: http://www.govinfosecurity.com/interviews/verizon-report-ddos-broad-threat-i-1892
NIST/OCR HIPAA Security Conference Announced: May 21-22
The National Institute of Standards and Technology (NIST) and the Department of Health and Human Services (HHS), Office for Civil Rights (OCR) are co-hosting the 6th annual conference Safeguarding Health Information: Building Assurance through HIPAA Security on May 21 & 22, 2013 at the Ronald Reagan Building and International Trade Center in Washington, D.C., exploring the current health information technology security landscape and the HIPAA Security Rule, and highlighting the present state of health information security, and practical strategies, tips and techniques for implementing the HIPAA Security Rule.
Presentations will cover a variety of topics including the Omnibus HIPAA/HITECH Final Rule, identity management, strengthening cybersecurity in the health care sector, integrating security safeguards into health IT, managing insider threats, securing mobile devices, and more. Participants can choose to participate on-site, or through a live web cast. Lunch and refreshments are included in the on-site registration fee and all registrations include access to archived webcast presentations and materials.
Visit the conference web page for more information and registration: http://www.nist.gov/itl/csd/2013-hipaa-conference.cfm
HHS to Survey Entities Receiving a 2012 HIPAA Audit; New Audit Effort to Begin in FY 2014, beginning October 1, 2013
On March 19, 2013, the US Department of Health and Human Services announced it will be surveying those entities subjected to the random audit program in 2012, to help design the revised HIPAA random audit program, now slated to restart in the next Federal Fiscal Year, which begins October 1, 2013, barely a week after the new HIPAA rules go into effect.
The announcement is available at https://www.federalregister.gov/articles/2013/03/19/2013-06281/agency-information-collection-activities-proposed-collection-public-comment-request
A story on the announcement in Health Data Management is available at http://www.healthdatamanagement.com/news/hipaa-privacy-security-breach-notification-enforcement-45853-1.html and in iHealthBeat at http://www.ihealthbeat.org/articles/2013/3/19/ocr-seeks-input-on-survey-of-hipaa-audit-program-participants.aspx
HHS OCR Hiring Staff for HIPAA Enforcement Activity
On February 27, 2013, the US Department of Health and Human Services (DHHS) Office for Civil Rights (OCR) Office of the Deputy Director Health Information Privacy (ODDHIP) announced several job positions, since closed March 12, seeking experience in privacy and security compliance and enforcement as well as in the areas of policy, outreach, and health information technology systems. The OCR Division of Health Information Privacy enforces the HIPAA Privacy and Security Rules and the confidentiality provisions of the Patient Safety and Quality Improvement Act.
It is unknown what impact the Sequester will have on these positions, but the indication is clear that HIPAA enforcement activity will be on the increase.
H-P Print Server Software Vulnerable to Attack by Hackers
A story published January 23, 2013 on the Information Week Web site indicates that any printers using H-P JetDirect print server software may be hacked to allow access to copies of documents previously printed, among other vulnerabilities. The software is used by many printer manufacturers, not only H-P.
Users of printers that use JetDirect should ensure they have applied all patches issued and work with vendor support to find ways to delete copies of printed documents until new patches are developed by H-P. The article is at: http://www.informationweek.com/security/vulnerabilities/security-flaws-leave-networked-printers/240146805
HIPAA Business Associate Agreement Language Updated
On January 25, 2013, the US Department of Health and Human Services updated on its Web site the sample language for Business Associate Agreements meeting the requirements of the new final HIPAA rule, published the same day. While the language should always be finalized by your own attorney, the sample language does show the required elements any agreement should contain. The sample language is available at the same address as the old sample language: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html
HIPAA Final Omnibus Rule Finally Released, Major Changes
On January 17, 2013, the US Department of Health and Human Services released the new final HIPAA rule for all the HITECH Act changes (and more, with the exception of the proposed Accounting of Disclosures changes). The rule will be published January 25, 2013 in the Federal Register, go into effect 60 days later and are enforceable by September 23, 2013.
Significant changes from the proposed and interim final rules include allowing Business Associate Agreements using the old language before the publication date of the rule (not the effective date, as proposed) to be able to have 18 months to update the agreement to the new rules.
Also significant is the elimination of the "Harm Standard" in the Breach Notification Rule, replaced with a risk assessment to determine if there is a "low probability of compromise" of the data.
The changes from the current and proposed rules are significant and will be discussed in further detail over the coming weeks. The Rulemaking announced January 17, 2013 may be viewed as a PDF and in the Federal Register at https://www.federalregister.gov/articles/2013/01/25/2013-01073/hipaa-privacy-security-enforcement-and-breach-notification-rules. The HHS Press Release is at: http://www.hhs.gov/news/press/2013pres/01/20130117b.html.
HIPAA Settlement for Laptop Breach at Idaho Hospice Agency
The Hospice of North Idaho (HONI) has agreed to pay the U.S. Department of Health and Human Services’ (HHS) $50,000 to settle potential violations of the HIPAA Security Rule. An unencrypted laptop computer containing the electronic protected health information of 441 patients had been stolen, and OCR discovered that HONI had not conducted a risk analysis to safeguard ePHI and did not have in place policies or procedures to address mobile device security.
From the press release: “This action sends a strong message to the health care industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients’ health information.” said OCR Director Leon Rodriguez. “Encryption is an easy method for making lost information unusable, unreadable and undecipherable.”
Here's the link to the HHS OCR news release on the settlement, with links to the agreement, and to guidance on how to protect mobile data: http://www.hhs.gov/news/press/2013pres/01/20130102a.html