Privacy, Security, and Compliance News

HIPAA Limits on Teleconferencing Relaxed for the Pandemic

On March 17, 2020, the HHS Office for Civil Rights announced the relaxation during the national health emergency of HIPAA rules on security, encryption, and teleconferencing, to make it easier for medical providers to adopt remote technology in response to the Coronavirus pandemic.  Non-public-facing services, such as Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, or Skype, may be used during the emergency, even if they are not established as HIPAA Business Associates.

HHS also listed a number of services that do meet HIPAA requirements and are willing to sign a HIPAA BAA, including Skype for Business, Updox, VSee, Zoom for Healthcare, and Google G Suite Hangouts Meet.  Public-facing services, such as Facebook Live, Twitch, TikTok, and similar video communication applications should NOT be used.

Personally, I’d say adopt one of the secure services under a BAA now, and you won’t have to switch later when the emergency is over.  Once you start using it, you won’t want to stop.

The announcement is available at:  

The announcement was augmented by the issuance on March 20 of a set of Frequently Asked Questions about the relaxation.  The FAQs on telehealth remote communications may be found at: 

The press release on telehealth remote communications may be found at:

For more information on HIPAA and COVID-19, see OCR’s February 2020 Bulletin: 

NIST Releases Final Draft of Revision 5 of SP 800-53 Controls

On March 16, 2020, the National Institute of Standards and Technology released a final public draft of Revision 5 of Special Publication 800-53, Security and Privacy Controls for Information Systems and Organizations, which now includes the NIST Cybersecurity and Privacy control frameworks and a host of revisions and expansions.  If you’re in information privacy and security, you need to review this and get any comments in by the deadline of May 15, 2020.  If you’re working from home now, spend the time you used to use to commute to look this over — this is a major update.  See the announcement and all the details at:  

Breach + No Risk Analysis Before or After = $100K Settlement

On March 3, 2020, the practice of Steven A. Porter, M.D., a provider of gastroenterological services to over 3,000 patients per year in Ogden, Utah, agreed to pay $100,000 to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) and to adopt a two-year corrective action plan to settle a potential violation of the HIPAA Security Rule.  From the announcement:

“OCR began investigating Dr. Porter’s medical practice after it filed a breach report with OCR related to a dispute with a business associate.  OCR’s investigation determined that Dr. Porter had never conducted a risk analysis at the time of the breach report, and despite significant technical assistance throughout the investigation, had failed to complete an accurate and thorough risk analysis after the breach and failed to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.”

Once again, if HHS OCR advises you to do something, don’t ignore them. 

The resolution agreement and corrective action plan may be found at:

Court Invalidates Release of PHI to Third Parties Under Rules for Release to Individuals

On January 28, 2020, the US Department of Health and Human Services announced changes in the enforcement of the individual access of information rules, pursuant to a court decision limiting the application of the rules on format and costs.  This is not a simple change, so here goes…

  • Individuals still have the right to get copies of records, paper or electronic, sent to them directly, with costs limited to the individual access request fees.
  • Individuals have the right to request electronic records be sent to a third party, but without the cost limitations under the individual access rules.
  • Individuals can allow a disclosure of paper or electronic records to a third party using a HIPAA Authorization, without cost limitations.

Here is the HHS Announcement:  

Comment: This is a step backward that sets up a hurdle for patients who want to share their records with other parties, such as providers, but at least the patients do still have the right to ask for records in the form or format they wish, for a cost-based fee, which they can then pass on to others as they see fit.  In my view it’s an absurd limitation that will likely be changed by the Data Blocking regulations.  It’s time for healthcare to grow up and stop making it hard for people to access and share their records as they see fit.  It’s a national shame.  My two cents.

Also see the article in Health and IT Security at:  And a great analysis by the Nixon Peabody law firm:  

NIST Releases Draft of Ransomware Guidance SP 1800-26

On January 28, 2020, the National Cybersecurity Center of Excellence (NCCoE) released a draft of National Institute of Standards and Technology (NIST) Cybersecurity Special Publication 1800-26, Detecting and Responding to Ransomware and Other Destructive Events, for public comment. 

This practice guide can benefit executives, Chief Information Security officers, system administrators, or those who have a stake in protecting their organizations' data, privacy, and overall operational security.  The NCCoE released the full draft which comprises the following volumes:
• SP 1800-26A: Executive Summary (PDF)
• SP 1800-26B: Approach, Architecture, and Security Characteristics (PDF)
• SP 1800-26C: How-To-Guides (PDF)

The project includes the development of a reference design and uses commercially available technologies to develop an example solution.  The project focuses on detailed methods and potential tool sets that can detect, mitigate, and contain data integrity events in an enterprise network.  It also identifies tools and strategies to aid in a security team’s response to such events.

The comment period closes on February 26, 2020.  To see the announcement, with a summary and links to the Draft and the e-mail address for comments, see:  

Lost Laptop + Noncompliance + Ignoring OCR Advice = $65,000

On December 30, 2019, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services announced West Georgia Ambulance, Inc. agreed to pay $65,000 and to adopt a corrective action plan, including two years of monitoring, to settle potential HIPAA Security Rule violations.

West Georgia filed a breach report in 2013 following the loss of an unencrypted laptop containing the PHI of 500 individuals. OCR’s investigation uncovered long-standing noncompliance with the HIPAA Rules, including failures to conduct a risk analysis, provide a security awareness and training program, and implement HIPAA Security Rule policies and procedures. According to the OCR Press Release, despite OCR’s investigation and technical assistance, West Georgia did not take meaningful steps to address their systemic failures.

The resolution agreement and corrective action plan may be found at

HHS and Dept. of Ed. Issue Updated Guidance re HIPAA, FERPA

On December 19, 2019, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services issued Updated Joint Guidance on Privacy and Student Education and Health Records, addressing the application of the Family Educational Rights and Privacy Act (FERPA) and the HIPAA Privacy Rule to records maintained on students. 

The guidance, which was first issued in November 2008, clarifies how FERPA and HIPAA apply to education and health records maintained about students.  The revised guidance includes additional frequently asked questions and answers addressing when a student’s health information can be shared without the written consent of the parent or eligible student under FERPA, or without written authorization under the HIPAA Privacy Rule, especially in connection with health and safety emergency situations.  Topics include:

  • When can protected health information (PHI) or personally identifiable information from an education record (PII) be shared with the parent of an adult student?
  • What options do family members of an adult student have under HIPAA if they are concerned about the student’s mental health and the student does not agree to disclosures of their PHI?
  • Does HIPAA allow a covered health care provider to disclose PHI about a minor with a mental health condition or substance use disorder to the minor’s parents?
  • When can PHI or PII be shared about a student who presents a danger to self or others? 
  • Under FERPA, can an educational agency or institution disclose, without prior written consent, PII from a student’s education records, including health records, to the educational agency’s or institution’s law enforcement officials?
  • Does FERPA permit an educational agency or institution to disclose, without prior written consent, PII from a student’s education records to the National Instant Criminal Background Check System (NICS)?

The joint guidance may be viewed at: 

Another Access of Records HIPAA Settlement for $85,000

On December 12, 2019 the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services announced its second enforcement action and settlement under its HIPAA Right of Access Initiative.  Korunda Medical, LLC, a Florida-based company that provides comprehensive primary care and interventional pain management, has agreed to take corrective actions and pay $85,000 to settle a potential violation of HIPAA's right of access provision. 

In March of 2019, OCR received a complaint concerning a Korunda patient alleging that, despite repeatedly asking, Korunda failed to forward a patient's medical records in electronic format to a third party.  Korunda also failed to provide them in the requested electronic format, and charged more than the reasonable cost-based fees allowed under HIPAA. OCR provided Korunda with technical assistance on how to correct these matters, but Korunda continued to fail to provide the requested records, resulting in another complaint to OCR. As a result of OCR's second intervention, the requested records were provided for free in May 2019, and in the format requested.

"For too long, healthcare providers have slow-walked their duty to provide patients their medical records out of a sleepy bureaucratic inertia. We hope our shift to the imposition of corrective actions and settlements under our Right of Access Initiative will finally wake up healthcare providers to their obligations under the law," said Roger Severino, OCR Director.

The resolution agreement and corrective action plan may be found at:

What is PHI?  Get it wrong = $2.175 million Breach Settlement

On November 27, 2019, HHS OCR announced a $2.175 Million HIPAA Settlement after Sentara Hospitals, comprised of 12 acute care hospitals with more than 300 sites of care throughout Virginia and North Carolina, failed to properly notify HHS of a breach of unsecured PHI.

Sentara mailed 577 patients’ PHI to wrong addresses, including patient names, account numbers, and dates of services.  Sentara reported this incident as a breach affecting 8 individuals, because Sentara concluded, incorrectly, that unless the disclosure included patient diagnosis, treatment information or other medical information, no reportable breach of PHI had occurred.  Sentara persisted in its refusal to properly report the breach even after being explicitly advised of their duty to do so by OCR. OCR also determined that Sentara failed to have a business associate agreement in place with Sentara Healthcare, an entity that performed business associate services for Sentara.

In addition to the monetary settlement, Sentara will undertake a corrective action plan that includes two years of monitoring. The resolution agreement and corrective action plan may be found at

Exposure of 6,617 Records = $1.6 million Fine for Texas Agency

Well, the hits just keep on comin’!  On November 7, 2019, the HHS Office for Civil Rights (OCR) announced a $1,600,000 civil money penalty (not a settlement, a fine) against the Texas Health and Human Services Commission (TX HHSC), for HIPAA violations between 2013 and 2017. TX HHSC operates state supported living centers; provides mental health and substance use services; regulates child care and nursing facilities; and administers hundreds of programs for people who need assistance, including supplemental nutrition benefits and Medicaid. 

On June 11, 2015, a breach report was filed with OCR stating that the electronic PHI of 6,617 individuals was viewable over the internet. The breach was a result of a flawed migration to a new server, lack of risk analysis, and lack of adequate audit controls, such that the number of accesses of the information was unknown. The Notice of Proposed Determination and Notice of Final Determination may be found at:

Unencrypted Mobile Devices (Again) Lead to $3 Million Penalty

On November 5, 2019, the U.S. Department of Health and Human Services Office for Civil Rights announced The University of Rochester Medical Center (URMC) has agreed to pay $3 million and take substantial corrective action to settle potential violations of the HIPAA Privacy and Security Rules.  From the press release...

  • URMC filed breach reports with OCR in 2013 and 2017 following its discovery that protected health information (PHI) had been impermissibly disclosed through the loss of an unencrypted flash drive and theft of an unencrypted laptop, respectively. OCR's investigation revealed that URMC failed to conduct an enterprise-wide risk analysis; implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level; utilize device and media controls; and employ a mechanism to encrypt and decrypt electronic protected health information (ePHI) when it was reasonable and appropriate to do so. 
  • Of note, in 2010, OCR investigated URMC concerning a similar breach involving a lost unencrypted flash drive and provided technical assistance to URMC. Despite the previous OCR investigation, and URMC's own identification of a lack of encryption as a high risk to ePHI, URMC permitted the continued use of unencrypted mobile devices.

Whoops!  Lessons not learned lead to big penalties!  As OCR Director Roger Severino says, “When covered entities are warned of their deficiencies, but fail to fix the problem, they will be held fully responsible for their neglect.”

See the settlement at:

Miami Hospital Pays a $2.15 million Fine for Several Violations

On October 23, 2019, the U.S. Department of Health and Human Services Office for Civil Rights announced the imposition of a civil money penalty of $2,154,000 against Jackson Health System (JHS) for violations of HIPAA Security and Breach Notification Rules between 2013 and 2016. JHS is a nonprofit academic medical system based in Miami, Florida.

On August 22, 2013, JHS submitted a breach report to OCR stating that it had lost paper records containing the PHI of 756 patients in January 2013. JHS's internal investigation determined that an additional three boxes of patient records had also been lost in December 2012; however, JHS did not report the additional loss, which raised the number of individuals affected to 1,436, until June 7, 2016.

In July 2015, OCR initiated an investigation following a media report that disclosed the PHI of a JHS patient. A reporter had shared a photograph of a JHS operating room screen containing the patient's medical information on social media. JHS subsequently determined that two employees had accessed this patient's electronic medical record without a job-related purpose.

On February 19, 2016, JHS submitted a breach report to OCR reporting that an employee had been selling patient PHI. The employee had inappropriately accessed over 24,000 patients' records since 2011.

Lessons here: OCR's investigation revealed that JHS failed to 1) provide timely and accurate breach notification to the Secretary of HHS, 2) conduct enterprise-wide risk analyses, 3) manage identified risks to a reasonable and appropriate level, 4) regularly review information system activity records, and 5) restrict authorization of its workforce members' access to patient ePHI to the minimum necessary to accomplish their job duties.

JHS waived its right to a hearing and did not contest the findings, and has paid the full civil money penalty.  "OCR's investigation revealed a HIPAA compliance program that had been in disarray for a number of years," said OCR Director Roger Severino.  See:  

No, You Can’t Post PHI on Social Media - Dentist Hit for $10K

On October 2, 2019, the U.S. Department of Health and Human Services Office for Civil Rights settled with Elite Dental Associates for $10,000 and a Corrective Action Plan to Settle Social Media Disclosures of Patients’ Protected Health Information.  

On June 5, 2016, OCR received a complaint from an Elite patient that Elite had responded to a social media review by disclosing the patient’s name and details of the patient’s health condition.  OCR’s investigation found that Elite had impermissibly disclosed the PHI of multiple patients in response to patient reviews on the Elite Yelp review page, and did not have a policy and procedure regarding disclosures of PHI to ensure that its social media interactions protect the PHI of its patients or a Notice of Privacy Practices that complied with the Privacy Rule.  OCR accepted a substantially reduced settlement amount in consideration of Elite’s size, financial circumstances, and cooperation with OCR’s investigation.

“Social media is not the place for providers to discuss a patient’s care,” said OCR Director, Roger Severino.  “Doctors and dentists must think carefully about patient privacy before responding to online reviews.”  Well said!

The resolution agreement and corrective action plan may be found at:

HHS Settles Individual Access of Records Case for $85K

On September 9, 2019, the U.S. Department of Health and Human Services announced its first enforcement action and settlement in its Right of Access Initiative, wherein Bayfront Health St. Petersburg (Bayfront) has paid $85,000 to OCR and has adopted a corrective action plan to settle a potential violation of the HIPAA right of access provision, after Bayfront failed to provide a mother timely access to records about her unborn child.  

In addition to the monetary settlement, Bayfront will undertake a corrective action plan that includes one year of monitoring by OCR. The resolution agreement and corrective action plan may be found at:

This settlement is long in coming and signals that HHS is actually serious about the issue of records access, finally.  This is a wake-up call: no more dilly-dallying in responding to patient requests for records!

AHIMA Updates Guidelines for Cybersecurity Planning

In August 2019, the American Health Information Management Association (AHIMA) published an updated version of their document, AHIMA Guidelines: The Cybersecurity Plan, providing a seventeen-step list of tasks to perform in completing a cybersecurity plan, from conducting a risk analysis to discussing cybersecurity issues with senior management.  Whether or not you follow this process strictly, it does present a good set of questions and issues to be considered in establishing and maintaining any information cybersecurity program.  See:  

Updates Proposed for 42 CFR Part 2 Rules to Improve Care

On August 22, 2019, the US Department of Health and Human Services announced proposed changes to the rules under 42 CFR Part 2, including changes for clarification of when the rules apply, the definition of “records”, access of central registries (such as prescription drug monitoring programs), generalization of some consents, clarification of allowable disclosures for payment and operational purposes, better research alignment with HIPAA and the Common Rule, and rules on how Part 2 program staff’s personally owned devices must be cleared of any Part 2 data, including texts and e-mail messages.  The NPRM is available at now, and will be published in the Federal Register on August 26, where it will be available at  

The HHS 42 CFR Part 2 Proposed Rule Fact Sheet outlining the changes is available at

There is a summary article on the proposed rule in Modern Healthcare at

New York State SHIELD Act Changes the Game for Breach Notification

On July 25, 2019, New York Governor Cuomo signed into law the Stop Hacks and Improve Electronic Data Security Act (the “SHIELD Act”), which amends New York State's current data breach notification law, and breaks new ground by imposing substantive data security requirements on businesses that own or lease the Private Information of New York residents, regardless of whether the businesses otherwise conduct business in New York State.

In addition, the SHIELD Act requires HIPAA covered entities to report to the New York State Attorney General any breaches that must be reported to HHS, even if the data at issue does not count as Private Information under New York's breach notification law, and apparently even if the information subject to HIPAA breach reporting was not in electronic form. 

The SHIELD Act's breach notification provisions take effect on October 23, 2019, and the new data security requirements take effect on March 21, 2020.  The Act is available at and an article discussing the act by the firm Proskauer Rose is available at  

New NIST Guide re: Mobile Devices (Corporate-owned, Personally-enabled, or COPE)

NIST’s National Cybersecurity Center of Excellence (NCCoE) has released Draft NIST Special Publication (SP) 1800-21, Mobile Device Security: Corporate-Owned Personally-Enabled (COPE), for public comment. The comment period ends September 23, 2019.

Mobile devices bring unique threats to the enterprise that need to be addressed in a manner distinct from traditional desktop platforms. This includes securing against different types of network-based attacks on devices that generally have an always-on connection to the internet, malicious or risky apps that compromise the data that devices can access, and phishing attempts that try to collect user credentials or entice a user to install software. Additionally, this guide addresses how to reduce risks to individuals through privacy protections.

New Webinar Dates: HHS Security Risk Assessment Tool Overview and User Feedback Session

The hastily announced Webinar for the updated HHS HIPAA Security Risk Assessment Tool has had two more sessions added.  The additional sessions will be on July 30th, from 3:30 to 5:30 PM, and on August 15th, 1:00 to 3:00 PM.  Let it be said, I don’t think much of the tool, but I’ll be watching the July 30 session myself, to see if it’s been improved and hopefully learn something new.  The sessions are available at: 
• July 30th at 3:30 – 5:30 PM EDT:
• August 15th at 1:00 – 3:00 PM EDT:

HHS Announces FAQs re Uses and Disclosures for Care Coordination and Continuity of Care

On June 26, 2019, the Office for Civil Rights at the U.S. Department of Health and Human Services issued a frequently asked question (FAQ) document that clarifies how the HIPAA Privacy Rule permits health plans to share protected health information (PHI) in a manner that furthers the HHS Secretary's goal of promoting coordinated care.  The FAQ explains when and how one health plan can share PHI about individuals in common with a second health plan for care coordination purposes under the Privacy Rule.

HHS Announces 2019 NIST/OCR HIPAA Security Conference

On June 25, 2019, the US Department of Health and Human Services Office for Civil Rights announced the 2019 OCR/NIST Conference: Safeguarding Health Information: Building Assurance through HIPAA Security, to be held October 16, 2019 to October 17, 2019 at the Washington Marriott at Metro Center, 775 12th St NW, Washington, DC 20005.  The conference, the only one I go to every year, focuses on the key healthcare information security issues and provides access to the leaders in the area.  Attendance is available in person or by Webcast.  For more information, see:  

HHS Issues Guide to BA Enforcement Liability Under HIPAA

On May 24, 2019, the US Department of Health and Human Services Office for Civil Rights issued a guide to the direct enforcement liabilities of Business Associates under the HIPAA regulations, detailing the specific rules under which Business Associates must operate.  There are no surprises, just a straightforward list of ten categories of things that can land a Business Associate in hot water, including one big category for “Failure to comply with the requirements of the Security Rule” and one for “Impermissible Uses and Disclosures of PHI”.  It’s a handy list to refer to, available at:  Also see the starting page for Business Associate guidance at:  

No Risk Analysis + Breach of up to 3.5m Records = $100K

On May 23, 2019, the US Department of Health and Human Services Office for Civil Rights announced an enforcement settlement agreement with an Indiana medical records service, Medical Informatics Engineering, Inc. (MIE).  On July 23, 2015, MIE filed a breach report with OCR following discovery that hackers used a compromised user ID and password to access the electronic protected health information (ePHI) of approximately 3.5 million patients. OCR’s investigation revealed that MIE did not conduct a comprehensive risk analysis prior to the breach.  (Oops!)  The settlement includes a $100,000 payment and adoption of a corrective action plan.  See:  

Misconfigured FTP = Breach of 300K Records = $3 Million Penalty

On May 6, 2019, the US Department of Health and Human Services announced Touchstone Medical Imaging (“Touchstone”) has agreed to pay $3,000,000 to the HHS Office for Civil Rights (OCR), and to adopt a corrective action plan to settle potential violations of the HIPAA Security and Breach Notification Rules.  An insecure FTP server allowed access to PHI, which was indexed by search engines and remained accessible on the internet even after the server was taken offline.  

Touchstone initially claimed there had been no exposure, but later relented, and a belated investigation showed otherwise; breach notification was therefore also untimely.  No Risk Analysis had been performed, and no Business Associate Agreement was established with their IT vendor or data center.  In addition to the monetary settlement amount, a robust corrective action plan is called for.

The HHS Press Release is available at:  and the resolution agreement and corrective action plan are at 

HHS Revises Maximum Annual HIPAA Penalty Amounts

On April 26, 2019, the US Department of Health and Human Services announced, in a notice of enforcement discretion, revisions to the maximum penalty level for the various tiers of violations under HIPAA, to match the language in the HITECH Act more accurately.  

Instead of applying a maximum of $1.5 million for all violations of a similar type in a single year regardless of the penalty tier applied, there is a new set of annual maximum penalties, with a different annual maximum for each tier: 

• Tier 1 (no knowledge): $100-$50,000 per violation, capped at $25,000 per year the issue persisted
• Tier 2 (reasonable cause): $1,000-$50,000 per violation, capped at $100,000 per year the issue persisted
• Tier 3 (willful neglect, corrected): $10,000-$50,000 per violation, capped at $250,000 per year the issue persisted
• Tier 4 (willful neglect, not corrected): $50,000 per violation, capped at $1.5 million per year the issue persisted

The goal is to tie the maximums to the “level of culpability” involved in a violation, as the HITECH Act intended; the Act’s language had previously been interpreted differently because of an ambiguity in its wording.

The notice is available in the Federal Register of April 30, at:  

In addition, in October of 2018 HHS announced Cost-Of-Living-Adjustments to the penalty amounts, resulting in a new table of penalties:

• Tier 1 (no knowledge): $114-$57,051 per violation, capped at $28,525 per year the issue persisted
• Tier 2 (reasonable cause): $1,141-$57,051 per violation, capped at $114,102 per year the issue persisted
• Tier 3 (willful neglect, corrected): $11,182-$57,051 per violation, capped at $285,255 per year the issue persisted
• Tier 4 (willful neglect, not corrected): $57,051 per violation, capped at $1,711,522 per year the issue persisted

For an excellent summary of the implications of the changes, see Kim Stanger’s article at:  

MD Anderson Seeks Injunction Against $4.3 Million HIPAA Fine

An April 23, 2019 article published by the Journal of AHIMA reported that the MD Anderson Cancer Center, having lost its appeal to an Administrative Law Judge, is further appealing the decision and seeks an injunction against their fine for mistreatment of PHI related to research.  This seems like a colossal waste of money that ought to go to health care instead — let’s just say the legal experts are skeptical of their case, as it relies on a number of hard-to-accept arguments.  I don’t know why they are listening to anyone who recommends going down this futile path.  See the article about how foolish you can be, IMHO, at:  

HHS Issues Guidance on HIPAA and 3rd Party Apps

On April 22, 2019, HHS posted guidance on the use of 3rd Party Apps and health information under HIPAA.  The guidance clarifies the rules around, and provides examples of, the use of 3rd party Apps for communications with providers, and explains how HIPAA applies.  It all boils down to understanding on whose behalf the use of the App is taking place.  The guidance is available at: and an article on the topic in FierceHealthcare is available at:  

Information Blocking Rule Announced, Finally!

On February 11, 2019, the Office of the National Coordinator for Health Information Technology (ONC) issued a Notice of Proposed Rulemaking to Improve the Interoperability of Health Information, the long awaited “Information Blocking” rule, called for by the 21st Century Cures Act.  From the ONC Web site: “The proposed rule is designed to increase innovation and competition by giving patients and their healthcare providers secure access to health information and new tools, allowing for more choice in care and treatment. It calls on the healthcare industry to adopt standardized application programming interfaces (APIs), which will help allow individuals to securely and easily access structured EHI using smartphone applications.

“The proposed rule places a strong focus on a patient's ability to access their health information through a provision requiring that patients can electronically access all of their EHI (structured and/or unstructured) at no cost. Finally, to further support access and exchange of EHI, the proposed rule implements the information blocking provisions of the Cures Act. The rule proposes seven exceptions to the definition of information blocking.”

It’s about time!  Easy access is absolutely necessary today and it’s a shame we have taken so long to start moving in this direction.  See an article on the topic in Healthcare IT News at:  See the article in FierceHealthcare at:  See the ONC Announcement, with links to the NPRM and several supporting documents (including Summaries of the 7 exceptions to Information Blocking) at:  

Misconfigured Servers Cost Cottage Health $3 million

On February 7, 2019, the Department of Health and Human Services Office for Civil Rights announced a $3 million settlement and a “robust” corrective action plan for Cottage Health for having unsecured servers leading to multiple breaches, affecting a total of 62,500 individuals, and for lacking the risk and technical analyses and business associate agreements as needed.  Cottage Health operates Santa Barbara Cottage Hospital, Santa Ynez Cottage Hospital, Goleta Valley Cottage Hospital and Cottage Rehabilitation Hospital, in California.  Make sure whoever you hire to manage your systems is contracted appropriately and does a good job! And don’t forget, YOU are responsible for your own Risk Analysis.  See:  

HHS Releases Health Industry Cybersecurity Practices Guide

On December 28, 2018 the Department of Health and Human Services released a guide to voluntary cybersecurity practices for healthcare organizations ranging in size from local clinics to large hospital systems.  This is an important product of the section 405d requirements under the Cybersecurity Information Sharing Act of 2015 (CISA).

Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients is a four-volume publication, the result of a two-year public-private partnership between HHS and more than 150 healthcare industry professionals, mandated through CISA.  This is good stuff!  

The guidance is a mixture of highly technical solutions and common sense practices applicable to a wide range of healthcare facilities. The core of the document explores the five most relevant threats to the healthcare industry and recommends 10 cybersecurity practices to mitigate them.  See:  

The set of volumes includes:

  • the report, Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients; 
  • Technical Volume 1: Cybersecurity Practices for Small Health Care Organizations; 
  • Technical Volume 2: Cybersecurity Practices for Medium and Large Health Care Organizations; and
  • Resources and Templates.

A Cybersecurity Practices Assessments Toolkit (Appendix E-1) is under development.

NIST Releases Risk Management Framework Revision 2

On December 20, 2018, the National Institute of Standards and Technology published NIST Special Publication (SP) 800-37 Revision 2, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy, the first NIST publication to address security and privacy risk management in an integrated, robust, and flexible methodology.  For an overview of the seven major objectives of the revision, and an explanation of the new “Prepare” step in the framework, see  and for the new revision, see  

NIST Releases Guidance on Medical Device Security

On December 20, 2018, the National Institute of Standards and Technology released its December 2018 ITL Security Bulletin on the Topic of the Month: Securing Wireless Infusion Pumps, summarizing the information found in NIST SP 1800-8, Securing Wireless Infusion Pumps in Healthcare Delivery Organizations, which discusses the cybersecurity risks associated with medical devices, such as infusion pumps, that can connect to a variety of healthcare systems, networks, and other tools within a healthcare delivery organization.

See: and the PDF version at

For a complete list of ITL Bulletins:

Failure to Terminate Access of Former Employee = $111.4K

I must say I’m astonished to see this one — this is a topic I’ve been harping about for some time now, with the message mostly falling on deaf ears.  But this enforcement action validates my concern.

On December 11, 2018, the pace of HIPAA enforcement actions continued to increase, with the HHS announcement that Pagosa Springs Medical Center (PSMC) agreed to pay $111,400 and adopt a substantial corrective action plan to settle potential HIPAA violations.  PSMC is a critical access hospital that, at the time of OCR’s investigation, provided more than 17,000 hospital and clinic visits annually and employed more than 175 individuals.

The complaint alleged that a former PSMC employee continued to have remote access to PSMC’s web-based scheduling calendar, which contained patients’ electronic PHI, after separation of employment. OCR’s investigation revealed that PSMC impermissibly disclosed the ePHI of 557 individuals to its former employee and to the web-based scheduling calendar vendor without a HIPAA required business associate agreement in place.

Covered entities that do not have or follow procedures to terminate information access privileges upon employee separation risk a HIPAA enforcement action.  Covered entities must also evaluate relationships with vendors to ensure that business associate agreements are in place with all BAs before disclosing PHI.  The resolution agreement and corrective action plan may be found on the OCR website at

Share PHI with Unknown Vendor, No BAA = Breach = $500K

On December 4, 2018, HHS OCR announced that Advanced Care Hospitalists PL (ACH) has agreed to pay $500,000 and to adopt a substantial corrective action plan to settle potential HIPAA violations. ACH provides contracted internal medicine physicians to hospitals and nursing homes in west central Florida.  ACH provided services to more than 20,000 patients annually and employed between 39 and 46 individuals during the relevant timeframe.

Between November 2011 and June 2012, ACH engaged the services of an individual who represented himself to be a representative of a Florida-based company named Doctor’s First Choice Billings, Inc. (First Choice). The individual provided medical billing services to ACH using First Choice’s name and website, but allegedly without any knowledge or permission of First Choice’s owner.

On February 11, 2014, a local hospital notified ACH that patient information was viewable on the First Choice website, including name, date of birth and social security number.  ACH filed a breach notification report with OCR on April 11, 2014, stating that 400 individuals were affected; however, after further investigation, ACH filed a supplemental breach report stating that an additional 8,855 patients could have been affected.

ACH never entered into a business associate agreement with the individual providing medical billing services to ACH, as required by HIPAA, and failed to adopt any policy requiring business associate agreements until April 2014.  Although ACH had been in operation since 2005, it had not conducted a risk analysis or implemented security measures or any other written HIPAA policies or procedures before 2014.

The resolution agreement and corrective action plan may be found on the OCR website at

Allergy Doctor Goes Public With Patient Information = $125K

On November 26, 2018, HHS OCR announced that Allergy Associates of Hartford, P.C. (Allergy Associates), has agreed to pay $125,000 and to adopt a corrective action plan to settle potential HIPAA Privacy Rule violations. Allergy Associates is a health care practice that specializes in treating individuals with allergies, and is comprised of three doctors at four locations across Connecticut.

In February 2015, a patient of Allergy Associates contacted a local television station to speak about a dispute that had occurred between the patient and an Allergy Associates’ doctor. The reporter subsequently contacted the doctor for comment and the doctor impermissibly disclosed the patient’s protected health information to the reporter.

OCR’s investigation found that the doctor’s discussion with the reporter demonstrated a reckless disregard for the patient’s privacy rights and that the disclosure occurred after the doctor was instructed by Allergy Associates’ Privacy Officer to either not respond to the media or respond with “no comment.” Additionally, OCR’s investigation revealed that Allergy Associates failed to take any disciplinary action against the doctor or take any corrective action following the impermissible disclosure to the media.

The resolution agreement and corrective action plan may be found on the OCR website at

Vendor Banned from New Jersey for Role in Breach of PHI

On November 2, 2018, New Jersey Attorney General Gurbir S. Grewal and the New Jersey Division of Consumer Affairs announced a $200,000 settlement with a now-defunct Georgia company responsible for a 2016 security lapse that allowed the public to view online patient records belonging to more than 1,650 individuals treated by doctors associated with Virtua Medical Group (“VMG”), a southern New Jersey network of medical and surgical practices.

The settlement with ATA Consulting LLC, which did business as Best Medical Transcription, and its owner, Tushar Mathur, resolves allegations that the company violated the federal Health Insurance Portability and Accountability Act (“HIPAA”) and the New Jersey Consumer Fraud Act (“CFA”) in connection with a server misconfiguration that publicly exposed the private health information – including the names and medical diagnoses – of up to 1,654 individuals.

In addition to civil penalties and reimbursement of attorneys’ fees and costs, the settlement with Best Medical Transcription permanently bars Mathur from managing or owning a business in New Jersey.

The announcement is available at:  and an article on the settlement in HealthcareITNews is available at:  

Anthem Hit With Huge(?) Penalty: 20 cents per Person = $16M

On October 15, 2018, HHS OCR announced that Anthem, Inc. has agreed to pay $16 million and take substantial corrective action to settle potential violations of HIPAA after a series of cyberattacks led to the largest U.S. health data breach in history and exposed the electronic protected health information of almost 79 million people.  The $16 million settlement eclipses the previous high of $5.55 million paid to OCR in 2016.

Anthem discovered cyber-attackers had infiltrated their system through spear phishing emails sent to an Anthem subsidiary after at least one employee responded to the malicious email and opened the door to further attacks. OCR’s investigation revealed that between December 2, 2014 and January 27, 2015, the cyber-attackers stole the ePHI of almost 79 million individuals, including names, social security numbers, medical identification numbers, addresses, dates of birth, email addresses, and employment information.

In addition to the impermissible disclosure of ePHI, OCR’s investigation revealed that Anthem failed to conduct an enterprise-wide risk analysis, had insufficient procedures to regularly review information system activity, failed to identify and respond to suspected or known security incidents, and failed to implement adequate minimum access controls to prevent the cyber-attackers from accessing sensitive ePHI, beginning as early as February 18, 2014.

The resolution agreement and corrective action plan may be found on the OCR website at

HHS Updates the HIPAA Audit Protocol in July, Tells No One

SURPRISE!  HHS OCR updated the HIPAA Audit Protocol in July 2018.  There was no announcement, and no summary of the changes is provided.  So I began the process of updating my HIPAA Audit Protocol spreadsheet only to discover that the latest posting does not easily copy and paste into a spreadsheet the way the previous one did.  Thanks a lot, HHS!  

Anyway, with a cursory review I don’t see obvious changes, and at the end of next week I’m going to be at the annual NIST/OCR HIPAA Security love fest in Washington, DC, where I can try to find someone from HHS who can say what the difference between the 2016 and 2018 versions is, so I don’t have to spend a day recreating the whole thing again.  (Ugh!)

Anyway, despite the pain, I’m glad a question from a reader revealed to me that they had updated the HIPAA Audit Protocol in some (unknown) way.  How was I expected to hear about it — rumors on the street?  What happened to press releases?  Information?  Oh well…  So here’s the link, and please let me know if you have a summary of the changes!

Update: There are changes in 13 of the questions, mostly in Breach Notification and some in Privacy.  Please let me know if you’d like me to e-mail you a copy of the new 2018 HIPAA Audit Protocol in Excel format.

Busy Time for Medical Device and IoT Security Guidance

In September 2018, NIST presented Draft NISTIR 8228, Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks (available at ), which covers IoT devices used in healthcare settings and is open for comments through October 24, 2018.  See the article in HealthITSecurity at   

On October 1, 2018 the FDA released a playbook for medical device security, developed by MITRE, that can enable healthcare organizations to plan for and respond to cybersecurity incidents involving medical devices.  The MITRE playbook, Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook, Version 1.0, October 2018, is available through and an article on the release in HealthITSecurity is at  A Statement from FDA Commissioner Scott Gottlieb, M.D. on FDA’s efforts to strengthen the agency’s medical device cybersecurity program as part of its mission to protect patients is available at 

In addition, a KLAS/CHIME survey shows providers lack confidence in medical device cybersecurity — is it any wonder?  See the article in Modern Healthcare (registration required) at  Results suggest that the majority of surveyed provider groups attributed security problems to the device manufacturers, especially if the devices can’t be updated or patched, and that the problem is widespread.  

Clearly, it’s time to look at all the various devices and IoT “things” that may need a serious update to protect patient safety and privacy.  This is not a minor issue.

Health Data Access Wizard Simplifies Records Requests

On September 25, 2018, it was announced that fourteen organizations including AHIMA, X4 Health, CareJourney, and CARIN Alliance recently launched a new health IT tool designed to offer users an easier way to request EHR patient data.  The tool is designed to help patients avoid the cumbersome process of filling out paperwork to obtain copies of their EHRs from providers in apps or other secure locations.

The prototype tool is the Health Record Request Wizard, designed to streamline and simplify patient EHR request processes. The Wizard also helps patients receive their EHR data in digital formats.

See the article in EHR Intelligence, at and try out the prototype tool at   

State AGs Take Aim Using HIPAA for Breach Violations

Where HHS Office for Civil Rights has seemed to be slacking off in enforcement recently, state Attorneys General are taking up the slack and issuing penalties for violations of HIPAA and other state laws.  The latest, reported on September 24, 2018, is a settlement by the Massachusetts AG with UMass Memorial for $350,000 for violations of HIPAA, the Consumer Protection Act, and the Massachusetts Data Security Law when they failed to properly protect patients’ information from access by identity thieves even after the activity had been reported.  See the story at:  

Allowing TV Crews Into Boston Hospitals = $1M in Penalties

On September 20, 2018 the Department of Health and Human Services, Office for Civil Rights (OCR) announced that it has reached separate settlements with Boston Medical Center (BMC), Brigham and Women's Hospital (BWH), and Massachusetts General Hospital (MGH) for compromising the privacy of patients’ protected health information (PHI) by inviting film crews on premises to film an ABC television network documentary series, without first obtaining authorization from patients. Collectively, the three entities paid OCR $999,000 to settle potential HIPAA violations.  Each entity will provide workforce training as part of a corrective action plan that will include OCR’s guidance on disclosures to film and media:  

This is the second HIPAA case involving an ABC medical documentary television series, the previous being OCR’s April 16, 2016 settlement with New York-Presbyterian Hospital in association with the filming of “NY Med.”

The respective Resolution Agreements and Corrective Action Plans may be found on the HHS website at:

New Guidance from NIST on Wireless Infusion Pumps

On August 21, 2018, the NIST National Cybersecurity Center of Excellence (NCCoE) published Special Publication (SP) 1800-8, Securing Wireless Infusion Pumps in Healthcare Delivery Organizations.  The title says it all.  If you use wireless infusion pumps or are thinking about using them, best to consult this.  See  

Final NIST SP1800-1 on EHRs and Mobile Devices Released

On July 27, 2018, the National Institute of Standards and Technology National Cybersecurity Center of Excellence (NCCoE) released the final version 1 of Special Publication 1800-1, Securing Electronic Health Records on Mobile Devices, which includes valuable information on establishing strong authentication and secure practices when accessing EHR systems remotely from mobile devices.  

While much of the report is technical in nature, such that it can be used to guide development of secure implementations, the overall goals of security AND ease of use are well-explained, and a questionnaire for EHR providers is included to help assess the security posture of an EHR vendor.

The NIST page with the Abstract of SP 1800-1 is available at:  and the publication, including all the subsections, is available at:  

Annual NIST/OCR HIPAA Security Conference October 18-19

On July 5, 2018 the National Institute of Standards and Technology and the HHS Office for Civil Rights announced the (11th annual) 2018 OCR/NIST Conference: Safeguarding Health Information: Building Assurance through HIPAA Security, to be held October 18-19, 2018 at the Hyatt Regency, Washington, D.C.  Note that the registration ends at 11:59 PM on October 11.  This is the one event I always attend every year.  See:  

New California Consumer Privacy Act set for January 1, 2020

On June 28, 2018, the California Consumer Privacy Act of 2018 was signed into law, going into effect at the beginning of 2020 and offering many of the same protections for personal information as those contained in the EU’s GDPR.  You’ll need to go through a similar evaluation process for personal information, but instead of, “is this individual an E.U. resident?” the question becomes, “is this individual a California resident?”

Luckily, information subject to HIPAA is not subject to CCPA, but non-PHI will still be controlled by CCPA, and will need evaluation.  Expect this kind of legislation to spread, as California is typically the trend-setter for privacy and security legislation.  One of the many articles on this topic is available at:  

Updated Common Rule for Research Effective January 21, 2019

The revised Common Rule on the use of personal information in research was adopted June 19, 2018 and will go into effect January 21, 2019, finally, after several delays and adjustments.  

Prior to the effective date, institutions may implement three of the “burden-reducing” changes for studies begun prior to January 21, 2019 that will transition to compliance with the revised requirements:

  • the revised definition of ‘research,’ which deems certain activities not to be research covered by the Common Rule; 
  • the elimination of the requirement for annual continuing review with respect to certain categories of research; and 
  • the elimination of the requirement that institutional review boards (IRBs) review grant applications or other funding proposals related to the research.

The changes to the Common Rule for secondary research enable low-risk medical studies, such as observational studies designed to find patterns in patient records to improve how procedures are performed.  The changes also encompass: 

  • requiring the most important information regarding a study to be explained clearly and concisely, and in a way that a “reasonable person” could understand; 
  • permitting researchers to seek broad consent, which will help improve the availability of biospecimens and patient-reported data (including real-time data from mobile applications and devices) for secondary research; 
  • clarifying that certain public health surveillance activities are outside the scope of the Common Rule, so that the spread of disease can be more easily monitored; and
  • providing a new option meant to help screening of potential participants, so patients who qualify for new treatments are more likely to learn about them.

One of many articles on this topic is at:  

An article on new HHS OCR guidance issued June 12, 2018 regarding HIPAA and research is at:  

MD Anderson Cancer Center hit with $4.3 million HIPAA Fine

On June 14, 2018, a U.S. Department of Health and Human Services Administrative Law Judge (ALJ) ruled that The University of Texas MD Anderson Cancer Center (MD Anderson) violated the HIPAA Privacy and Security Rules and granted summary judgment to the Office for Civil Rights (OCR) on all issues, requiring MD Anderson to pay $4,348,000 in civil money penalties to OCR. From the June 18, 2018 HHS press release (with my bolding):

"OCR investigated MD Anderson following three separate data breach reports in 2012 and 2013 involving the theft of an unencrypted laptop from the residence of an MD Anderson employee and the loss of two unencrypted universal serial bus (USB) thumb drives containing the unencrypted electronic protected health information (ePHI) of over 33,500 individuals. OCR’s investigation found that MD Anderson had written encryption policies going as far back as 2006 and that MD Anderson’s own risk analyses had found that the lack of device-level encryption posed a high risk to the security of ePHI. Despite the encryption policies and high risk findings, MD Anderson did not begin to adopt an enterprise-wide solution to implement encryption of ePHI until 2011, and even then it failed to encrypt its inventory of electronic devices containing ePHI between March 24, 2011 and January 25, 2013. The ALJ agreed with OCR’s arguments and findings and upheld OCR’s penalties for each day of MD Anderson’s non-compliance with HIPAA and for each record of individuals breached.

"MD Anderson claimed that it was not obligated to encrypt its devices, and asserted that the ePHI at issue was for “research,” and thus was not subject to HIPAA’s nondisclosure requirements. MD Anderson further argued that HIPAA’s penalties were unreasonable. The ALJ rejected each of these arguments and stated that MD Anderson’s “dilatory conduct is shocking given the high risk to its patients resulting from the unauthorized disclosure of ePHI,” a risk that MD Anderson “not only recognized, but that it restated many times.”

Lessons: Follow the guidance of your risk analysis, follow your own policies, and just because the data is for research doesn’t mean you can forget HIPAA.  ONLY information that is collected solely for research is exempt from HIPAA.

See the press release at:  

HHS Finally Playing Catch-up on HITECH Law Requirements

It’s been more than nine years since the HITECH Act was passed, and HHS is finally dealing with some of the thorniest issues presented by the law.  The HHS regulatory agenda indicates that in November they will propose:

• A new Accounting of Disclosures rule (see story below), 

• A new rule to clarify that healthcare providers are presumed to be acting in the individual's best interests when they share information with an incapacitated patient's family members unless there is evidence that a provider has acted in bad faith, and

• A change to the requirement that healthcare providers make a good faith effort to obtain from individuals a written acknowledgment of receipt of the provider's notice of privacy practices.  This one has me concerned, because getting this signed counts as a consent under the TCPA so you can call a patient’s cell phone without breaking the law.  If you skip this, medical offices will need to get written consent to contact the patient instead.  Savings? NONE.

But the biggest issue is with the requirement in HITECH to come up with a way to share penalty amounts collected with the individuals harmed in a breach.  This has more pitfalls and issues than anything HHS has had to come up with in a long time.  The experts have plenty to say about this one.

There is a great summary of all this, with links to the items in the agenda, in an article by Health IT Security, at:  

New Accounting of Disclosures Rule to be Proposed, Finally

The Office of Management and Budget’s regulations agenda indicates that the reviled 2011 proposal for a new Accounting of Disclosures rule based on HITECH Act requirements will be withdrawn, and the process will begin anew.  What was proposed in 2011 was preposterous, and the new proposed rule will have sufficient input to develop a rule that focuses on what patients really want to know when they ask for an Accounting.  See the story in GovInfo Security, at

New Guidance, Updated FAQs on SAMHSA 42 CFR Part 2

On May 1, 2018, the Substance Abuse and Mental Health Services Administration (SAMHSA) updated its Frequently Asked Questions page about 42 CFR Part 2 with two new fact sheets on how Part 2 applies to disclosures of information for treatment purposes.  The FAQ page is at:  with links to the two new fact sheets, Disclosure of Substance Use Disorder Patient Records: Does Part 2 Apply to Me? and Disclosure of Substance Use Disorder Patient Records: How Do I Exchange Part 2 Data?

Head of HHS OCR Says Texting with Patients is OK, but...

But it needs to be the patient’s preference.  In a “Making Policy from the Podium” moment, HHS Office for Civil Rights chief Roger Severino indicated that HHS guidance regarding using plain e-mail with patients would also apply to using plain texting with patients.  (Wouldn’t it be nice to see some real, formal, legal guidance, rather than just comments off the cuff?  Is anybody doing any real work at HHS OCR or is it just that chaos is so prevalent in the Federal government today that nothing of substance ever gets out?  Anyway, don’t get me started…)  

Plain texting is fine with patients if they prefer, but plain texting between professionals is strictly forbidden.  There’s an article in Mike Semel’s Blog posted March 6, 2018 about Severino’s comments in response to a question at the recent Spring HIMSS conference in Las Vegas.  See:  

Hospital Data Breaches Lead To Thousands of Deaths

On March 27, 2018, Becker’s Hospital Review reported on a Wall Street Journal article on a research presentation showing that hospitals that suffer a data breach can have negative impacts lasting years, due to diverted resources and attention, and slower responses to healthcare situations.  As a result, people die, some 2,100 per year.  These numbers are not huge, but they are significant and preventable.  Breaches => Patient Deaths.  Good Security = Good Patient Care.  See the Becker's article with a link to the WSJ article at:   

TCPA Allows Healthcare Texting If NPP Is Acknowledged

There has long been some uncertainty as to how the Telephone Consumer Protection Act applies to healthcare and cell phones, but a recent ruling (Latner v. Mt. Sinai Health System, Inc., No. 17-99-cv (2d Cir. Jan. 9, 2018)) indicated that if the Notice of Privacy Practices includes mention of such use, and the individual acknowledges that the NPP has been received, that counts as the necessary consent.  So, to comply with TCPA, make sure your NPP includes the necessary statements about contacting the individual, and make sure the individual acknowledges receipt of the NPP.  There’s an informative March 27, 2018 posting on the Journal of AHIMA Blog pages, available at:  

NOTE! This does not address HIPAA Security Rule requirements for security, so you’ll still need your patients to express a preference to receive any plain text messages that may imply a healthcare connection, depending on the message.  The “everyone should get a flu shot” message sent to all recent patients in the case cited probably would not count as a breach without consent, but an individualized message with personal details could.  Your mileage may vary.

Get Ready for the GDPR — Compliance Required by May 25

The new European Union General Data Protection Regulation goes into effect May 25, 2018, and it requires the protection of the identifiable personal information of any EU subject no matter where that information may be, even in the US.  The GDPR is far from trivial, and could be expected to become the de facto international standard for protection merely because of its widespread applicability.  If you serve any patients or customers who reside in the EU, you need to be aware of this.  

See great overview articles at and and the EU GDPR Web page at   

HHS OCR Director Says No More HIPAA Audits To Be Done

Following a presentation at the HIMSS18 conference on March 6, 2018, HHS Office for Civil Rights Director Roger Severino told an Information Security Media Group reporter that while HIPAA enforcement activity would continue unabated, the HIPAA Audit Program will have no further effort other than to report on the results of the prior work and provide best practices guidance based on that analysis.  This is despite a clear requirement in the HITECH Act for HHS to perform periodic audits of covered entities and business associates.  (Law? What law?)  See:  

Two New Reports Show Massive Insider Threats to PHI

Two news reports of March 2, 2018 show that healthcare security issues are different from other industries, and that insiders pose a huge threat both in accidental and intentional breaches.  Some of the results are astonishing and contrary to what you’d expect.  

A survey by Accenture reported in Becker’s Hospital Review showed that 18% of respondents would sell PHI for as little as $500, and an amazing 24% of respondents said they knew of someone in their organization who had sold access or credentials to an outsider.  See:

MedCity News reported that the latest Verizon Protected Health Information Data Breach Report shows how insiders are the biggest threat to the security of PHI, far beyond that for other industries.  Also, larger organizations are better than smaller ones at finding problems before the public does.  Any surprise?  Remember that the results of the 2012 HIPAA Audits showed that small healthcare providers tend to have security issues, and that apparently hasn’t changed.  See the story at and the Verizon report is at   

$100K Improper Record Disposal by out-of-Business Associate

On February 13, 2018, the HHS Office for Civil Rights announced a resolution agreement for $100,000 with the receiver appointed to liquidate the assets of records management firm Filefax, Inc., of Northbrook, Illinois, for insecure storage and disposal of records.  Filefax advertised that it provided for the storage, maintenance, and delivery of medical records for covered entities and did not escape a penalty even though it shut its doors during the course of OCR’s investigation into alleged HIPAA violations.

It’s so simple — secure storage and disposal of paper records is required, and filing for bankruptcy doesn’t protect an entity that violates the rules.  See the HHS page with links to the press release and the Resolution Agreement and Corrective Action Plan at  

Fresenius gets $3.5 Million Settlement for Lack of Security

On February 1, 2018, the HHS Office for Civil Rights announced a resolution agreement with Fresenius Medical Care North America (FMCNA) for $3.5 million and a corrective action plan to deal with a lack of risk analysis and risk management that led to multiple breaches of PHI.  Although the total number of records breached was for only 521 individuals, the investigation turned up a variety of risk assessment and management problems at a number of sites and organization-wide.  

The clear message is: YOU CAN’T IGNORE THE SECURITY RULE ANY MORE.  If you haven’t done the proper risk analysis or haven’t addressed the risks you found (or should have found), you’re looking for trouble.  See the HHS announcement at:  and the Resolution Agreement and Corrective Action Plan at:   Also worth a look is the article in Fierce Health:  

CMS Says Secure Texting Is OK But Not For Patient Orders

On December 28, 2017, the HHS Centers for Medicare and Medicaid Services (CMS) issued a memo to its State Survey Agency Directors to clarify that texting patient information among members of the health care team is permissible if accomplished through a secure platform, but texting of patient orders is prohibited regardless of the platform utilized.  Computerized Provider Order Entry (CPOE) is the preferred method of order entry by a provider.  So, texting PHI among the team?  Yes, but it must be secure.  Texting patient orders?  No, which is aligned with Joint Commission rules.  The memorandum is available at:  and there are articles on the announcement at:  and at:  

OCR Finally Announces 21CO $2.3m Settlement 17 Days Later

On December 28, 2017, the HHS Office for Civil Rights finally announced a resolution agreement with 21st Century Oncology (21CO) for HIPAA violations that culminated in a breach of 2.2 million records and an OCR investigation, resulting in a resolution amount of $2.3 million and a Corrective Action Plan (see the story two items below this one).  The OCR press release is available at and the resolution agreement is available at   

HHS OCR Updates Guidance on Sharing Info in Opioid Incidents

On December 19, 2017 the HHS Office for Civil Rights announced expanded and improved guidance relating to the sharing of information in opioid overdose incidents, including revised guidance, new guidance, and new Frequently Asked Question sets on the topic.  Per former HHS honcho Deven McGraw, this should be required reading for all front line personnel dealing with these emergencies!  See the page with links to the new and updated information at:  

OCR Doesn’t Announce Latest HIPAA Settlement for $2.3m?

On December 11, 2017, the HHS Office for Civil Rights did not announce a filed resolution agreement with 21st Century Oncology (21CO) for HIPAA violations that culminated in a breach of 2.2 million records and an OCR investigation, resulting in a resolution amount of $2.3 million and a Corrective Action Plan.  But that’s not the worst of it for 21CO: they (now bankrupt, no surprise) face a $26 million penalty for false meaningful use attestations.

Here’s an article on it in HealthIT Security:  And here’s a page with the announcement by the Justice Department about the $26m settlement:  

Finally, here are a couple of sources for the filed settlement:  and  

But it is not announced on the HHS OCR page where these are all listed (at ), and there have not been the typical e-mail list announcements from them about this.  What gives?  Has all work stopped in Washington?  VERY unusual...

On-site HHS OCR HIPAA Audits for 2017 Cancelled

At the 2017 AHIMA conference in Los Angeles, on October 7, 2017 a representative of the regional office of HHS spoke about the latest from HHS re HIPAA, and although the presentation slides don’t show it, it was announced that the 2016 HIPAA Audit program has concluded, and the on-site audits promised for 2017 will not take place.  Given the tremendous rate of turnover at HHS under the new administration, the paralysis that has hit HHS operations, and the fact that the leaders of the audit program are now gone, I would be surprised to see the program (required by law) resuscitated before 2019.

Read The New NISTIR 8192: Enhancing Resilience of the Internet and Communications Ecosystem

On September 19, 2017 the National Institute of Standards and Technology Computer Security Resource Center released NIST Internal Report (NISTIR) 8192, Enhancing Resilience of the Internet and Communications Ecosystem.  This is a surprisingly readable, actionable document that includes specific items to address the needs of a variety of industry stakeholders.

If you are wondering, What in the world am I going to do about all these incredible security threats??? this is a great place to begin.  See the announcement at  and download it at 
DO THIS NOW — You will discover things you can do right away, today!

Annual NIST/OCR HIPAA Security Conference Announced

On July 26, 2017, the HHS Office for Civil Rights announced that registration is open for the 10th Annual OCR/NIST conference, Safeguarding Health Information: Building Assurance through HIPAA Security, September 5-6, 2017 at the Hyatt Regency, 400 New Jersey Ave NW, Washington, DC 20001, hosted by OCR and the National Institute of Standards and Technology.

The conference explores the current healthcare cybersecurity landscape and the HIPAA Security Rule. Over two days, presentations will cover a variety of topics including understanding the current cybersecurity threat landscape, managing data breaches, considerations for small provider cybersecurity, managing cybersecurity risk and implementing practical cybersecurity solutions in healthcare environments, updates on OCR's Phase 2 audits and enforcement activities, and more.

Participants can choose to participate in-person or via webcast. All registrants will have access to archived webcast presentations and materials.  Registration ends on 8/29/2017 at 11:59 PM EDT. 

Yes, I am attending again this year, hoping to ask the hard questions of those who should be able to provide answers.

For registration information and additional details, please visit  

HHS OCR Releases “Improved” Wall of Shame for Breaches

On July 25, 2017, the HHS Office for Civil Rights announced an updated HIPAA Breach Reporting Tool (HBRT) featuring improved navigation for both those looking for information on breaches and ease-of-use for organizations reporting incidents.  The tool also helps educate industry on the types of breaches that are occurring, industry-wide or within particular sectors, and how breaches are commonly resolved following investigations launched by OCR. 

New features of the HBRT include:

  • Enhanced functionality that highlights breaches currently under investigation and reported within the last 24 months
  • New archive that includes all older breaches and information about how breaches were resolved
  • Improved navigation to additional breach information
  • Tips for consumers

The HBRT may be found at:  

For additional information on HIPAA breach notification, visit:

ONC Releases Report on Issues with Individual Access of PHI

On July 11, 2017, the HHS Office of the National Coordinator for Health IT released a report on patient experiences in the access of medical records, and it’s a pretty sorry looking picture, frankly.  In the examples shown, there is a remarkable lack of understanding of basic HIPAA Access requirements by the involved providers.  The report shows the alarming, life threatening hurdles in the process and offers some ideas about what must be done, and NOW.  See the announcement at:  and the report at:  

NIST Finalizes Report: Time to Change Password Habits!

On June 22, 2017, NIST released the expected final version of Special Publication 800-63-3, Digital Identity Guidelines, published in four parts.  The best part of the suite is the password recommendations: see Appendix A to SP 800-63B for the details.

They suggest that periodic password changes are no longer necessary. The report also recommends changes to several other password policies that have become antiquated in the modern computing environment:

  • Allow at least 64 characters in length to support the use of passphrases.
  • Encourage users to make memorized secrets as lengthy as they want, using any characters they like (including spaces), thus aiding memorization.
  • Do not impose other composition rules (e.g. mixtures of different character types) on memorized secrets.

NIST is also recommending checking new passwords against several lists, such as:

  • Context specific words, such as the name of the service, the username, and derivatives thereof.
  • Repetitive or sequential characters (e.g. ‘aaaaaa’, ‘1234abcd’).
  • Passwords obtained from previous breach corpuses.

Links to Special Publication 800-63-3 are provided below, from the CSRC Special Publications page: 
Main document:
SP 800-63A:
SP 800-63B:
SP 800-63C:

AHIMA Releases Template for Request for Access of PHI

On July 6, 2017, AHIMA released a model form for Patient Requests for Access to their PHI that meets the requirements of the HHS Office of the National Coordinator for Health IT and Office for Civil Rights.  While the form is hospital-centric in some of the details, it can be the basis for forms used by other providers.  Remember: An access request is NOT the same as a release under Authorization, and you should not use the same forms or processes for both.  This form is very simple, as it should be according to HHS guidance.  See the announcement at  and download the form at:  

ECRI on Protecting Medical Devices from Ransomware Attacks

On May 26, 2017, Healthcare Informatics reported that the ECRI Institute has released a new guidance article, Ransomware Attacks: How to Protect Your Medical Device Systems, with recommendations to help hospitals identify and protect against ransomware attacks.  The report provides recommendations for adapting general cybersecurity principles to the particular requirements of medical device systems, including a list of immediate do's and don'ts for quickly responding to emerging threats.

The Healthcare Informatics article is available at:  and the ECRI guidance, published May 18, 2017 is available at:  

Provider Sends HIV Information to Employer - Oops! = $387K

On May 23, 2017, HHS OCR announced a $387,200 HIPAA settlement for impermissible disclosure of protected health information (PHI) with St. Luke’s-Roosevelt Hospital Center Inc.  In September 2014, OCR received a complaint alleging that a staff member impermissibly disclosed the complainant’s PHI to the complainant’s employer, including sensitive information concerning HIV status, medical care, sexually transmitted diseases, medications, sexual orientation, mental health diagnosis, and physical abuse.

The investigation revealed that staff at the Spencer Cox Center impermissibly faxed the patient’s PHI to his employer rather than sending it to the requested personal post office box.  (!!!)  

Additionally, OCR discovered that the Spencer Cox Center was responsible for a related breach of sensitive information that occurred nine months prior to the aforementioned incident but had not addressed the vulnerabilities in their compliance program to prevent impermissible disclosures.  (Yow!)

Look folks, there’s no excuse for this.  Small breaches are easily prevented if everyone DOUBLE-CHECKS what they’re doing before they send information.  And if you have an issue, ADDRESS IT BEFORE IT HAPPENS AGAIN!!  HELLO!  WHERE IS THE COMPLIANCE DEPARTMENT??


NIST Says It’s Time To Change Password Habits in Draft 800-63

New guidelines from NIST expected this summer suggest that periodic password changes are no longer necessary. The report also recommends changes to several other password policies that have become antiquated in the modern computing environment:

  • Allow at least 64 characters in length to support the use of passphrases.
  • Encourage users to make memorized secrets as lengthy as they want, using any characters they like (including spaces), thus aiding memorization.
  • Do not impose other composition rules (e.g. mixtures of different character types) on memorized secrets.

NIST is also recommending checking new passwords against several lists, such as:

  • Context specific words, such as the name of the service, the username, and derivatives thereof.
  • Repetitive or sequential characters (e.g. ‘aaaaaa’, ‘1234abcd’).
  • Passwords obtained from previous breach corpuses.

Draft SP 800-63 is available at , and for the password recommendations, see Appendix A to Draft SP 800-63B at  

Also see this article in Quartz Media:  
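The verifier-side rules listed in this item (and repeated in the final-guidance item above, "NIST Finalizes Report: Time to Change Password Habits!") boil down to a small validator.  The following is an added example in Python, not NIST's code and not from the original post.  The breach corpus and dictionary are constructed stand-ins for the real lists, and the 256-character cap and the four-character run length for rejecting things like 'aaaa' and '1234' are assumptions, since SP 800-63B sets no number for either.

```python
"""Memorized-secret checks in the spirit of NIST SP 800-63B section 5.1.1.2.

Added example; the word lists are constructed stand-ins, and MAX_LEN and
MIN_RUN are assumptions (SP 800-63B gives no figure for either)."""
from __future__ import annotations

import unicodedata

MIN_LEN = 8     # SP 800-63B: at least 8 characters for user-chosen secrets
MAX_LEN = 256   # SP 800-63B: permit at least 64; this cap is an assumption
MIN_RUN = 4     # run length that counts as "repetitive or sequential" (assumption)

# Constructed stand-ins. A real verifier loads a large breach corpus
# (millions of entries) and a dictionary, ideally as hashes.
BREACHED = {"password", "123456", "qwerty", "letmein", "welcome1"}
DICTIONARY = {"baseball", "dragon", "football", "monkey", "sunshine"}


def normalize(secret: str) -> str:
    """Apply Unicode NFKC so visually identical input compares and hashes
    the same; SP 800-63B calls for NFKC or NFC before processing."""
    return unicodedata.normalize("NFKC", secret)


def run_length_violation(s: str, min_run: int = MIN_RUN) -> bool:
    """True if s holds min_run code points that are all identical ('aaaa')
    or step by exactly one in either direction ('1234', 'dcba')."""
    for i in range(len(s) - min_run + 1):
        window = [ord(c) for c in s[i:i + min_run]]
        steps = {b - a for a, b in zip(window, window[1:])}
        if len(steps) == 1 and steps.pop() in (-1, 0, 1):
            return True
    return False


def context_words(username: str, service: str) -> set[str]:
    """Words the secret must not contain: the service name, the username
    (and its local part if it is an e-mail address) and simple derivatives."""
    words: set[str] = set()
    for base in (username, service, username.split("@")[0]):
        w = base.lower()
        letters = "".join(ch for ch in w if ch.isalpha())
        for candidate in (w, w[::-1], letters):
            if len(candidate) >= 3:   # ignore fragments too short to matter
                words.add(candidate)
    return words


def check_memorized_secret(secret: str, username: str, service: str,
                           breached: set[str] = BREACHED,
                           dictionary: set[str] = DICTIONARY) -> list[str]:
    """Return the reasons a candidate secret is rejected (empty list = accept).

    Deliberately absent, per SP 800-63B: composition rules ("one digit, one
    symbol"), a short maximum length, and any expiry. Spaces and any
    printable Unicode are allowed so passphrases are easy to use."""
    s = normalize(secret)
    low = s.lower()
    reasons: list[str] = []
    if len(s) < MIN_LEN:
        reasons.append(f"shorter than {MIN_LEN} characters")
    if len(s) > MAX_LEN:
        reasons.append(f"longer than {MAX_LEN} characters")
    if low in breached:
        reasons.append("found in a breach corpus")
    if low in dictionary:
        reasons.append("dictionary word")
    for w in sorted(context_words(username, service)):
        if w in low:
            reasons.append(f"contains context-specific word '{w}'")
            break
    if run_length_violation(s):
        reasons.append(f"contains {MIN_RUN}+ repeated or sequential characters")
    return reasons


if __name__ == "__main__":
    for cand in ("correct horse battery staple", "Acme-portal-2017!", "1234abcd", "password"):
        print(repr(cand), "->", check_memorized_secret(cand, "alice", "acme") or "OK")
```

Note what the function does not do: it never demands a digit or a symbol, never caps a long passphrase at 16 or 20 characters, and knows nothing about expiry.  Those are the habits the guideline retires; what replaces them is the blocklist, the context check, and the run check, with the reason shown to the user on rejection.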

Draft NIST Guide on Securing Wireless Infusion Pumps

On May 16, 2017, just in time for the global ransomware attack, NIST announced Draft NIST SP 1800-8, Securing Wireless Infusion Pumps in Healthcare Delivery Organizations, which is now available for public comment.

IF YOU HAVE WIRELESS INFUSION PUMPS, YOU MUST READ AND IMPLEMENT SP 1800-8 or you are playing with fire, and with your patients’ lives.

See:  for the guide and for the announcement.

Brute Force Attacks on Remote Access Points Under Way

Use RDP for remote access to desktops?  Watch out!  The bad guys are now using brute force attacks to gain entry to networks via open RDP services that use only an ID and password for access.  Time to beef up your Remote Access controls, and require STRONG authentication!  See the article in Healthcare IT News:    
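Brute-force attempts against an exposed RDP listener show up in the Windows Security log as bursts of Event ID 4625 (failed logon) with logon type 10 (RemoteInteractive), and a password spray shows up as one source failing against many accounts.  As an added example, not from the original post or from any vendor, here is a Python detector run over a constructed set of such events.  The thresholds (10 failures from one source inside five minutes, five distinct accounts from one source) and the sample addresses are assumptions to tune for your own environment.

```python
"""Flag RDP brute-force and password-spray patterns in Windows logon events.

Added example over constructed events; thresholds are assumptions to tune."""
from __future__ import annotations

from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON, SUCCESS_LOGON = 4625, 4624   # Windows Security event IDs
RDP_LOGON_TYPE = 10                        # RemoteInteractive (RDP)


def _ev(when: datetime, event_id: int, user: str, ip: str,
        logon_type: int = RDP_LOGON_TYPE) -> dict:
    return {"time": when, "id": event_id, "user": user, "ip": ip, "logon_type": logon_type}


# Constructed sample of Security log events (the IPs are documentation ranges).
# A real pipeline would read these from the event log, a forwarder or a SIEM.
_T0 = datetime(2017, 5, 15, 8, 0, 0)
SAMPLE_EVENTS: list[dict] = []
for i in range(12):   # one host hammers 'administrator' every 15 s, then gets in
    SAMPLE_EVENTS.append(_ev(_T0 + timedelta(seconds=15 * i), FAILED_LOGON,
                             "administrator", "203.0.113.7"))
SAMPLE_EVENTS.append(_ev(_T0 + timedelta(minutes=3, seconds=10), SUCCESS_LOGON,
                         "administrator", "203.0.113.7"))
for i, user in enumerate(["jsmith", "mjones", "rlee", "akhan", "tnguyen", "svc_backup"]):
    # another host tries one guess against each of many accounts (spraying)
    SAMPLE_EVENTS.append(_ev(_T0 + timedelta(minutes=1, seconds=20 * i), FAILED_LOGON,
                             user, "198.51.100.9"))
# a clinician mistypes once and then logs in: no alert expected
SAMPLE_EVENTS.append(_ev(_T0 + timedelta(minutes=2), FAILED_LOGON, "dr.kim", "192.0.2.5"))
SAMPLE_EVENTS.append(_ev(_T0 + timedelta(minutes=2, seconds=30), SUCCESS_LOGON, "dr.kim", "192.0.2.5"))


def detect_rdp_attacks(events: list[dict], window: timedelta = timedelta(minutes=5),
                       fail_threshold: int = 10, spray_users: int = 5) -> list[dict]:
    """Walk events in time order and return alerts (one per source and kind):
      brute_force           >= fail_threshold RDP failures from one IP inside window
      password_spray        failures from one IP against >= spray_users distinct accounts
      success_after_attack  a successful RDP logon from an already-flagged IP
    """
    alerts: list[dict] = []
    recent_failures: dict[str, deque] = defaultdict(deque)   # ip -> failure times in window
    accounts_tried: dict[str, set] = defaultdict(set)         # ip -> distinct accounts (not windowed)
    flagged: set[tuple[str, str]] = set()
    for e in sorted(events, key=lambda e: e["time"]):
        if e["logon_type"] != RDP_LOGON_TYPE:
            continue                      # only RDP logons matter for this detector
        ip = e["ip"]
        if e["id"] == FAILED_LOGON:
            q = recent_failures[ip]
            q.append(e["time"])
            while q and e["time"] - q[0] > window:
                q.popleft()               # slide the window forward
            accounts_tried[ip].add(e["user"])
            if len(q) >= fail_threshold and (ip, "brute_force") not in flagged:
                flagged.add((ip, "brute_force"))
                alerts.append({"ip": ip, "kind": "brute_force", "time": e["time"],
                               "detail": f"{len(q)} RDP logon failures within {window}"})
            if len(accounts_tried[ip]) >= spray_users and (ip, "password_spray") not in flagged:
                flagged.add((ip, "password_spray"))
                alerts.append({"ip": ip, "kind": "password_spray", "time": e["time"],
                               "detail": f"{len(accounts_tried[ip])} distinct accounts tried"})
        elif e["id"] == SUCCESS_LOGON and any(f_ip == ip for f_ip, _ in flagged):
            alerts.append({"ip": ip, "kind": "success_after_attack", "time": e["time"],
                           "detail": f"successful RDP logon as {e['user']} after flagged activity"})
    return alerts


if __name__ == "__main__":
    for a in detect_rdp_attacks(SAMPLE_EVENTS):
        print(a["time"].time(), a["ip"], a["kind"], "-", a["detail"])
```

The third alert kind is the one to page on: a success from a source that was just flagged means the guessing worked.  Detection is the backstop, though; the fix the item calls for is to stop exposing RDP on an ID and password alone (put it behind a VPN or gateway with multi-factor authentication, and lock out or rate-limit repeated failures).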

Patient Name in Press Release Headline yields $2.4 million

On May 10, 2017, HHS OCR announced a $2.4 million settlement (and corrective action plan, of course) with Memorial Hermann Health System (MHHS) to settle potential HIPAA violations, for issuing a press release about a patient, including details and the patient’s name in the headline, without a HIPAA Authorization, and for not adequately sanctioning the individuals responsible for the violation.

In addition to the $2.4 million settlement, a corrective action plan requires MHHS to update its policies and procedures on safeguarding PHI from impermissible uses and disclosures and to train its workforce members.  The corrective action plan also requires all MHHS facilities to attest to their understanding of permissible uses and disclosures of PHI, including disclosures to the media.  See:

Stolen Laptop + No Risk Analysis or Management = $2.5 million

On April 24, 2017, HHS OCR announced a $2.5 million resolution agreement with wireless health services provider CardioNet, for not having done proper risk analysis and risk management; the gaps came to light when a laptop holding PHI was stolen, resulting in a breach.  The message?  No matter who you are, even if you provide cardiac monitoring services, you need to lock down your portable devices, NOW.  See the press release and agreement at:  

No Business Associate Agreement Leads to $31K settlement

On April 20, 2017, HHS OCR announced a $31,000 resolution agreement with Center for Children’s Digestive Health for not having had a proper HIPAA Business Associate Agreement in place with a business associate, Filefax, Inc., which stored health records for CCDH.  See the Resolution Agreement and Corrective Action Plan at  

After a break during March, I guess we’re getting back to a two-a-month settlement rate.  Learn your lessons from others’ mistakes!

No Risk Analysis, Breach, Insufficient Risk Mitigation = $400K

On April 12, 2017, HHS OCR announced a $400,000 resolution agreement with Metro Community Provider Network, an FQHC, for not having conducted a HIPAA Security Risk Analysis, suffering a breach, and then following up with insufficient risk analysis and risk mitigation.  I think it’s getting pretty clear that it’s time to start a program of regular risk analysis activity that leads to mitigation of the issues discovered.  See the Resolution Agreement and Corrective Action Plan at

OCR’s guidance on the Security Rule may be found at

Lack of Audit Controls Leads to $5.5 million HIPAA settlement

On February 16, 2017 HHS OCR announced a $5.5 million resolution agreement with Memorial Healthcare Systems of Florida, for not having controlled and monitored access to PHI, leading to a breach of the PHI of 115,143 individuals by an insider.  I’ve been waiting to see an enforcement action based on a lack of auditing, and now it’s here.  This, folks, is the tough nut to crack in HIPAA Security compliance and can no longer be ignored.

The Resolution Agreement and Corrective Action Plan may be found on the OCR website at

OCR offers helpful guidance on the importance of audit controls and audit trails in their January 2017 cyber-newsletter, at

See a Security Problem?  Fix it!  If not, $3.2 million PENALTY

On February 1, 2017 HHS OCR announced the imposition of a PENALTY for violations resulting from known security problems that went unaddressed for years at Children’s Medical Center of Dallas.  They had problems with breaches from unencrypted portable devices in 2007 and did not implement the proper encryption until further breaches occurred in 2013.  

Amazingly, Children’s did NOT file for a hearing and passed up an opportunity to negotiate a settlement.  They probably could have had a nice simple corrective action plan and a much lower financial amount but decided to just take the financial penalty.  Or did they just not notice the Notice of Proposed Determination?  Um, OK.  Bizarre.  Either way, I have reservations about their compliance processes.  See the announcement and Notices of Proposed and Final Determination at  and decide for yourself.

NIST Releases Draft Revision to Intro to Information Security

On January 26, 2017, NIST released Draft Special Publication (SP) 800-12 Revision 1, An Introduction to Information Security, open for public comment through February 22, 2017.  The new draft is available at:

If you’re looking for a place to start with Information Security, this is a fine one.  If you’re interested in making sure the new revision is a good one, read it and submit your comments.

New Update to the Common Rule for Research Finalized

On January 19, 2017, the revised Federal Policy for the Protection of Human Subjects, a.k.a. the Common Rule, was published, relating to the proper protections, including privacy, to be afforded to research subjects.  If you do research involving human subjects, you need to review the changes.  Some privacy concerns have been voiced about the new rule.

What with this new rule, there are many new intersections to be explored between HIPAA, 42 CFR Part 2, and research, not to mention the 21st Century Cures Act!  Those of you who do research with health information relating to substance abuse, for instance, have plenty of homework to do.  You have a little time, until 2018, to implement the new rule.  


Poor Implementation of Safeguards Following Breach: $2.2M

On January 18, 2017, HHS OCR announced yet another HIPAA settlement, this time for $2.2 million, for reporting a breach and then not following through on risk mitigation as promised to OCR.  Please, if you have a breach, do what you need to do to prevent a repeat (in this case, do your risk analysis and encrypt your portable devices) and satisfy HHS OCR that you actually care about security.  Don’t put it off for years, OK?  See: 

Changes to 42 CFR Part 2 re Substance Abuse Info Finalized

On January 18, 2017, the Substance Abuse and Mental Health Services Administration (SAMHSA) announced the release of the final updates to 42 CFR Part 2 regarding substance abuse treatment information.  The changes, among other things, allow release of information to a qualified researcher, but more importantly, allow a patient to consent to disclosing their information using a general designation (such as “my healthcare providers”), to allow patients to benefit from integrated health care systems.  Patients do not have to agree to such disclosures, but patients who do agree to the general disclosure designation have the option to request a list of entities to whom their information has been disclosed.  

A nice summary is in the press release, available at and the new rule is at

Untimely Reporting of Breach Results In $475K Settlement

On January 10, 2017, HHS OCR announced the first HIPAA settlement based on the untimely reporting of a breach of unsecured PHI.  Presence Health has agreed to settle by paying $475,000 and agreeing to implement a corrective action plan.  With this settlement amount, OCR balanced the need to emphasize the importance of timely breach reporting with the desire not to disincentivize breach reporting altogether.  Good idea!

The Press Release, Resolution Agreement, and Corrective Action Plan may be found on the OCR website at

Joint Commission Reaffirms Ban on Texting Patient Care Orders

On January 9, 2017, reported that the Joint Commission, in its December 2016 issue of The Joint Commission Perspectives, had reaffirmed its ban on using texting of any kind for patient care orders, even if secured.  The issues identified in this recent assessment include:

  • Using texts or other messaging apps to order treatments could increase the burden on nurses or other clinical staff who would be responsible for inputting such data into electronic health records
  • Talking in-person allows for easier clarifications if there are questions about an order, and allows for better confirmation of directives
  • If there are any clinical decision support alerts triggered during the EHR process, the clinician inputting the information into the system will have to take time to contact the ordering physician to resolve the issue, potentially causing treatment delays

The article in is available at:  and the Joint Commission’s new “Clarification” is available at:  

New FAQs & Guidance from HHS on Disclosures to Loved Ones

OCR has issued a new FAQ clarifying that the HIPAA Privacy Rule (45 CFR 164.510(b)) permits disclosures to loved ones regardless of whether they are recognized as relatives under applicable law.  In particular, the FAQ makes clear that the potential recipients of information under the relevant permissive disclosure provisions of 45 CFR 164.510(b) are not limited by the sex or gender identity of the person.

In tandem, OCR is updating its existing guidance on several provisions within the HIPAA Privacy Rule that recognize the integral role that a spouse often plays in a patient’s health and health care.  Consistent with the Supreme Court decision in Obergefell v. Hodges, OCR is issuing updated guidance that makes clear that the terms marriage, spouse, and family member include, respectively, all lawful marriages (whether same-sex or opposite-sex), lawfully married spouses and the dependents of all lawful marriages, and clarifies certain rights of individuals under the Privacy Rule. 


The FAQ is also available at

New NIST Guide for Cybersecurity Event Recovery Released

On December 23, 2016, the National Institute of Standards and Technology (NIST) released a little Christmas gift: the new final Special Publication 800-184, Guide for Cybersecurity Event Recovery, an excellent overall guide that now incorporates incident handling and contingency planning.  The press release (at ) provides a good overview, and the Guide is available at:  

From the press release: "The publication supplies tactical and strategic guidance for developing, testing and improving recovery plans, and calls for organizations to create a specific playbook for each possible cybersecurity incident. The guide provides examples of playbooks to handle data breaches and ransomware.”  This approach supports my view that developing and working through drills on various scenarios is one of the best ways to be prepared for a nasty security event.  Bravo!

21st Century Cures Act Includes Health IT and HIPAA Impacts

On December 8, 2016, AHIMA published an informative guide to the Health IT and HIM related sections of the 21st Century Cures Act, now signed by President Obama.  There are numerous sections pertinent to those in HIPAA compliance, and this overview guide from AHIMA is easy to use and understand.  

In fact, many of the things called for relating to HIPAA, such as guidance on sharing information with family, friends, and others involved with an individual’s care, are already in the works at HHS Office for Civil Rights, but the legislation provides a solid foundation for these activities.

This legislation has non-trivial, wide ranging impacts on HIPAA.  See the AHIMA guide at:  

NIST Issues Guide to Securing Mac OS X for Security Pros

On December 12, 2016 NIST announced the release of Special Publication 800-179, Guide to Securing Apple OS X 10.10 Systems for IT Professionals: A NIST Security Configuration Checklist. This Special Publication has been approved as final, and is available at:  

SP 800-179 aims to assist IT professionals in securing Apple OS X 10.10 desktop and laptop systems within various environments providing detailed information about the security features of OS X 10.10 and security configuration guidelines. The publication recommends and explains tested, secure settings with the objective of simplifying the administrative burden of improving the security of OS X 10.10 systems in three types of environments: Standalone, Managed, and Specialized Security-Limited Functionality. 

Additional project resources are at:

Phony OCR E-mails are Phishing Attacks; Avoid

On November 28 and 30, HHS Office for Civil Rights announced that a phishing e-mail is being circulated on mock HHS Departmental letterhead.  The e-mail appears to be an official government communication, and targets employees of HIPAA covered entities and their business associates, prompting recipients to click a link regarding possible inclusion in the HIPAA Privacy, Security, and Breach Rules Audit Program.  The link directs individuals to a non-governmental website marketing a firm’s cybersecurity services.

In no way is this firm associated with the U.S. Department of Health and Human Services or the Office for Civil Rights.  The links in the e-mail lead to addresses in the domain “” which is not an official HHS domain.  HHS addresses end in “”.  For more information on the HIPAA Audit program and this announcement, see:  

Oh, and By The Way, Business Associate Audits Have Begun

Almost as a footnote in the November 30 announcement above, HHS Office for Civil Rights has announced that the first notices for audits have been sent to the Business Associates being targeted for the current round of audits.  If you are a HIPAA Business Associate and any of your customers were selected in the covered entity audits this year, you could be selected for an audit.  Be sure to watch your e-mail and spam filters for the message from HHS!

Where the Network Goes, HIPAA goes; $650K for No Firewall

On November 22, 2016, HHS Office for Civil Rights announced a $650,000 settlement for potential HIPAA violations at UMass Amherst, for not protecting networks with a firewall, leading to a breach of PHI.  In addition, UMass Amherst had not properly designated itself as a Hybrid entity, leaving some HIPAA-covered portions without the appropriate safeguards.  It should be noted that the penalty was lower than might be expected for the violation, because of the net operating loss for the University at the time.  See the press release and agreement at:  

NIST Updates Small Business Information Security Guide

On November 14, 2016, The National Institute of Standards and Technology (NIST) released Interagency Report NISTIR 7621 Revision 1, Small Business Information Security: The Fundamentals. NIST developed this interagency report as a reference guideline about cybersecurity for small businesses. This document is intended to present the fundamentals of a small business information security program in non-technical language.  It is a great overview of what goes into an information security program.  See:

Secure That Server Properly On Installation, OR ELSE!

On October 18, 2016, the HHS Office for Civil Rights announced that St. Joseph Health (SJH) has agreed to settle potential violations of the HIPAA Privacy and Security Rules following the report that files containing PHI were publicly accessible through internet search engines from 2011 until 2012.  A default file sharing application had been left open on installation of a server.  Risk Analyses had been performed but were patchwork and incomplete.  SJH will pay a settlement amount of $2,140,500 and adopt a comprehensive corrective action plan.  See the press release and agreement at:  

Yet another reminder that launching a server is like preparing for takeoff — you have to go through a complete checklist, like the applicable sections of the CIS Controls for Effective Cyber Defense (see ), when launching a new server.  And make sure your Risk Analysis is complete!

Surprise! Ready for ACA Section 1557? New FAQs Available

On September 14, 2016, the HHS Office for Civil Rights announced New Section 1557 FAQs on Language Access Requirements and the Top 15 Languages and many providers weren’t even aware of the rule or the October 17, 2016 deadline for compliance.  Beginning on October 17, 2016, covered entities will be required to post Notices of Nondiscrimination and Taglines that alert individuals with limited English proficiency (LEP) to the availability of language assistance services.  Read the FAQs on the Language Access Requirements here:

In addition, HHS OCR has made available a table displaying the top 15 languages spoken by individuals with limited English proficiency (LEP) in each State, the District of Columbia, Puerto Rico and each U.S. Territory based on OCR’s research.  View the table of the top 15 languages in each state:  

HHS 2013-2014 Report to Congress on Breach Notification

On August 30, 2016, the Secretary of HHS reported to Congress on the status of the HIPAA Breach Notification program, for the 2013-2014 period, as required under the HITECH Act, section 13402.  The report shows the percentages of breaches by theft and loss are decreasing while unauthorized access and “other” are up, by a number of measures.  

This means the hackers are doing a lot more damage while we still have a significant problem with loose data.  There’s also a good summary of enforcement and audit activity in the 2013-2014 period.  Especially take note of the section on Lessons Learned to see what you can do to avoid breaches, on pages 28-30.  The report is available at:  

HHS Releases Long-Awaited Guidance on Cloud Computing

On October 7, 2016, the US Department of Health and Human Services Office for Civil Rights released guidance on using cloud-based solutions to help HIPAA-regulated CSPs (Cloud Service Providers — hello new acronym!) and their customers in understanding their responsibilities under the HIPAA Rules when they create, receive, maintain, or transmit electronic protected health information.  The guidance includes key questions and answers.  See:  Frequently Asked Questions about Business Associates are available at   

This is an area that has been begging for guidance ever since the new rules came out in 2013, as the rules and Preamble did not adequately consider such computing solutions.   Note that the guidance includes several references to the guidance in the story below, on availability of PHI.  With these guidance documents and the guidance on Individual Access of PHI, it is clear that HHS is quite serious about the availability of PHI.

HHS Releases New FAQ on Availability of PHI Maintained by BA

On September 28, 2016, the US Department of Health and Human Services Office for Civil Rights released a new set of Frequently Asked Questions about how Business Associates must maintain availability of PHI.  The FAQs address "whether a business associate of a HIPAA covered entity may block or terminate access by the covered entity to the protected health information maintained by the business associate”.  The short answer is, No.  Data may not be held hostage for non-payment of fees, for instance.  PHI must be returned upon termination of an agreement.  Also, if the covered entity signs an agreement that prevents it from ensuring the availability of its PHI, it is not in compliance.  Check your contracts!  See:

$400K Settlement for Breaches and Not Having BA Agreements

On September 23, 2016, the US Department of Health and Human Services Office for Civil Rights announced a settlement with Care New England Health System (CNE), on behalf of each of the covered entities under its common ownership or control, for the loss of a backup tape with information on 14,000 individuals, without an up-to-date Business Associate Agreement in place for handling the tapes.  Even if you are in the same corporate family, if you have a BA relationship, you need a compliant BAA.  If HHS asks and you don’t have one, you will be in trouble.  Easy as that!  For the press release and settlement agreement, please see:  

NIST Releases SP 800-177 on Trustworthy E-mail

On September 16, 2016, NIST released Special Publication 800-177, Trustworthy Email, which covers and gives recommendations on state-of-the-art email security technologies to detect and prevent phishing and other malicious email messages.  Most of these technologies rely on publishing email infrastructure-related information in DNS, protected by DNSSEC, the security extensions to the established Domain Name System.  The guide was written for email administrators and for those developing security policies for an enterprise’s email infrastructure.  See:  
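Two of the DNS-published policies the guide leans on, SPF and DMARC, are easy to publish badly: an SPF record ending in "?all" or "+all" authorizes the world, and a DMARC record with "p=none" and no reporting address only watches spoofing happen.  As an added example, not NIST's code and not from the original post, here is a Python check of both record types run over constructed records for a fictional domain, a weak pair beside a hardened pair.  The limits follow RFC 7208 (ten DNS-lookup mechanisms) and RFC 7489 (DMARC tags); the records and host names are invented.  DKIM key checks and DANE, which the guide also covers, are out of scope here.

```python
"""Grade published SPF and DMARC TXT records against SP 800-177-style advice.

Added example over constructed records for a fictional domain; not NIST's code."""
from __future__ import annotations

import re

# Constructed records: a weak pair and a hardened pair (the domains are fictional).
WEAK = {
    "spf": "v=spf1 a mx include:_spf.mailer.example.net ?all",
    "dmarc": "v=DMARC1; p=none",
}
HARDENED = {
    "spf": "v=spf1 mx include:_spf.mailer.example.net -all",
    "dmarc": ("v=DMARC1; p=reject; rua=mailto:dmarc-rua@example.org; "
              "ruf=mailto:dmarc-ruf@example.org; adkim=s; aspf=s"),
}

# Terms that cost the receiver a DNS query; RFC 7208 section 4.6.4 caps them at 10.
LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10


def check_spf(record: str) -> list[str]:
    """Return findings for an SPF record (empty list = nothing to fix)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record does not start with v=spf1"]
    findings: list[str] = []
    lookups = 0
    all_qualifier = None
    for term in terms[1:]:
        qualifier = "+"                      # RFC 7208: the default qualifier is pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name = re.split(r"[:/=]", term, maxsplit=1)[0].lower()
        if name in LOOKUP_MECHS:
            lookups += 1
        if name == "ptr":
            findings.append("uses the deprecated 'ptr' mechanism")
        if name == "all":
            all_qualifier = qualifier
    if lookups > MAX_LOOKUPS:
        findings.append(f"{lookups} DNS-lookup mechanisms exceed the limit of {MAX_LOOKUPS}; "
                        "receivers return permerror")
    if all_qualifier is None:
        findings.append("no 'all' term: unlisted senders are neither failed nor soft-failed")
    elif all_qualifier in ("+", "?"):
        findings.append(f"'{all_qualifier}all' lets any host pass or stay neutral; "
                        "use -all (~all while rolling out)")
    return findings


def dmarc_tags(record: str) -> dict[str, str]:
    """Parse 'k=v; k=v' into a dict (tag names lower-cased)."""
    tags: dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def check_dmarc(record: str) -> list[str]:
    """Return findings for a DMARC record (empty list = nothing to fix)."""
    if not record.strip().lower().startswith("v=dmarc1"):
        return ["record does not start with v=DMARC1"]
    tags = dmarc_tags(record)
    findings: list[str] = []
    policy = tags.get("p")
    if policy is None:
        findings.append("missing required 'p' tag")
    elif policy == "none":
        findings.append("p=none only monitors: spoofed mail is still delivered "
                        "(move to quarantine, then reject)")
    if "rua" not in tags:
        findings.append("no 'rua' address: you get no aggregate reports to see who sends as you")
    pct = tags.get("pct", "100")            # RFC 7489: pct defaults to 100
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"pct={pct}: policy applies to only part of the mail stream")
    return findings


def assess(records: dict[str, str]) -> dict[str, list[str]]:
    """Findings per record type, omitting types with nothing to report."""
    results = {"spf": check_spf(records["spf"]), "dmarc": check_dmarc(records["dmarc"])}
    return {k: v for k, v in results.items() if v}


if __name__ == "__main__":
    for label, recs in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, assess(recs) or "no findings")
```

To run this against a live domain, fetch the TXT records for the domain and for _dmarc.<domain> with your resolver of choice and pass the strings in; the checks themselves do no network I/O.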

FTC Advises: Watch that Rental Car USB Port!

The Federal Trade Commission has advised people to be wary of using their smart phones with the USB ports in rental cars.  Cars can pull information out of your phone without your knowing it and can retain your contacts, etc. for the next renter.  Be sure to clear out your rental car’s memory when you turn it in!  See:  and  Always be careful using any USB ports you don’t control, in cars or at airports!

HHS Releases Updated HIPAA Security Risk Assessment Tool

In early September 2016, HHS Office of the National Coordinator for Health IT released an updated version of the HIPAA Security Risk Assessment Tool for Windows and iPad with new compatibility with Windows 10, and additional functionality for the iPad version.  For more information, see:  

HIMSS Releases 2016 Cybersecurity Survey Report

HIMSS has released its report on its 2016 Cybersecurity Survey which gathers information from a number of entities to develop a picture of the issues facing healthcare entities regarding cybersecurity, and some of the measures entities take to deal with the issues.  Available at:

HHS OCR Will Make More Investigations into Small Breaches

On August 18, 2016, the US Department of Health and Human Services Office for Civil Rights announced an “Initiative to More Widely Investigate Breaches Affecting Fewer than 500 Individuals”.  HHS regional offices will take on the load, and look into factors such as: 
• The size of the breach
• Theft of or improper disposal of unencrypted PHI
• Breaches that involve unwanted intrusions to IT systems (for example, by hacking)
• The amount, nature and sensitivity of the PHI involved
• Instances where numerous breach reports from a particular covered entity or business associate raise similar issues.  

OCR noted that regions may also consider the lack of breach reports affecting fewer than 500 individuals when comparing a specific covered entity or business associate to like-situated covered entities and business associates.  In other words, if everyone else like you reports breaches and you don’t, why not?

The press release will be available at:  

Advocate Health Care Ignores Security Rule = $5.5 million

The flood of HIPAA settlements continues.  On August 4, 2016, the US Department of Health and Human Services Office for Civil Rights announced a $2.75 million resolution agreement with Advocate Health Care for potential violations of the HIPAA Security Rule, in some cases leading to breaches, affecting four million people.  No complete RA, no physical controls at a data center, no BAA with a vendor holding PHI, and an unencrypted laptop stolen from an unlocked car overnight.  Let us count the violations!  Yes, it is a record settlement amount.  See:  

Annual NIST/OCR HIPAA Security Conference Announced

The NIST Information Technology Laboratory announced the next NIST/OCR HIPAA Security conference — Safeguarding Health Information: Building Assurance through HIPAA Security - 2016 — in Washington, DC, set for Wednesday and Thursday, October 19-20, 2016, at the Capital Hilton, and available by Webcast as well.  This is the ONLY conference that I ALWAYS attend every year — you get access to the best experts in a non-commercial setting, and insights you can gain nowhere else.  If you can, go, or at least attend the Webcast.  See:  

DHS Releases Cyber Incident Reporting Guide

On July 28, 2016, the US Department of Homeland Security released Cyber Incident Reporting:  A Unified Message for Reporting to the Federal Government, providing guidance on which Federal agencies and departments certain Cyber Incidents should be reported to.  Best to pay attention to this, if you suffer some kind of Cyber Incident!  The DHS page hosting the guidance is at:  and the guidance document is available at:  

HHS Issues New Guidance on HIPAA Audits and on Device IDs

On July 27, 2016, the HHS Office for Civil Rights provided new HIPAA Audit Guidance & FAQ on HIPAA and Unique Device Identifiers.

1) Guidance for 2016 HIPAA Desk Audits 

Covered entities received notification of their selection as the subjects of an Office for Civil Rights (OCR) desk audit of compliance with the HIPAA Security, Privacy and Breach Notification Rules on July 11, and were invited to participate in a webinar held on Wednesday, July 13, where OCR staff walked through the processes for the audit and expectations for their participation.  

To respond to questions, OCR developed three targeted guidance documents, available at  

 — One is a comprehensive question and answer listing.  

 — The second puts the specific audit document submission requests in context with the rule requirements and associated protocol audit inquiries, as well as the related questions asked by selected entities.  The entire protocols are available on the OCR website; for this guidance we extracted from those protocols the specific desk audit provisions, and added the audit inquiries and Q&A.  

 — Finally, OCR has posted the slides used in the webinar.  The guidance should be helpful to audited entities as well as other covered entities and business associates seeking assistance with improving their compliance with these important requirements of the HIPAA Rules.  

2) New FAQ: HIPAA and Unique Device Identifiers (Note: "Device Identifiers" is NOT a unique identifier — which one are you talking about?  Are you lost yet?  No?  Read on...)

OCR has posted a new FAQ on HIPAA and Unique Device Identifiers (UDI), which clarifies that the device identifier (DI) portion of a UDI can be part of a limited or de-identified data set as defined under HIPAA.  While the HIPAA Privacy Rule prohibits the inclusion of “device identifiers and serial numbers” in both limited data sets and data sets that are de-identified in accordance with the “de-identification safe harbor” provisions, the guidance explains that the DI portion of the UDI is not the type of “device identifier” to which these HIPAA Privacy Rule provisions refer.  (Oh Boy!  “Device Identifiers” that aren’t “Device Identifiers”!  Aren’t the regulations simple and unambiguous?  No, you say?)

You may find the new FAQ on OCR’s website at:

Ignoring Security Costs U Miss Med Center $2.75 million

On July 25, 2016, the US Department of Health and Human Services Office for Civil Rights announced a $2.75 million resolution agreement with University of Mississippi Medical Center for lack of attention to security, even after vulnerabilities and risks were noted.  The agreement announcement, available at:  cited a number of issues resulting in breaches and exposure of patient information.  Compliance would have been WAY cheaper than the agreement, shall we say. 

Joint Commission Says “Whoa!” to Removal of Texting Ban

On July 18, 2016, Health IT Security reported that the Joint Commission on Accreditation of Healthcare Organizations (JCAHO) has decided to delay the previously announced removal of a ban on the use of texting (even secure texting) for physician ordering.  Instead, they will wait for guidance to be developed by JCAHO and CMS to ensure texting is done correctly and aligns with the Medicare Conditions of Participation.  

The ban had been put in place because “texting applications were unable to verify the identity of the person sending the text or to retain the original message as validation of the information entered into the medical record,” the Commission stated.  See more at:

Insufficient Risk Analysis and Risk Management Cost $2.7m

On July 18, 2016, (cue Sonny and Cher music, The Beat Goes On) the US Department of Health and Human Services Office for Civil Rights announced a $2.7 million resolution agreement with Oregon Health and Science University for a variety of issues, including insufficient risk analysis and risk management, lack of encryption, lack of a Business Associate Agreement with a cloud vendor hosting PHI, and breaches causing harm to individuals.  

I’ve always maintained that academic medical centers are the most difficult institutions to bring into HIPAA compliance, and this is a perfect illustration.  

• The press release is available at:   
• The resolution agreement and corrective action plan are available at:  

FBI Issues Security Guidance for Healthcare Information

On July 13, 2016, Health Data Management reported that the FBI has issued guidance on best practices for protecting healthcare data, re-emphasizing some well-known precautions, but also including others that may not be widely used.  It is an excellent list to start with for your security improvement program that is essential today.  See:

HIPAA Audits for 167 Covered Entities Now Under Way

On July 11, 2016, the US Department of Health and Human Services Office for Civil Rights issued notices to the 167 HIPAA Covered Entities being audited in the round of 2016 desk audits.  If you are a CE and you have NOT been notified, you are not likely to be notified for a desk audit.  Some entities received a request for information on Privacy (in the areas of Notice of Privacy Practices and Access of PHI), and some received a request for information related to Risk Analysis and Risk Management under the Security Rule.  All received a request for a list of Business Associates and contact information.  

Information must be provided by July 22, 2016, and the process is expected to take roughly 90 days to complete for each entity (including time to respond to initial findings), with the program expected to be completed by the end of December 2016.

A selection of Business Associates will receive a desk audit in the fall, and there will still be some on-site audits for some Covered Entities yet to go.  Information on the HIPAA Audit Program is available at:  

HHS OCR Issues Fact Sheet on Dealing with Ransomware

On July 11, 2016, the HHS Office for Civil Rights released Fact Sheet: Ransomware and HIPAA, providing guidance to health care entities about what ransomware is and how good HIPAA compliance helps you deal with it, and indicates that a ransomware attack should be considered a breach, because control of the PHI has been compromised.  The fact sheet is available at:  

HIPAA Business Associate Gets $650K Settlement for Breach

On June 30, 2016, the US Department of Health and Human Services announced a $650,000 settlement agreement with Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) for potential violations of the HIPAA Security Rule after the theft of an unprotected CHCS iPhone compromised the PHI of hundreds of nursing home residents.  

The iPhone was unencrypted and was not password protected.  The information on the iPhone was extensive, and included social security numbers, information regarding diagnosis and treatment, medical procedures, names of family members and legal guardians, and medication information.  At the time of the incident, CHCS had no policies addressing the removal of mobile devices containing PHI from its facility or what to do in the event of a security incident; OCR also determined that CHCS had no risk analysis or risk management plan.  In determining the resolution amount, OCR considered that CHCS provides unique and much-needed services in the Philadelphia region. 

Information on the settlement agreement is available at  

HHS Issues Ransomware Guidance for Healthcare Entities

In June, 2016, HHS issued new guidance on the protection of healthcare organizations from Ransomware attacks.  The guidance explains what Ransomware is, how to protect your networks from it, and how to respond to it.

An article on the guidance is available in Becker’s Hospital Review, at  and the guidance is available at  

Illinois Adds Health Information to Data Breach Notification

In May 2016, Illinois enacted a law expanding the Illinois Data Breach Notification law to include health insurance and medical information, beginning in 2017.  Note that the law is not limited to HIPAA-covered information; it also includes apps and Web sites that may be outside of HIPAA control.  Flexible notification is also included in the new law, providing more options in notification.

Perhaps most significantly, the law also includes requirements to “implement and maintain reasonable security measures,” including the addition of data security provisions to contracts that disclose personal information to another entity.  It’s time to review the SANS Top 20 Critical Security Controls, as that is becoming the accepted baseline for information security.

The news story in Health IT Security is available at:  and the Top 20 Critical Security Controls are available at:  

Watch That Public USB Outlet!  It could attack your device

In an article published June 1, 2016, the Sydney (Australia) Morning Herald reported that Kaspersky Lab warns that public USB outlets could transmit malicious code and be used for nefarious purposes.  After all, come to think of it, you wouldn’t let someone plug in their USB device to your network because of the risks; why would it be any safer to use a public USB charger?

See the article at:  

One solution: Using a cable or adapter that blocks data transfer and ONLY can be used for charging.  Much lighter and more portable than a power cube!  See:  

HHS OCR Adds Guidance re Fees for Electronic Records Access

On May 24, 2016, the US Department of Health and Human Services Office for Civil Rights issued an update to their guidance on Access of PHI by Individuals, further explaining the use of a $6.50 flat fee for electronic copies of records, and when that fee may or may not be appropriate.  The update is integrated into the Q&A section of the guidance, and is available within the guidance directly at:  while the guidance remains available at  

Steps for Prevention of Ransomware Attacks — Do these now!

On May 16, 2016, Health Data Management magazine’s Web site published a very useful, practical guide to preventing ransomware attacks by such means as:
  • Developing a plan for an end-user awareness program and implementing it across the hospital
  • Reviewing the server backup processes and evaluating users' network drive permissions
  • Auditing user privilege roles
  • Disabling macro scripts from MS Office files
  • Reviewing monthly patch management processes and inbound spam and malware protection
  • Installing a next-generation firewall and advanced endpoint protection

Go to the site, copy the entire list, and get to work, right now.  See:  

OCR Issues Cyber-Awareness Update on Business Associates

On May 3, 2016, the US Department of Health and Human Services Office for Civil Rights issued a Cyber-Awareness Monthly Update regarding the topic, Is Your Business Associate Prepared for a Security Incident?  The guidance indicates that entities should consider:
• Ensuring that agreements define appropriate uses and disclosures and include requirements to report any other use or disclosure including breaches
• Including in agreements the timeframe for reporting any incidents
• Identifying what must be included in any breach or incident reports
• Ensuring all workforce members are trained and Business Associate privacy and security practices are adequate

Additional details are provided.  The update is available via subscription from HHS OCR (see ), and the current update is available at a number of locations, including:  

Joint Commission Says Secure Texting OK for Orders, but…

On April 29, 2016, the Joint Commission released an update on its position on the use of texting for orders, in its May 2016 issue of Joint Commission Perspectives.  The update indicates the use of secure texting services for management of orders is acceptable practice, with some caveats.  The required components of an order must be included, and the messaging platform should include
• a secure sign-on process,
• encrypted messaging,
• delivery and read receipts,
• date and time stamp,
• customized message retention time frames, and
• a specified contact list for individuals authorized to receive and record orders

Communications must be documented, and organizations should:
• Develop an attestation documenting the capabilities of their secure text messaging platform
• Define when text orders are or are not appropriate
• Monitor how frequently texting is used for orders
• Assess compliance with texting policies and procedures
• Develop a risk management strategy and perform a risk assessment
• Conduct training for staff, licensed independent practitioners, and other practitioners on applicable policies and procedures

The update is available from the Joint Commission at:  and an article on the topic in is available at:  

Verizon 2016 Data Breach Investigations Report Released

Verizon Enterprise Solutions has released to insiders the ninth Data Breach Investigations Report, pulling together incident data from around the world to reveal insights based on over 100,000 incidents from 82 countries, including analysis of 2,260 confirmed data breaches.  Highlights include:
• 89% of breaches had a financial or espionage motive.
• Over 85% of all of security incidents fit into just nine categories.
• The biggest risks you face and what attacks look like.
• Practical steps you can take today to better protect your data.

Healthcare was listed as a top industry for issues in the categories of Insider and Privilege Misuse, Miscellaneous Errors, Physical Theft and Loss, and Everything Else.  As to the issue of Physical Theft and Loss, they offer the following haiku:

Employees lose things
Bad guys also steal your stuff
Full disk encryption

This is one of the most useful, practical, readable guides to dealing with current security and data breach issues and should be required reading in every IT department.  See:  

NY Presbyterian Gets $2.2 million Settlement for Allowing TV Crews to Film in the ED

The beat goes on!  On April 21, 2016, the US Department of Health and Human Services Office for Civil Rights announced that it had reached a $2.2 million settlement with New York Presbyterian Hospital (NYP) for the egregious disclosure of two patients’ PHI to film crews and staff during the filming of “NY Med,” an ABC television series, without first obtaining authorization from the patients.  In particular, OCR found that NYP allowed the ABC crew to film someone who was dying and another person in significant distress, even after a medical professional urged the crew to stop.

OCR also found that NYP failed to safeguard protected health information and allowed ABC film crews virtually unfettered access to its health care facility, effectively creating an environment where PHI could not be protected from impermissible disclosure to the ABC film crew and staff.

What were they thinking? How could this possibly be seen as OK?  Does anyone work in Compliance?  Academic medical centers tend to be out of control because of their complexity in responsibility and governance but this takes the cake. 

The announcement and agreement, and a link to a FAQ page on Media Access to PHI are available at  

FTC/OCR/ONC/FDA Release Developer Tool for Apps and Regs

On April 15, 2016, the Federal Trade Commission (FTC) announced a new web-based tool to help developers of health-related mobile apps understand what federal laws and regulations might apply to them.  The FTC developed the tool in conjunction with OCR, the HHS Office of the National Coordinator for Health Information Technology (ONC), and the Food and Drug Administration (FDA).

Based on the developer’s answers to a series of questions about the app, the guidance tool will point the developer toward information about federal laws that might apply, including the FTC Act, the FTC’s Health Breach Notification Rule, HIPAA, and the Federal Food, Drug and Cosmetics Act (FD&C Act).

Developers seeking more information about how the HIPAA Rules might apply to their apps should visit OCR’s health app developer portal.  One new resource on the portal is Health App Use Scenarios and HIPAA, which analyzes whether HIPAA applies to a range of example health app scenarios and offers questions to consider in determining when HIPAA’s regulations cover a particular health app. 

$750K Settlement for Lack of a Business Associate Agreement

On April 20, 2016, the US Department of Health and Human Services Office for Civil Rights announced that Raleigh Orthopaedic Clinic, P.A. of North Carolina (Raleigh Orthopaedic) has agreed to pay $750,000 for potential Privacy Rule violations by handing over protected health information (PHI) for approximately 17,300 patients to a potential business partner without first executing a business associate agreement, leaving this sensitive health information without safeguards and vulnerable to misuse or improper disclosure.  OCR initiated its investigation of Raleigh Orthopaedic following receipt of a breach report on April 30, 2013.  

In addition to the $750,000 payment, Raleigh Orthopaedic is required to revise its policies and procedures for managing business associate relationships, in an extensive Corrective Action Plan.

See the Bulletin and Resolution Agreement at  

HHS Releases New HIPAA Audit Protocol, Virtually Unusable!

On April 1, 2016, and I hope it wasn’t an April Fool’s joke, the US Department of Health and Human Services Office for Civil Rights updated their HIPAA Audit Protocol for the new HIPAA Audit Program, much to my, and others’ no doubt, frustration.  The old format allowed you to easily copy and paste the protocol into a spreadsheet so you could actually USE it, but no such luck with the new one, because the formatting on the Web site makes it virtually unusable, and impossible to easily paste into Excel in a usable way.  

THANKS HHS!  What a miserable job.  What an embarrassment.  They didn’t even announce the new page, and, by the way guys, if it’s not ready, DON’T POST IT.  You can’t even download an Excel copy.  If you look at the site and try to use it, you’ll see what I mean.  It looks like it might be a great tool for preparing for audits but NOT IN ITS CURRENT UNUSABLE FORMAT.  If you’d like to be as frustrated as I am about this, see  If you’d like to submit comments (and you can imagine the one I submitted) send an e-mail to .  PLEASE FIX THIS, HHS!  No joke!  (Yes, Jim, but what do you REALLY think?)

NIST Releases 2nd Draft of SP 800-177, on Trustworthy Email

On March 30, 2016, the National Institute of Standards and Technology released the second draft of the new Special Publication 800-177, focusing on how plain old insecure e-mail can be remade into Trustworthy E-mail.  This is an incredibly useful document for anyone slightly technically oriented, as it does cover a lot of technical topics but is very approachable, with several very real, very actionable security recommendations.  In this day and age, we ALL need to understand how encrypted email can work, and this SP does a great job of explaining the various protocols and processes behind bringing e-mail into the 21st century.

This is HIGHLY RECOMMENDED READING for anyone wrestling with securing e-mail.  Available at:  Comments on the new draft may be submitted until April 29, 2016 via e-mail to .

2016 HIPAA Audit Program Announced, Saying Not Much New

On March 21, 2016, the US Department of Health and Human Services Office for Civil Rights announced the launch of its 2016 HIPAA Audit Program, providing almost no information that was not already widely believed to be the case.  It hasn’t yet begun, the HIPAA Audit Protocol is not yet updated, and the start of any audits is still a “few months” away.  Yes, Business Associates will be targeted as well as Covered Entities, in “round two,” following the audits of Covered Entities.  Yes, the audits will be, for the most part, desk audits limited to selected areas of the rules, completed within 30 days, but there may be field audits as well.

Perhaps the most useful information is that contact will be made via e-mail from HHS OCR, so make sure your spam filter doesn’t toss them!  If you don’t reply to the e-mail, you may still be selected anyway.  And, the entire process will be completed by December 31, 2016.

The non-announcement is available at  and the HHS OCR page on the topic (with lots of actually useful Q&A) is available at:  

Two More Laptop-Related Settlements, re a BA, and Research

On March 16 and 17, 2016, the US Department of Health and Human Services Office for Civil Rights announced new resolution agreements related to the loss or theft of laptop computers, one in the hands of a HIPAA Business Associate and one managed by a research organization.  

North Memorial Health Care of Minnesota did not have an appropriate Business Associate agreement with a major contractor, and had not adequately performed a risk analysis prior to the BA's loss of a laptop full of patient information — $1.55 million settlement and corrective action plan.  See:  

Feinstein Institute for Medical Research did not implement appropriate security precautions or perform a complete risk analysis for HIPAA compliance and lost a laptop via theft from an employee — $3.9 million settlement and a corrective action plan.  See:  

In case you missed the memo, it’s a really good idea to encrypt all portable devices containing any PHI!

CIRCL Releases Guidance on Ransomware Defense & Response

On February 23, 2016, the Computer Incident Response Center Luxembourg (CIRCL) released TR-41 Crypto Ransomware - Proactive defenses and incident response, a guide to defending against and recovering from Crypto Ransomware attacks.  The guidance provides actionable measures to prevent and repel ransomware incidents.  Highly recommended reading for all!  See:  

HHS OCR Updates Access Guidance with New Q&As regarding Fees for Providing Copies of PHI

On February 25, 2016, the US Department of Health and Human Services Office for Civil Rights updated its guidance on the rights of individuals to access their PHI with an additional set of questions and answers, dealing with fees charged for providing access.  The announcement is available at:  and the guidance is available at

HHS OCR Releases Crosswalk for HIPAA Security vs. NIST Cybersecurity Framework

On February 24, 2016, the US Department of Health and Human Services Office for Civil Rights released a crosswalk between the HIPAA Security Rule and the NIST Cybersecurity Framework to show how the HIPAA Security Rule compares with the NIST Cybersecurity Framework and other security regulations.  For organizations needing to meet multiple security requirements, the crosswalk simplifies compliance by showing where requirements overlap.  See the announcement, with a link to the crosswalk, at:  

$25K Settlement for Posting Pictures Without Authorizations

On February 16, 2016, the US Department of Health and Human Services Office for Civil Rights announced a resolution agreement for $25,000 with Complete P.T., Pool & Land Physical Therapy, Inc., operating in the Los Angeles area, for posting patient photographs and testimonials on its website without obtaining a valid HIPAA Authorization, and for not having appropriate policies and procedures for handling the authorization process.  See the announcement and resolution agreement at:  

HHS OCR Announces Guidance for Health App Developers

In February, 2016, the US Department of Health and Human Services Office for Civil Rights announced new guidance on the application of HIPAA rules to App Developers, and describes the typical circumstances when one may or may not be considered a HIPAA Business Associate.  The guidance is available at:  

HHS Announces Proposed Rules to Modify 42 CFR Part 2 Restrictions

On February 5, 2016, the US Department of Health and Human Services announced new proposed regulations for Confidentiality of Alcohol and Drug Abuse Patient Records, 42 CFR Part 2. The goal of the proposed changes is to facilitate information exchange within new health care models while addressing the legitimate privacy concerns of patients seeking treatment for a substance use disorder.  The press release is available at:  
The proposed rules, published in the Federal Register February 9, 2016, are at:  
The comment period is open until April 11, 2016.

New HHS Fact Sheets on Exchange of PHI for Treatment and Operations

On February 4, 2016, the US Department of Health and Human Services announced, via its blog, that it had released two fact sheets concerning Permitted Uses and Disclosures for the Exchange of Protected Health Information for purposes of Treatment and for purposes of Health Care Operations, in order to clarify HIPAA regulations and help enable permissible uses and disclosures under the rules.  
• The blog entry is at 
• The fact sheet on Exchange for Treatment is at 
• The fact sheet on Exchange for Health Care Operations is at  

According to the blog post, this is the first in a series of postings of new guidance meant to clear confusion about HIPAA and promote proper compliance.  "Blog #2 will be background on HIPAA’s Permitted Uses and Disclosures: what they are, and how they advance the national goal of interoperability. Blog #3 will give examples of exchange of health information for Care Coordination, Care Planning, and Case Management, both between providers, and between provider and payers. Finally, Blog #4 will give examples of interoperable, permissible exchange of PHI for Quality Assurance and Population-Based Activities, including via a health information exchange.” 

HHS OCR Announces Fine for Insecure Handling of Paper PHI

On February 3, 2016, the US Department of Health and Human Services Office for Civil Rights announced that an HHS Administrative Law Judge (ALJ) has ruled that Lincare, Inc. (Lincare) violated the HIPAA Privacy Rule and granted summary judgment to OCR on all issues, requiring Lincare to pay $239,800 in civil money penalties.  This is only the second time in its history that OCR has sought CMPs for HIPAA violations, and each time the CMPs have been upheld by the ALJ. 

From the press release: "OCR’s investigation of Lincare began after an individual complained that a Lincare employee left behind documents containing the protected health information (PHI) of 278 patients after moving residences.  Evidence established that this employee removed patients’ information from the company’s office, left the information exposed in places where an unauthorized person had access, and then abandoned the information altogether.  Over the course of the investigation, OCR found that Lincare had inadequate policies and procedures in place to safeguard patient information that was taken offsite, although employees, who provide health care services in patients’ homes, regularly removed material from the business premises. Further evidence indicated that the organization had an unwritten policy requiring certain employees to store protected health information in their own vehicles for extended periods of time.  Although aware of the complaint and OCR’s investigation, Lincare subsequently took only minimal action to correct its policies and strengthen safeguards to ensure compliance with the HIPAA Rules.” 

The two messages here: Take proper care of paper records, and don’t ignore HHS Office for Civil Rights.

The Notice of Proposed Determination and the ALJ’s opinion may be found on the OCR website at

HHS OIG Report Says Utah Medicaid Systems Had Weaknesses

On February 2, 2016 FierceHealthIT reported that the HHS Office of Inspector General had completed a report in January entitled: INADEQUATE SECURITY MANAGEMENT PRACTICES LEFT UTAH DEPARTMENT OF HEALTH SENSITIVE MEDICAID DATA AT RISK OF UNAUTHORIZED DISCLOSURE.  Once again, the OIG pretty much says it all right there in the title.  This is a study of what happened when a contractor for Utah IT put up a server insecurely and 780,000 people in Utah had their PHI hacked.  The population of Utah is only 2.9 million, so that’s 29% of the state affected.  The news report is at  

The OIG Report is at:  

A report on the Utah Breaches is available at:   

FDA Provides Cybersecurity Recommendations for Medical Devices

On January 15, 2016 the US Food and Drug Administration (FDA) announced draft guidance on important steps medical device manufacturers should take to continually address cybersecurity risks to keep patients safe and better protect the public health. The draft guidance details the agency’s recommendations for monitoring, identifying and addressing cybersecurity vulnerabilities in medical devices once they have entered the market.  The announcement is available at:  and the guidance, posted January 22, 2016, is available at:  

In October 2014, the FDA issued guidance for medical device manufacturers regarding building cybersecurity into their product from the beginning of the development process, available at:  

HIMSS Announces its Healthcare Cybersecurity Community

On January 19, 2016, HIMSS launched its Healthcare Cybersecurity Community for its members, which will provide a forum where healthcare constituents can discuss and learn about advancing the state of cybersecurity in the healthcare industry.

Participation in the community will include monthly discussions via WebEx with healthcare cybersecurity thought-leaders and discussion with peers in the healthcare sector.  In addition, members of the Healthcare Cybersecurity Community can engage and dialogue with each other through a dedicated ListServ.

January Webinar Information: The first Healthcare Cybersecurity Community webinar will occur on January 28, 2016 from 2-3 PM ET.  The speaker will be Kevin A. McDonald, BSN, MEPD, GCIS, CISSP, Director of Clinical Information Security at the Office of Information Security of Mayo Clinic.  He will discuss how healthcare providers can effectively address today’s people, process, and technology challenges as they pertain to cybersecurity.  Mr. McDonald will also discuss best practices and reference standards which may be helpful in overcoming these challenges.  Registration information for this event, along with other details about the community, can be found on the HIMSS Cybersecurity Community web site, at

How to join the community (you must be a member of HIMSS):
1. Log into the HIMSS member portal at
2. Under the “My Involvement” tab, click on the "Edit Participations” button.
3. Select "Healthcare Cybersecurity Community" and click on the “Save” button.

After you have completed steps 1 through 3, you will be automatically added to the HIMSS Healthcare Cybersecurity Community itself as well as the ListServ. 

Report Shows 84% of Mobile Health Apps Are Insecure

On January 13, 2016, Healthcare IT News reported that a new report shows 84 percent of U.S. FDA-approved health apps tested by IT security vendor Arxan Technologies did not adequately address at least two of the Open Web Application Security Project (OWASP) top 10 risks.  Most health apps are susceptible to code tampering and reverse-engineering, and 95% of the FDA-approved apps lack binary protection and have insufficient transport layer protection, leaving them open to hacks that could result in privacy violations, theft of personal health information, as well as device tampering and patient safety issues.  The article is available at:  

HHS Issues Guidance on Individuals’ Right of Access to PHI

On January 7, 2016, the US Department of Health and Human Services issued new guidance on individuals’ right to access their health information.  The guidance includes general information and specifics about the details of proper implementation, and also includes an extensive Q&A section providing additional information.  If this guidance is an indication of the quality of information we should expect from HHS on the Web, it’s a good sign.  If you have questions on providing access under HIPAA, look here first.  

By the way, this new guidance is provided on the completely revamped HHS Web site, which is now much easier to use and search for information, even on your smart phone.  Happy exploring!  (Yes, I have good things to say about the HHS Web site!)

HIPAA Rule Issued to Ease Reporting to the NICS re Firearms

On January 6, 2016, a new rule was published in the Federal Register to modify HIPAA §164.512, adding a new section (k)(7) to allow use or disclosure of PHI for purposes of reporting to the National Instant Criminal Background Check System the identity of an individual who is prohibited from possessing a firearm.  Disclosures may include only the limited demographic and certain other information needed for purposes of reporting to the NICS, and may not include diagnostic or clinical information.  The new rule is available at:  

Copyright © 2002-2020 Lewis Creek Systems, LLC, Charlotte, Vermont, USA