Privacy, Security, and Compliance News

Illinois Adds Health Information to Data Breach Notification

In May 2016, Illinois enacted a law expanding the Illinois Data Breach Notification law to include health insurance and medical information, beginning in 2017.  Note that the law is not limited to HIPAA-covered information; it also includes apps and Web sites that may be outside of HIPAA control.  Flexible notification is also included in the new law, providing more options in notification.

Perhaps most significantly, the law also includes requirements to “implement and maintain reasonable security measures,” including the addition of data security provisions to contracts that disclose personal information to another entity.  It’s time to review the SANS Top 20 Critical Security Controls, as that is becoming the accepted baseline for information security.

The news story in Health IT Security is available at:  and the Top 20 Critical Security Controls are available at:  

Watch That Public USB Outlet!  It could attack your device

In an article published June 1, 2016, the Sydney (Australia) Morning Herald reported that Kaspersky Lab warns that public USB outlets could transmit malicious code and be used for nefarious purposes.  After all, come to think of it, you wouldn’t let someone plug in their USB device to your network because of the risks; why would it be any safer to use a public USB charger?

See the article at:  

One solution: Use a cable or adapter that blocks the data lines and can ONLY be used for charging.  Much lighter and more portable than a power cube!  See:  

HHS OCR Adds Guidance re Fees for Electronic Records Access

On May 24, 2016, the US Department of Health and Human Services Office for Civil Rights issued an update to their guidance on Access of PHI by Individuals, further explaining the use of a $6.50 flat fee for electronic copies of records, and when that fee may or may not be appropriate.  The update is integrated into the Q&A section of the guidance, and is available within the guidance directly at:  while the guidance remains available at  

Steps for Prevention of Ransomware Attacks — Do these now!

On May 16, 2016, Health Data Management magazine’s Web site published a very useful, practical guide to preventing ransomware attacks by such means as:
• Developing a plan for an end-user awareness program and implementing it across the hospital
• Reviewing the server backup processes and evaluating users' network drive permissions
• Auditing user privilege roles
• Disabling macro scripts from MS Office files
• Reviewing monthly patch management processes and inbound spam and malware protection
• Installing a next-generation firewall and advanced endpoint protection

Go to the site, copy the entire list, and get to work, right now.  See:  
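Of the steps above, disabling Office macros is the one you can verify from a script.  The PowerShell audit below is an added example, not code from the Health Data Management guide; it assumes Office 2013 (15.0) and/or 2016 (16.0) and reads the per-user Group Policy keys, and the helper names (Get-OfficeMacroPolicy, Test-MacroPolicyCompliant) are this example's own.

```powershell
# Added example (not from the Health Data Management guide or from Microsoft):
# audit whether Office macro-blocking policy is enforced for Word, Excel and PowerPoint.
# Assumption: policy is delivered by Group Policy, which writes to HKCU\Software\Policies.
$Apps     = @('Word', 'Excel', 'PowerPoint')
$Versions = @('15.0', '16.0')   # Office 2013 and Office 2016

function Get-OfficeMacroPolicy {
    param([string]$Version, [string]$App)
    $key = "HKCU:\Software\Policies\Microsoft\Office\$Version\$App\Security"
    # A missing key (app not installed, or no policy applied) yields $null values below.
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Version = $Version
        App     = $App
        # VBAWarnings: 1 = enable all macros, 2 = disable with notification,
        # 3 = disable all except digitally signed, 4 = disable all without notification
        VBAWarnings = $p.VBAWarnings
        # 1 = block macros in files carrying the Mark-of-the-Web (downloads,
        # e-mail attachments). Only Office 2016 (16.0) honours this value.
        BlockFromInternet = $p.blockcontentexecutionfrominternet
    }
}

function Test-MacroPolicyCompliant {
    param($Policy)
    # Compliant when macros are off or restricted to signed code, and, on 16.0,
    # Internet-sourced macros are blocked outright. Unset values fail the check.
    $vbaOk  = $Policy.VBAWarnings -in 3, 4
    $motwOk = ($Policy.Version -ne '16.0') -or ($Policy.BlockFromInternet -eq 1)
    return ($vbaOk -and $motwOk)
}

# Report one row per version/app pair; rows for versions that are not installed
# will show as non-compliant and can be filtered out by the reviewer.
$results = foreach ($v in $Versions) {
    foreach ($a in $Apps) { Get-OfficeMacroPolicy -Version $v -App $a }
}
$results |
    Select-Object Version, App, VBAWarnings, BlockFromInternet,
        @{ n = 'Compliant'; e = { Test-MacroPolicyCompliant $_ } } |
    Format-Table -AutoSize
```

Run it under the account whose policy you want to check; a row with an empty VBAWarnings column means no policy reached that user, which is the gap the guide's step is meant to close.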

OCR Issues Cyber-Awareness Update on Business Associates

On May 3, 2016, the US Department of Health and Human Services Office for Civil Rights issued a Cyber-Awareness Monthly Update regarding the topic, Is Your Business Associate Prepared for a Security Incident?  The guidance indicates that entities should consider:
• Ensuring that agreements define appropriate uses and disclosures and include requirements to report any other use or disclosure including breaches
• Including in agreements the timeframe for reporting any incidents
• Identifying what must be included in any breach or incident reports
• Ensuring all workforce members are trained and Business Associate privacy and security practices are adequate

Additional details are provided.  The update is available via subscription from HHS OCR (see and the current update is available at a number of locations, including:  

Joint Commission Says Secure Texting OK for Orders, but…

On April 29, 2016, the Joint Commission released an update on its position on the use of texting for orders, in its May 2016 issue of Joint Commission Perspectives.  The update indicates the use of secure texting services for management of orders is acceptable practice, with some caveats.  The required components of an order must be included, and the messaging platform should include
• a secure sign-on process,
• encrypted messaging,
• delivery and read receipts,
• date and time stamp,
• customized message retention time frames, and
• a specified contact list for individuals authorized to receive and record orders

Communications must be documented, and organizations should:
• Develop an attestation documenting the capabilities of their secure text messaging platform
• Define when text orders are or are not appropriate
• Monitor how frequently texting is used for orders
• Assess compliance with texting policies and procedures
• Develop a risk management strategy and perform a risk assessment
• Conduct training for staff, licensed independent practitioners, and other practitioners on applicable policies and procedures

The update is available from the Joint Commission at:  and an article on the topic in is available at:  

Verizon 2016 Data Breach Investigations Report Released

Verizon Enterprise Solutions has released to insiders the ninth Data Breach Investigations Report, pulling together incident data from around the world to reveal insights based on over 100,000 incidents from 82 countries, including analysis of 2,260 confirmed data breaches.  Highlights include:
• 89% of breaches had a financial or espionage motive.
• Over 85% of all of security incidents fit into just nine categories.
• The biggest risks you face and what attacks look like.
• Practical steps you can take today to better protect your data.

Healthcare was listed as a top industry for issues in the categories of Insider and Privilege Misuse, Miscellaneous Errors, Physical Theft and Loss, and Everything Else.  As to the issue of Physical Theft and Loss, they offer the following haiku:

Employees lose things
Bad guys also steal your stuff
Full disk encryption

This is one of the most useful, practical, readable guides to dealing with current security and data breach issues and should be required reading in every IT department.  See:  

NY Presbyterian Gets $2.2 million Settlement for Allowing TV Crews to Film in the ED

The beat goes on!  On April 21, 2016, the US Department of Health and Human Services Office for Civil Rights announced that it had reached a $2.2 million settlement with New York Presbyterian Hospital (NYP) for the egregious disclosure of two patients’ PHI to film crews and staff during the filming of “NY Med,” an ABC television series, without first obtaining authorization from the patients.  In particular, OCR found that NYP allowed the ABC crew to film someone who was dying and another person in significant distress, even after a medical professional urged the crew to stop.

OCR also found that NYP failed to safeguard protected health information and allowed ABC film crews virtually unfettered access to its health care facility, effectively creating an environment where PHI could not be protected from impermissible disclosure to the ABC film crew and staff.

What were they thinking? How could this possibly be seen as OK?  Does anyone work in Compliance?  Academic medical centers tend to be out of control because of their complexity in responsibility and governance but this takes the cake. 

The announcement and agreement, and a link to a FAQ page on Media Access to PHI are available at  

FTC/OCR/ONC/FDA Release Developer Tool for Apps and Regs

On April 15, 2016, the Federal Trade Commission (FTC) announced a new web-based tool to help developers of health-related mobile apps understand which federal laws and regulations might apply to them.  The FTC developed the tool in conjunction with OCR, the HHS Office of the National Coordinator for Health Information Technology (ONC), and the Food and Drug Administration (FDA).

Based on the developer’s answers to a series of questions about the app, the guidance tool will point the developer toward information about federal laws that might apply, including the FTC Act, the FTC’s Health Breach Notification Rule, HIPAA, and the Federal Food, Drug and Cosmetics Act (FD&C Act).

Developers seeking more information about how the HIPAA Rules might apply to their apps should visit OCR’s health app developer portal.  One new resource on the portal is Health App Use Scenarios and HIPAA, which analyzes whether HIPAA applies to a range of example health app scenarios and offers questions to consider in determining when HIPAA’s regulations cover a particular health app. 
$750K Settlement for Lack of a Business Associate Agreement

On April 20, 2016, the US Department of Health and Human Services Office for Civil Rights announced that Raleigh Orthopaedic Clinic, P.A. of North Carolina (Raleigh Orthopaedic) has agreed to pay $750,000 for potential Privacy Rule violations by handing over protected health information (PHI) for approximately 17,300 patients to a potential business partner without first executing a business associate agreement, leaving this sensitive health information without safeguards and vulnerable to misuse or improper disclosure.  OCR initiated its investigation of Raleigh Orthopaedic following receipt of a breach report on April 30, 2013.  

In addition to the $750,000 payment, Raleigh Orthopaedic is required to revise its policies and procedures for managing business associate relationships, in an extensive Corrective Action Plan.

See the Bulletin and Resolution Agreement at  

HHS Releases New HIPAA Audit Protocol, Virtually Unusable!

On April 1, 2016, and I hope it wasn’t an April Fool’s joke, the US Department of Health and Human Services Office for Civil Rights updated their HIPAA Audit Protocol for the new HIPAA Audit Program, much to my, and others’ no doubt, frustration.  The old format allowed you to easily copy and paste the protocol into a spreadsheet so you could actually USE it, but no such luck with the new one, because the formatting on the Web site makes it virtually unusable, and impossible to easily paste into Excel in a usable way.  

THANKS HHS!  What a miserable job.  What an embarrassment.  They didn’t even announce the new page, and, by the way guys, if it’s not ready, DON’T POST IT.  You can’t even download an Excel copy.  If you look at the site and try to use it, you’ll see what I mean.  It looks like it might be a great tool for preparing for audits but NOT IN ITS CURRENT UNUSABLE FORMAT.  If you’d like to be as frustrated as I am about this, see  If you’d like to submit comments (and you can imagine the one I submitted) send an e-mail to .  PLEASE FIX THIS, HHS!  No joke!  (Yes, Jim, but what do you REALLY think?)

NIST Releases 2nd Draft of SP 800-177, on Trustworthy Email

On March 30, 2016, the National Institute of Standards and Technology released the second draft of the new Special Publication 800-177, focusing on how plain old insecure e-mail can be remade into Trustworthy E-mail.  This is an incredibly useful document for anyone slightly technically oriented, as it does cover a lot of technical topics but is very approachable, with several very real, very actionable security recommendations.  In this day and age, we ALL need to understand how encrypted email can work, and this SP does a great job of explaining the various protocols and processes behind bringing e-mail into the 21st century.

This is HIGHLY RECOMMENDED READING for anyone wrestling with securing e-mail.  Available at:  Comments on the new draft may be submitted until April 29, 2016 via e-mail to .

2016 HIPAA Audit Program Announced, Saying Not Much New

On March 21, 2016, The US Department of Health and Human Services Office for Civil Rights announced the launch of its 2016 HIPAA Audit Program, providing almost no information that was not already widely believed to be the case.  It hasn’t yet begun, the HIPAA Audit Protocol is not yet updated, and the start of any audits is still a “few months” away.  Yes, Business Associates will be targeted as well as Covered Entities, in “round two,” following the audits of Covered Entities.  Yes, the audits will be, for the most part, desk audits limited to selected areas of the rules, completed within 30 days, but there may be field audits as well.

Perhaps the most useful information is that contact will be made via e-mail from HHS OCR, so make sure your spam filter doesn’t toss them!  If you don’t reply to the e-mail, you may still be selected anyway.  And, the entire process will be completed by December 31, 2016.

The non-announcement is available at  and the HHS OCR page on the topic (with lots of actually useful Q&A) is available at:  

Two More Laptop-Related Settlements, re a BA, and Research

On March 16 and 17, 2016, The US Department of Health and Human Services Office for Civil Rights announced new resolution agreements related to the loss or theft of laptop computers, one in the hands of a HIPAA Business Associate and one managed by a research organization.  

North Memorial Health Care of Minnesota did not have an appropriate Business Associate agreement with a major contractor, and had not adequately performed a risk analysis prior to the BA's loss of a laptop full of patient information — $1.55 million settlement and corrective action plan.  See:  

Feinstein Institute for Medical Research did not implement appropriate security precautions or perform a complete risk analysis for HIPAA compliance and lost a laptop via theft from an employee — $3.9 million settlement and a corrective action plan.  See:  

In case you missed the memo, it’s a really good idea to encrypt all portable devices containing any PHI!

CIRCL Releases Guidance on Ransomware Defense & Response

On February 23, 2016 the Computer Incident Response Center Luxembourg (CIRCL) released TR-41 Crypto Ransomware - Proactive defenses and incident response, a guide to defending and recovering from Crypto Ransomware attacks.  The guidance provides actionable measures to prevent and repel ransomware incidents.  Highly recommended reading for all!  See:  

HHS OCR Updates Access Guidance with New Q&As regarding Fees for Providing Copies of PHI

On February 25, 2016, The US Department of Health and Human Services Office for Civil Rights updated its guidance on rights of individuals to access their PHI with an additional set of questions and answers, dealing with fees charged for providing access.  The announcement is available at:  and the guidance is available at

HHS OCR Releases Crosswalk for HIPAA Security vs. NIST Cybersecurity Framework

On February 24, 2016, The US Department of Health and Human Services Office for Civil Rights released a crosswalk between the HIPAA Security Rule and the NIST Cybersecurity Framework to show how the HIPAA Security Rule compares with the NIST Cybersecurity Framework and other security regulations.  For organizations needing to meet multiple security requirements, the crosswalk simplifies compliance by showing where there are overlaps in requirements.  See the announcement, with a link to the crosswalk at:  

$25K Settlement for Posting Pictures Without Authorizations

On February 16, 2016, The US Department of Health and Human Services Office for Civil Rights announced a resolution agreement for $25,000 with Complete P.T., Pool & Land Physical Therapy, Inc., operating in the Los Angeles area, for posting patient photographs and testimonials without obtaining a valid HIPAA Authorization on its website, and for not having appropriate policies and procedures for handling the authorization process.  See the announcement and resolution agreement at:  

HHS OCR Announces Guidance for Health App Developers

In February, 2016, the US Department of Health and Human Services Office for Civil Rights announced new guidance on the application of HIPAA rules to App Developers, and describes the typical circumstances when one may or may not be considered a HIPAA Business Associate.  The guidance is available at:  

HHS Announces Proposed Rules to Modify 42 CFR Part 2 Restrictions

On February 5, 2016, the US Department of Health and Human Services announced new proposed regulations for Confidentiality of Alcohol and Drug Abuse Patient Records, 42 CFR Part 2. The goal of the proposed changes is to facilitate information exchange within new health care models while addressing the legitimate privacy concerns of patients seeking treatment for a substance use disorder.  The press release is available at:  
The Proposed rules published in the Federal Register February 9, 2016 are at:  
The comment period is open until April 11, 2016.

New HHS Fact Sheets on Exchange of PHI for Treatment and Operations

On February 4, 2016, the US Department of Health and Human Services announced, via its blog, that it had released two fact sheets concerning Permitted Uses and Disclosures for the Exchange of Protected Health Information for purposes of Treatment and for purposes of Health Care Operations, in order to clarify HIPAA regulations and help enable permissible uses and disclosures under the rules.  
• The blog entry is at 
• The fact sheet on Exchange for Treatment is at 
• The fact sheet on Exchange for Health Care Operations is at  

According to the blog post, this is the first in a series of postings of new guidance meant to clear confusion about HIPAA and promote proper compliance.  "Blog #2 will be background on HIPAA’s Permitted Uses and Disclosures: what they are, and how they advance the national goal of interoperability. Blog #3 will give examples of exchange of health information for Care Coordination, Care Planning, and Case Management, both between providers, and between provider and payers. Finally, Blog #4 will give examples of interoperable, permissible exchange of PHI for Quality Assurance and Population-Based Activities, including via a health information exchange.” 

HHS OCR Announces Fine for Insecure Handling of Paper PHI

On February 3, 2016, The US Department of Health and Human Services Office for Civil Rights announced that an HHS Administrative Law Judge (ALJ) has ruled that Lincare, Inc. (Lincare) violated the HIPAA Privacy Rule and granted summary judgment to OCR on all issues, requiring Lincare to pay $239,800 in civil money penalties.  This is only the second time in its history that OCR has sought CMPs for HIPAA violations, and each time the CMPs have been upheld by the ALJ. 

From the press release: "OCR’s investigation of Lincare began after an individual complained that a Lincare employee left behind documents containing the protected health information (PHI) of 278 patients after moving residences.  Evidence established that this employee removed patients’ information from the company’s office, left the information exposed in places where an unauthorized person had access, and then abandoned the information altogether.  Over the course of the investigation, OCR found that Lincare had inadequate policies and procedures in place to safeguard patient information that was taken offsite, although employees, who provide health care services in patients’ homes, regularly removed material from the business premises. Further evidence indicated that the organization had an unwritten policy requiring certain employees to store protected health information in their own vehicles for extended periods of time.  Although aware of the complaint and OCR’s investigation, Lincare subsequently took only minimal action to correct its policies and strengthen safeguards to ensure compliance with the HIPAA Rules.” 

The two messages here: Take proper care of paper records, and don’t ignore HHS Office for Civil Rights.

The Notice of Proposed Determination and the ALJ’s opinion may be found on the OCR website at

HHS OIG Report Says Utah Medicaid Systems Had Weaknesses

On February 2, 2016 FierceHealthIT reported that the HHS Office of Inspector General had completed a report in January entitled: INADEQUATE SECURITY MANAGEMENT PRACTICES LEFT UTAH DEPARTMENT OF HEALTH SENSITIVE MEDICAID DATA AT RISK OF UNAUTHORIZED DISCLOSURE.  Once again, the OIG pretty much says it all right there in the title.  This is a study of what happened when a contractor for Utah IT put up a server insecurely and 780,000 people in Utah had their PHI hacked.  The population of Utah is only 2.9 million, so that’s 29% of the state affected.  The news report is at  

The OIG Report is at:  

A report on the Utah Breaches is available at:   

FDA Provides Cybersecurity Recommendations for Medical Devices

On January 15, 2016 the US Food and Drug Administration (FDA) announced draft guidance on important steps medical device manufacturers should take to continually address cybersecurity risks to keep patients safe and better protect the public health. The draft guidance details the agency’s recommendations for monitoring, identifying and addressing cybersecurity vulnerabilities in medical devices once they have entered the market.  The announcement is available at:  and the guidance, posted January 22, 2016, is available at:  

In October 2014, the FDA issued guidance for medical device manufacturers regarding building cybersecurity into their product from the beginning of the development process, available at:  

HIMSS Announces its Healthcare Cybersecurity Community

On January 19, 2016, HIMSS launched its Healthcare Cybersecurity Community for its members, which will provide a forum where healthcare constituents can discuss and learn about advancing the state of cybersecurity in the healthcare industry.

Participation in the community will include monthly discussions via WebEx with healthcare cybersecurity thought-leaders and discussion with peers in the healthcare sector.  In addition, members of the Healthcare Cybersecurity Community can engage and dialogue with each other through a dedicated ListServ.

January Webinar Information: The first Healthcare Cybersecurity Community webinar will occur on January 28, 2016 from 2-3PM ET.  The speaker will be Kevin A. McDonald, BSN, MEPD, GCIS, CISSP, Director of Clinical Information Security at the Office of Information Security of Mayo Clinic.  He will discuss how healthcare providers can effectively address today’s people, process, and technology challenges as they pertain to cybersecurity.  Mr. McDonald will also discuss best practices and reference standards which may be helpful in overcoming these challenges.  Registration information for this event, along with other details about the community, can be found on the HIMSS Cybersecurity Community web site, at

How to join the community (you must be a member of HIMSS):
1. Log into the HIMSS member portal at
2. Under the “My Involvement” tab, click on the "Edit Participations” button.
3. Select "Healthcare Cybersecurity Community" and click on the “Save” button.

After you have completed steps 1 through 3, you will be automatically added to the HIMSS Healthcare Cybersecurity Community itself as well as the ListServ. 

Report Shows 84% of Mobile Health Apps Are Insecure

On January 13, 2016, Healthcare IT News reported that a new report shows 84 percent of U.S. FDA-approved health apps tested by IT security vendor Arxan Technologies did not adequately address at least two of the Open Web Application Security Project top 10 risks.  Most health apps are susceptible to code tampering and reverse-engineering, and 95% of the FDA-approved apps lack binary protection and have insufficient transport layer protection, leaving them open to hacks that could result in privacy violations, theft of personal health information, as well as device tampering and patient safety issues.  The article is available at:  

HHS Issues Guidance on Individuals’ Right of Access to PHI

On January 7, 2016, The US Department of Health and Human Services issued new guidance on individuals’ right to access their health information. The guidance includes general information and specifics about the details of proper implementation, and also includes an extensive Q&A section providing additional information.  If this guidance is an indication of the quality of information we should expect from HHS on the Web, it’s a good sign.  If you have questions on providing access under HIPAA, look here first.  

By the way, this new guidance is provided on the completely revamped HHS Web site, which is now much easier to use and search for information, even on your smart phone.  Happy exploring!  (Yes, I have good things to say about the HHS Web site!)

HIPAA Rule Issued to Ease Reporting to the NICS re Firearms

On January 6, 2016, a new rule was published in the Federal Register to modify HIPAA §164.512, adding a new section (k)(7) to allow use or disclosure of PHI for purposes of reporting to the National Instant Criminal Background Check System the identity of an individual who is prohibited from possessing a firearm.  Disclosures may include only the limited demographic and certain other information needed for purposes of reporting to the NICS, and may not include diagnostic or clinical information.  The new rule is available at:  

NIST Releases Report on De-Identification of Personal Info

On December 17, 2015, the National Institute of Standards and Technology announced a report on De-Identification of Personal Information, in NIST Internal Report 8053.  The report document summarizes two decades of de-identification research, discusses current practices, and presents opportunities for future research, including discussion of HIPAA methods for de-identification, and the effectiveness of the HIPAA Safe Harbor method.  The report is available at  If you are dealing with any issues of de-identifying PHI, READ THIS REPORT!

Also, see HHS’s guidance from 2012 on De-identification of PHI, available at:  

And the Hits Keep On Coming — New HIPAA RA Settlement

Looks like we’re really seeing the fruits of all that pressure on the HHS Office for Civil Rights to enforce HIPAA.  On December 14, 2015 HHS OCR announced a $750,000 settlement (and corrective action plan) with The University of Washington Medicine for not ensuring that Risk Analyses for its Affiliated Covered Entities were properly performed and not ensuring risks found were properly managed, as a result of a malware infection that led to a large breach of PHI.  The agreement and corrective action plan are available at:  

Pace of Settlements Increases — Two New Ones Announced

On November 25, 2015, the HHS Office for Civil Rights announced a settlement with Lahey Hospital and Medical Center of Burlington, Massachusetts, related to the theft of a laptop that was used as a medical device but was not included in the organization’s Risk Analysis, and widespread non-compliance with HIPAA revealed during the investigation, to the tune of $850,000 and a corrective action plan.  The agreement and plan are available at:  

Less than a week later, on November 30, 2015, HHS OCR announced a settlement with Triple-S Management Corporation for widespread non-compliance with HIPAA regulations in various subsidiaries, for a whopping $3.5 million plus a corrective action plan.  No, you can’t ignore the rules any longer.  The agreement and corrective action plan are available at:  

California Breach Notification Laws Beefed Up

On October 13, 2015, an article in Fierce Health IT indicated that California Governor Jerry Brown signed a new data breach notification law that defines encryption, describes the content of breach notices, and includes data captured by automated license plate readers.  The article is available at:  

OCR, FDA Security Enforcement in OIG 2016 Work Plan

In its FY 2016 Work Plan, the HHS Office of Inspector General plans to more closely scrutinize federal regulators' oversight of the security controls that healthcare providers and business associates use to protect electronic patient information. It also will review FDA oversight of medical device cybersecurity.  The FY 2016 Work Plan is available at:  An article on the Work Plan in GovInfo Security is available at:  

MS Office 2016 Includes New Data Privacy Features

On October 9, 2015, Healthcare IT News reported that the new release of MS Office 2016 includes several features geared toward healthcare providers including PHI recognition, smart attachments, encryption, single sign-on, and authentication, and more.  The article is at:  

Another Settlement, News from NIST/OCR HIPAA Love-Fest

On September 2, 2015 at the annual NIST/OCR HIPAA Security conference in Washington, DC, the latest in the increasing number of HIPAA settlements was announced, this time for a doctor’s group with an unencrypted laptop and backup media that were stolen from an employee’s car, and not having performed HIPAA Security Rule activities such as a Risk Analysis, for $750K plus a corrective action plan.  The settlement and press release are available at:  

The word ENCRYPTION was emphasized by many of the speakers at the annual official NIST/OCR HIPAA Security conference, and the sessions will be available for public consumption at the conference web site:    Let me explain: this is the only conference I attend every year without fail because you can hear from, speak with, and ask questions of all the top people at HHS who deal with HIPAA, and then some.  The sessions are definitely worth watching.  You will learn a LOT!  I learned a lot of details behind the headlines that you can read in any Health IT newsletter, which I will be sharing in an Occasional Client Update newsletter soon.

OCR Releases Handy Guide on HIPAA - Loads of Resource Links

In late July, 2015, the HHS Office for Civil Rights released a handy guide, HIPAA Basics for Providers: Privacy, Security, and Breach Notification Rules, that is a nice summary of how HIPAA applies and what is necessary for compliance at a basic level, and also includes a number of very useful links to other guidance.  

If you’re just getting started in HIPAA, this is a good way to get a basic understanding of HIPAA and then look at the linked guidance for more.  See:

NIST Releases Draft Guidance for Health Info & Mobile Devices

On July 23, 2015, the National Cybersecurity Center of Excellence (NCCoE) released for public comment a draft step-by-step guide (the first in a new series) that demonstrates how health care providers can make mobile devices, such as smartphones and tablets, more secure, in order to better protect patient information while still taking advantage of advances in communications technology.

Securing Electronic Records on Mobile Devices provides IT implementers and security engineers with a detailed architecture so that they can copy, or recreate with different but similar technologies, the security characteristics of the guide. It also maps to standards and best practices from NIST and others, and to Health Insurance Portability and Accountability Act (HIPAA) rules. The guide takes into account the need for different types of implementation for different circumstances such as when cyber security is handled in-house or is outsourced.

Comments on the draft are requested by September 25, 2015.

The NIST press release is available at:  

An article in ComputerWorld on the draft guidance is available at:  

The draft document, a web form and a template for comments are available at  

Take note!  This is incredibly useful information, to say the least, and if you have any comments, please submit them so it can be even better.

$218K Settlement for Internet-based File Sharing with no RA

On July 10, 2015, the US Department of Health and Human Services Office for Civil Rights announced a $218,000 monetary settlement and corrective action plan with St. Elizabeth’s Medical Center in Brighton, Mass., for using a Web-based document sharing application without having performed a risk analysis, and for a breach involving an unencrypted personal laptop and flash memory device of a former employee containing PHI.  

The corrective action plan includes a thorough self-assessment of compliance, unannounced inspections of compliance and portable devices, and regular compliance progress reports to HHS.  The settlement announcement, agreement, and action plan are available at:  

The lesson here?  Do your risk analysis before using new technologies, train your staff well, and encrypt all laptops or portable devices with any PHI!

Oregon Breach Law to Include Health Information as of 1/1/16

According to a report in Becker Hospital Review, as of January 1, 2016, Oregon's Consumer Identity Theft Protection Act of 2007 will include mandatory notification for individuals whose personal health information is breached, as a result of the passage of Senate Bill 601.  On that date, the definition of sensitive identifying information will expand to include the following:
• Biometrics
• Health insurance policy numbers
• Unique identifiers of any kind used by health 
• Medical information history
• Any information about mental or physical conditions
• Information about a healthcare professional's medical diagnosis or treatment of an individual

The law also requires that the state attorney general be notified in the event of a breach of personal information involving 250 or more individuals.

The story is available at:  and Oregon Senate Bill 601 is available at:  

Annual NIST/OCR HIPAA Security Conference Announced

On July 8, 2015, the National Institute of Standards and Technology announced the 8th Annual Safeguarding Health Information: Building Assurance through HIPAA Security Conference, set for September 2-3, 2015 at the Grand Hyatt hotel in Washington, DC.  If you are a HIPAA specialist, you MUST attend this if you go anywhere this year.

The conference will explore the current health information technology security landscape and the HIPAA Security Rule, with practical strategies, tips and techniques for implementing the HIPAA Security Rule, and offer sessions exploring security management and technical assurance of electronic health information. Presentations will cover a variety of current topics including updates on the Omnibus HIPAA/HITECH Final Rule, breach management, business associate liability, managing 3rd party risk, securing medical devices, and more.

Participants can choose to participate on-site, or through a live web cast.  All registrations include access to archived webcast presentations and materials.  For more information and registration, please see:  

Dates Set for Annual NIST/OCR HIPAA Security Conference

On June 11, 2015, Lewis Creek Systems learned through reliable sources that the dates for this year’s NIST/OCR HIPAA Security Conference will be September 2 and 3, 2015, and will be held at the Grand Hyatt in D.C.  Sources indicated that a “save-the-date” announcement would be forthcoming within the week.

This is the only conference that I insist on attending every year, with all the leading experts and authorities from healthcare, NIST, and HHS in attendance or presenting.  I highly recommend watching for the announcement and attending.

HHS OIG Refines 2015 Work Plan and Adds New EHR Issues

On June 8, 2015, FierceHealthIT reported that the US Department of Health and Human Services Office of the Inspector General has updated its work plan, adding several new items and removing some as well.  

OIG will review the use of EHRs by accountable care organizations to coordinate care, will review the extent that providers participating in ACOs in the Medicare Shared Savings Program use EHRs to exchange health information to achieve their care coordination goals, and assess providers' use of EHRs to identify best practices and possible challenges in their progression toward interoperability.

OIG will also review EHR contingency planning required by HIPAA, whether providers that received Medicare and/or Medicaid Meaningful Use incentive payments were entitled to the money, and whether covered entities are adequately securing electronic PHI created or maintained by certified EHR technology.  OIG specifically states that hospitals must conduct security risk analyses.

The updated plan no longer includes a review of whether business associates also are adequately securing electronic patient protected health information and no longer includes a review of CMS' oversight of hospitals' security controls over networked medical devices. 

The story is available at:  

2015 HIPAA Audits Appear to be Getting Started, Finally

On May 22, 2015, FierceHealthIT reported that HHS has begun verifying contact information for HIPAA Covered Entities who could be selected for the Phase 2 HIPAA Audits called for by the HITECH Act.  Additional information is expected, and HHS advised watching its website for announcements.

Supposedly 550 to 800 entities will receive or have received surveys to determine their appropriateness for an audit, and 350 covered entities and 50 business associates are expected to be audited, according to reports.

The article is available at:  

New HIPAA Settlement for Improper Disposal of PHI, more enforcement actions expected soon

On April 27, 2015, the US Department of Health and Human Services Office for Civil Rights announced a settlement with Cornell Prescription Pharmacy (Cornell), a small, single-location pharmacy that provides in-store and prescription services to patients in the Denver, Colorado metropolitan area, specializing in compounded medications and services for hospice care agencies, for potential HIPAA violations.  Cornell will pay $125,000 and adopt a corrective action plan to correct deficiencies in its HIPAA compliance program.

A Denver news outlet notified HHS OCR of disposal of un-shredded, unsecured documents containing specific protected health information (PHI) of 1,610 patients in an unlocked, open container on Cornell's premises.  Cornell had failed to implement and provide training to the workforce in any written policies and procedures as required by the HIPAA Privacy Rule.

The agreement requires Cornell to develop and implement a comprehensive set of policies and procedures to comply with the Privacy Rule, and develop and provide staff training.  The Resolution Agreement can be found on the OCR website via:  

Recent news reports and rumors indicate that HHS is just ramping up its enforcement work on HIPAA, and this may be only the first indication of a coming flood of settlement agreements for HIPAA violations.  Take note!

Draft NIST Report Released on De-Identification of PII

On April 10, 2015, the National Institute of Standards and Technology released Draft NIST Interagency Report (NISTIR) 8053, De-Identification of Personally Identifiable Information, which is a topic near and dear to those of us who handle PHI.  Draft NISTIR 8053, along with a summary and announcement, is at:

To submit comments to this draft, use the comment template available at the above URL.  Send comments to:  The deadline to submit comments is May 15, 2015.

HHS OCR Looking for Someone to Lead HIPAA Audit Program

On April 9, 2015, the US Department of Health and Human Services announced a job opening for someone to lead the HHS Office for Civil Rights’ HIPAA Audit Program.  Quote, "The Office for Civil Rights (OCR) has one Compliance Specialist (Auditing) position available within our Headquarters office located in Washington, DC. This position serves as the senior auditing subject matter expert who provides leadership, oversight, coordination, and advice necessary to design, plan and execute an audit program of covered entity and business associate compliance with the HIPAA Privacy, Security, and Breach Notification Rules.”

If they’re hiring someone to lead the HIPAA Audit Program, that probably means they’ll get around to doing some auditing again.  How soon?  Who knows…  The job listing is open until April 17, and is available at:  

ONC Releases Version 2 of Privacy and Security Guide for ePHI

In April 2015, the Office of the National Coordinator for Health Information Technology released version 2 of its Guide to Privacy and Security of Electronic Health Information, providing a concise summary of the processes and requirements involved in assuring adequate privacy and security of electronic Protected Health Information.  The guide is available at:  and Chapter 6, a Sample Seven Step Approach for Implementing a Security Management Process, is available separately at:  

Final Draft of NIST SP 800-171 (Security Summary) Issued

On April 3, 2015, the National Institute of Standards and Technology released the final public draft of SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, which provides an excellent summary of security actions to take to protect information systems, and provides a great checklist of security considerations.

To view the full announcement and link to this draft document, please visit the CSRC Drafts page at:

If you would like to submit comments on the draft, the deadline to submit comments is May 12, 2015; email your comments to:

Excellent New PCI Guidance on Penetration Testing Released

In March 2015, the PCI Security Standards Council released a new Information Supplement: Penetration Testing Guidance.  The guidance includes a great deal of useful information including a useful explanation of the difference between a penetration test and a vulnerability scan, as well as descriptions of test components, tester qualifications, and methodology, with a few case studies.

While the guidance is focused on payment card information protection, it is easy to apply to health information protection, which is, of course, a growing issue.  See:  

Links to Two Key Resources Updated; Wall of Shame Updated

In early March 2015, Internet links to two key resources were changed.  The old link to the HHS OCR “Wall of Shame” listing the breaches affecting more than 500 individuals, in typical HHS fashion, has simply stopped working, yielding a “page not found” error.  

The information is now available in a much easier to use format using modern Web technologies on secure pages that are part of the new HHS OCR portal that will someday be used for submission of information requested in the random audit program, due to restart “real soon now.”  The new-and-improved “Wall of Shame” is at  The new format is much easier to read and search, with easy export of the data in multiple formats.  See what happens to others -- make sure it doesn't happen to you.

Another key resource is the NIST Computer Security Incident Handling Guide, Special Publication 800-61 revision 2, which has been relocated to:  

New Jersey Law Requires Encryption of Health Information

On January 9, 2015, a New Jersey law was enacted, going into effect August 1, 2015, requiring that health insurance companies doing business in New Jersey encrypt personal data they transmit electronically over a public network or retain on end-user computers, such as desktops, workstations, laptops, storage media, and smart phones.  The law was prompted by health data breaches in New Jersey.  The brief text of the bill is available at:

News stories on the new law are available at:

Security Alert for Windows Systems - Don’t be the next Sony!

On December 19, 2014, the US Computer Emergency Readiness Team (US-CERT) issued Alert (TA14-353A) on Targeted Destructive Malware, about what can be done to help prevent an attack such as the recent attack on Sony.  Healthcare institutions would be well advised to review the bulletin and implement measures accordingly.  Make sure your technical security folks know about this!  The Alert is available at:  

NIST Announces Draft Rev’s to Small Business Security Guide

On December 16, 2014, the National Institute of Standards and Technology announced the draft of Revision 1 of NIST IR 7621, Small Business Information Security: The Fundamentals.  The draft can be found on the NIST CSRC Draft publications page at:   

NIST, as a partner with the Small Business Administration and the Federal Bureau of Investigation in an information security awareness outreach to the small business community, developed this NISTIR as a reference guideline, intended to present the fundamentals of a small business information security program in non-technical language. Comments will be accepted through February 9, 2015. If you have any comments on the draft, please send comments or questions to:

$150K Settlement for Unpatched and Unsupported Software

On December 8, 2014, the US Department of Health and Human Services Office for Civil Rights announced that Anchorage Community Mental Health Services (ACMHS) has agreed to settle potential HIPAA violations by paying $150,000 and adopting a two-year corrective action plan, following investigation of a breach that revealed ACMHS had not implemented good security processes, had not regularly updated their IT resources with available patches, and were running outdated, unsupported software.  

The bulletin and settlement agreement are available at:

NIST Draft SP 800-171 Provides Excellent Summary of Security

On November 20, 2014, the National Institute of Standards and Technology released the first public draft of SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, which provides an excellent summary of security actions to take to protect information systems, and provides a great checklist of security considerations.

To view the full announcement and link to this draft document, please visit the CSRC Drafts page at:

If you would like to submit comments on the draft, the deadline to submit comments is January 16, 2015; email your comments to:

HHS Announces Guidance on HIPAA in Emergency Situations

On November 10, 2014, the US Department of Health and Human Services (HHS) published new guidance on HIPAA Privacy Rule protections in emergency situations, such as an Ebola outbreak, to ensure that HIPAA-regulated entities are aware of the ways in which patient information may be shared under the HIPAA Privacy Rule in an emergency situation, and to serve as a reminder that the protections of the Privacy Rule are not set aside during an emergency.  The HIPAA Privacy Rule protects the privacy of patients' health information but also ensures that appropriate uses and disclosures of the information still may be made to treat a patient, to protect the nation's public health, and for other critical purposes.

OCR's bulletin on HIPAA Privacy in Emergency Situations may be found at:

Additional guidance on HIPAA in Emergency Situations: Preparedness, Planning, and Response can be found at:

HHS OIG 2015 Work Plan Includes HIPAA Security Enforcement

The 2015 Work Plan of the US Department of Health and Human Services (HHS) Office of Inspector General (OIG) has been announced and includes items pertaining to HIPAA Security, including analyzing the IT security of community health centers funded by the Health Resources and Services Administration, and reviewing controls over networked medical devices at hospitals.  The HHS OIG Work Plan for Fiscal Year 2015 is available at:  

SANS-Norse Report: Healthcare Info Compromises Epidemic

A 2014 report developed by SANS and Norse indicates widespread compromises of healthcare information in the US, affecting all kinds of healthcare organizations, and all kinds of devices from firewalls and radiology imaging systems to Web cameras and mail servers.  "A significant number of compromises were due to very basic issues such as not changing default credentials on firewalls.”  The report is available at:  (requires registration)  

Serious Security Flaw Affects Unix-based Systems - Urgent! 

On September 25, 2014, several announcements were made concerning a recently discovered serious security flaw in the Bash shell used across Unix-based systems, known as the Bash/Shellshock Vulnerability.

US-CERT is aware of a Bash vulnerability affecting Unix-based operating systems such as Linux and Mac OS X. Exploitation of this vulnerability may allow a remote attacker to execute arbitrary code on an affected system.  The notification is available at:  

HHS OCR Issues Guidance on HIPAA and Same-Sex Marriage

On September 17, 2014, the US Department of Health and Human Services Office for Civil Rights (OCR) issued guidance in response to the Supreme Court decision on same-sex marriage, specifying that spouses include both same-sex and opposite-sex individuals who are legally married, whether or not they live or receive services in a jurisdiction that recognizes their marriage.  

The guidance clarifies that same-sex spouses have the same HIPAA rights as other family members, no matter where services are provided.  See:  

FBI Warns Healthcare is Now a Major Target of Hackers

On August 20, 2014, Reuters reported that the FBI has issued an alert through their Liaison Alert System specifically detailing a significant threat to healthcare information security posed by hackers.  The FBI provides details about the threat, including information about how technical personnel can spot evidence of malicious activity related to the threat.  The Reuters article is available at  and the FBI warning is available here on this site.

Mass. AG Settles Breach Suit with RI Hospital for $150,000

On July 23, 2014, the Massachusetts Attorney General announced they had reached a $150,000 settlement with Women & Infants Hospital of Rhode Island to resolve issues concerning a breach in the Summer of 2011 of 12,000 Massachusetts patients’ names and health information that was not discovered until the Spring of 2012, and not reported until November of 2012.  The breach occurred when unencrypted backup tapes went missing.  Lessons here: #1: Encrypt your backup tapes.  #2: Have a good system for managing your backup tape inventory.  #3: Recognize that you may have issues with other states when you have a breach and your patients are residents of other states.  #4: Don’t delay reporting your breaches properly — have a solid process!  The settlement announcement is available at:  

7th Annual NIST/OCR HIPAA Security Conference Announced

On July 15, 2014, the US Department of Health and Human Services Office for Civil Rights (OCR) and the National Institute of Standards and Technology (NIST) announced the 7th annual NIST/OCR Safeguarding Health Information: Building Assurance through HIPAA Security conference, to be held September 23-24, 2014 at the Grand Hyatt Hotel, 1000 H Street NW, Washington, DC.  If you are a HIPAA Security Officer, this is THE event to attend this year.  Onsite attendance costs $345, and $200 for the webcast.  For more information and registration, please see  

Settlements Continue: $800K for Poorly Handled Records

On June 24, 2014, the US Department of Health and Human Services Office for Civil Rights announced that Parkview Health System, Inc. (Parkview) has agreed to settle potential HIPAA violations by paying $800,000 and adopting a corrective action plan.  Parkview employees had left 71 boxes of medical records in an open and accessible area, completely unsecured.  

The press release and settlement agreement are available on the HHS Web site at:  and HHS provides FAQ on the proper disposal of protected health information at:  

HHS Releases New Reports on Breaches and HIPAA Compliance

On June 11, 2014, the U.S. Department of Health and Human Services, Office for Civil Rights, issued two Reports to Congress called for by the HITECH Act: one on Breaches of Unsecured Protected Health Information, and the other on HIPAA Privacy, Security, and Breach Notification Rule Compliance.  The reports cover relevant activities in calendar years 2011 and 2012.  

The breach notification report provides an overview of the breach notification requirements and discusses the reports received as a result.  The report on compliance with the HIPAA Rules summarizes complaints received of alleged violations of the HITECH Act and the HIPAA Privacy and Security Rules.  These are the second reports on these topics in response to the HITECH Act requirement.  See:  

Exposed PHI Costs Columbia/Presbyterian Record $4.8 million

On May 7, 2014, the US Department of Health and Human Services Office for Civil Rights announced that New York and Presbyterian Hospital (NYP) and Columbia University (CU), operating jointly as New York Presbyterian Hospital / Columbia University Medical Center, had settled a complaint for a total of $4.8 million, following the unintentional exposure of the PHI of 6,800 individuals through insecure management of server deployments.  The settlement includes an extensive (and expensive) corrective action plan.  

The message here is to be sure you use good, professional practices in the development and implementation of all systems handling PHI. The press release is at:  and the Resolution Agreements are available at:  and  

Stolen Laptops Lead To $2 million in Settlements for Entities

On April 22, 2014, it was announced that two entities have paid nearly $2 million total to the US Department of Health and Human Services Office for Civil Rights to resolve HIPAA issues around laptops that were stolen, that had PHI on them, and that were not encrypted, a scenario that is reported daily in the Health Information Technology press.  In both cases, Concentra Health Services and QCA Health Plan, Inc. of Arkansas had not done the required complete and thorough risk analysis and implementation of a risk management plan.  Both have corrective action plans that must be implemented, in addition to the monetary settlement.  The press release is at:  and the Resolution Agreements are available at:  

The message here is clear: 1) Do a solid Risk Analysis, and 2) Encrypt your portable devices and provide training on their secure use, or you risk big fines and corrective action plans.

FBI Issues Alert to Healthcare Entities About Cyber Security

On April 8, 2014, the FBI Cyber Division issued a Private Industry Notification, Health Care Systems and Medical Devices at Risk for Increased Cyber Intrusions for Financial Gain, a two-page overview of the state of information security in healthcare.  The Notification references other research and reports to conclude that PHI is valuable ($50 per record, vs. $1 per record for financial information), security is insufficiently implemented, and breaches are widespread. This, combined with the rapid increase in the number of EHR implementations, leaves the healthcare industry vulnerable.  The Notification is available at:  

The FBI encourages entities to report any suspicious or criminal activity to the local FBI field office; FBI regional phone numbers can be found online at  

ONC & OCR Release Risk Assessment Tool for iPad & Windows

On March 28, 2014, the Office of the National Coordinator for Health IT, in collaboration with the HHS Office for Civil Rights and HHS Office of the General Counsel, released a new Risk Assessment tool for small and medium sized organizations that assists in the collection and analysis of data, and comes in iPad and Windows 7 versions.  

In many ways, the tool is an evolution of the NIST HIPAA Security Rule Toolkit released in 2011.  It doesn’t make the work any easier, but it makes organizing the information and producing reports a little easier if you’re new to Risk Analysis.  Used well, it could help; used poorly, it could provide a false sense of security.   The Tool, the user guide, and related videos are all available at:    

WA County Gov’t Settles HIPAA Security Issues for $215K

On March 7, 2014, the US Department of Health and Human Services announced that Skagit County, Washington, has agreed to settle potential violations of the HIPAA Privacy, Security, and Breach Notification Rules for a $215,000 settlement and agreement to work closely with HHS to correct deficiencies in its HIPAA compliance program.  The issues concern the deployment of PHI on insecure servers, exposing the information of 1581 individuals, and the lack of HIPAA-related policies, procedures, documentation, and training.  The HHS press release is at:  

The Resolution Agreement can be found on the OCR website at:  

HHS Requests Comments on Plan to Send Audit Readiness Information Requests to 1200 HIPAA CEs and BAs

On February 24, 2014, the US Department of Health and Human Services issued a request for comment on the proposed collection of information to determine the suitability of 1200 HIPAA Covered Entities and Business Associates for being audited under the requirements of the HITECH Act.

The survey will gather information about respondents to enable OCR to assess the size, complexity, and fitness of a respondent for an audit. Information collected includes, among other things, recent data about the number of patient visits or insured lives, use of electronic information, revenue, and business locations.  See:  

This means that the 2014 HIPAA random audit program is now ramping up, with the first wave of contacts going out once the comment period is over.  The time to get ready is NOW.

UPDATE: Beginning in late March, 2014, HHS OCR began presenting its plan for resumption of the HIPAA Audit Program, Phase 2 of which will be getting under way in 2014 and expanding to include Business Associates in 2015.  A PDF of a PowerPoint presentation by HHS OCR Senior Adviser Linda Sanches at the HCCA Compliance Institute March 31, 2014 is available at:  

UPDATE #2: On May 12, 2014 HHS reissued its request for comment on its plan to survey 1200 entities for their suitability, gathering additional information until June 11, 2014.  The reissued request for comment is available at:  

HHS Issues HIPAA Guidance on Sharing Mental Health Info

On February 20, 2014, the U.S. Department of Health and Human Services announced new guidance explaining how the HIPAA Privacy Rule operates to protect individuals' privacy rights with respect to their mental health information and in what circumstances the Privacy Rule permits health care providers to communicate with patients' family members and others to enhance treatment and assure safety.  This important guidance is available at:  

HHS Publishes Model Notice of Privacy Practices in Spanish

On February 19, 2014, the US Department of Health and Human Services announced it has created Spanish language versions of their new model HIPAA Notices of Privacy Practices.  The model notices, in English and Spanish, are available at:

HHS Launches Competition for Best Online Privacy Notice

In the hopes of finding a better model, on February 10, 2014, the US Department of Health and Human Services announced a call for designers, developers, and patient privacy experts to create an online model notice of privacy practices that is compelling, readable, and understandable by patients and is easily integrated into existing entity Web sites.  Public voting on the contestants will determine the winner, with a $15,000 prize for first place.  See:  and  

HHS Releases CLIA & HIPAA Rules Allowing Lab Info Access

The US Department of Health and Human Services is releasing a new final rule concerning the access of laboratory information by individuals, to be officially published February 6, 2014.  The new rule amends CLIA to allow access of authenticated information by authenticated individuals or their authorized representatives under HIPAA, and amends HIPAA to remove laboratory information from the list of information to which individuals may be denied access.

As usual, the Preamble is well worth reading.  Individuals may still access results via their physician, and results may still be accessed for the usual treatment purposes; the new rules simply add new access rights, but create a whole new world for labs and patient communications.  See:  

FTC Gets Into Healthcare Privacy & Security Enforcement

On January 16, 2014, the US Federal Trade Commission unanimously asserted that it has authority to enforce consumer protection laws concerning the privacy and security of healthcare information, even when the concerned business is also covered under the HIPAA regulations.  FTC sees no conflict with HHS activity and finds no problems with enforcing the rules alongside HHS.

This means that, whether or not a privacy or security problem is noted by HHS, the FTC could become involved if it feels there have been deceptive trade practices, e.g., promising security and then not providing it.

The FTC order is at$File/lab.pdf .  An accompanying story in Bloomberg BNA is available at:  

HHS Proposes HIPAA Changes to Allow NICS Communication

On January 3, 2014, the US Department of Health and Human Services issued a Notice of Proposed Rule Making (NPRM) intended to make it easier to report information to the National Instant Criminal Background Check System (NICS).  The NPRM would modify the HIPAA Privacy Rule to permit certain HIPAA-covered entities to disclose to the NICS the identities of persons prohibited by federal law from possessing or receiving a firearm for reasons related to mental health.

The information reported to the NICS would not include clinical, diagnostic, or other mental health information.  Instead, certain covered entities would be permitted to disclose the minimum necessary identifying information about individuals who have been involuntarily committed to a mental institution or otherwise have been determined by a lawful authority to be a danger to themselves or others or to lack the mental capacity to manage their own affairs.

The NPRM and additional information are available at:  

              Copyright © 2002-2016 Lewis Creek Systems, LLC  Charlotte, Vermont, USA