Privacy, Security, and Compliance News

Penalty #43 for Right of Access Violation by a Laboratory

On January 3, 2023, the HHS Office for Civil Rights (OCR) announced a settlement with Life Hope Labs, LLC, a full-service diagnostic laboratory in Sandy Springs, Georgia, concerning a potential violation of the HIPAA Privacy Rule's right of access provision.  Life Hope Labs agreed to implement a corrective action plan (including two years of monitoring) and pay $16,500 to resolve this investigation.

In August 2021, a complaint was filed with OCR alleging that Life Hope Labs would not provide a personal representative with a copy of her deceased father’s medical records until over seven months after the request.  OCR's investigation determined that Life Hope Labs’ failure to provide timely access to the requested medical records was a potential violation of the HIPAA right of access provision.

See the press release and the resolution agreement at:  https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/life-hopes/index.html  

Penalty #42 for Violations of Individual Right to Access PHI

On December 15, 2022, HHS Office for Civil Rights (OCR) announced a settlement with Health Specialists of Central Florida Inc., a primary care provider in Florida, concerning a potential violation of the HIPAA Privacy Rule's right of access provision, which requires that patients be able to access their health information in a timely manner.  This investigation marks the 42nd case to be resolved under OCR’s HIPAA Right of Access Initiative.  Health Specialists of Central Florida Inc. paid $20,000 to OCR and agreed to implement a corrective action plan (CAP) to resolve this investigation.

A complaint was filed in 2019 by a daughter acting as a personal representative on behalf of her deceased father, who had been a patient. The complainant alleged she was not provided with timely access to the requested medical records, despite multiple requests.

See the press release with a link to the agreement at:  https://www.hhs.gov/about/news/2022/12/15/hhs-civil-rights-office-resolves-hipaa-right-of-access-investigation-with-20000-dollar-settlement.html  and an article in SC News at:  https://www.scmagazine.com/analysis/privacy/hipaa-right-of-access-failure-costs-florida-provider-20k-in-settlement-with-feds

HHS Penalty for Posting PHI in Social Media Review Responses

On December 14, 2022, HHS Office for Civil Rights (OCR) announced a settlement with B. Brandon Au, DDS, Inc., d/b/a New Vision Dental (New Vision Dental), in California, over the impermissible disclosure of patient protected health information (PHI) in responses to online reviews, and other potential HIPAA Privacy Rule violations.  The provider used social media to respond to patient reviews and disclosed PHI in those replies; disclosing PHI this way, without the patient's authorization, violates the HIPAA Privacy Rule.  New Vision Dental paid $23,000 to OCR and agreed to implement a corrective action plan (CAP) to resolve this investigation. 

See the press release and agreement at:  https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/new-vision/index.html  and an article in SC News at https://www.scmagazine.com/analysis/privacy/dentist-settles-hipaa-violations-for-disclosing-information-replying-to-yelp-reviews  

Updated FTC-HHS Online Tool for Developers re Rules

On December 7, 2022, the Federal Trade Commission (FTC), in conjunction with the HHS Office for Civil Rights (OCR), the HHS Office of the National Coordinator for Health Information Technology (ONC), and the Food and Drug Administration (FDA), updated the Mobile Health App Interactive Tool. This tool is designed to help developers of health-related mobile apps understand which federal laws and regulations might apply to them. 

The guidance tool asks developers a series of high-level questions about the nature of their app, including about its function, the data it collects, and the services it provides to users. Based on the developer’s answers to those questions, the guidance tool will point the app developer toward detailed information about certain federal laws that might apply to the app. These include the FTC Act, the FTC’s Health Breach Notification Rule, the Children’s Online Privacy Protection Act (COPPA), the Health Insurance Portability and Accountability Act (HIPAA), the Federal Food, Drug and Cosmetics Act (FD&C Act), and the 21st Century Cures Act and ONC Information Blocking Regulations.

Developers and others seeking more information about how the HIPAA Rules might apply to their health apps should visit OCR’s HIPAA and Health Apps page, which contains information on how HIPAA applies to a range of example health app scenarios and offers key questions to consider in determining when HIPAA’s regulations cover a particular health app. 

The tool is available at: https://www.ftc.gov/business-guidance/resources/mobile-health-apps-interactive-tool 

The HIPAA and Health Apps page is available at: https://www.hhs.gov/hipaa/for-professionals/special-topics/health-apps/index.html   

HHS Warns Of Requirements for Online Tracking Technology

On December 1, 2022, the HHS Office for Civil Rights issued a Bulletin on Requirements under HIPAA for Online Tracking Technologies to Protect the Privacy and Security of Health Information.  The bulletin warns that technologies like Google Analytics or Meta Pixel, which collect and analyze information about how internet users interact with a regulated entity’s website or mobile application, can transmit PHI to the tracking vendor.  Where a vendor receives PHI, the bulletin states that a HIPAA business associate agreement (BAA) with that vendor is required, and that disclosing PHI to a tracking vendor without one is an impermissible disclosure.  See the guidance at:  https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/hipaa-online-tracking/index.html  

See the announcement at:  https://www.hhs.gov/about/news/2022/12/01/hhs-office-for-civil-rights-issues-bulletin-on-requirements-under-hipaa-for-online-tracking-technologies.html  and an article on the topic in SC Media at https://www.scmagazine.com/analysis/privacy/hhs-warning-to-providers-use-of-pixel-tracking-tech-without-baa-violates-hipaa
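A practical first step after reading the bulletin is to find out which third-party tags a patient-facing page actually loads.  The following is an added example written for this page, not a tool from OCR or any vendor: it parses a page's HTML with the Python standard library and reports every script, image or iframe source that leaves the first-party domain, plus inline bootstrap calls (fbq(), gtag(), ga()) that load a tracker without a visible src.  The hostname list and the sample HTML are assumptions constructed for the demonstration, not an official inventory.

```python
"""Added example: scan a page's HTML for third-party tracking technologies.

Illustrative code written for this page, not an OCR or vendor tool.  The
host list and inline signatures below are assumptions for demonstration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed mapping of hostnames to the tracking products named in the bulletin.
TRACKER_HOSTS = {
    "www.google-analytics.com": "Google Analytics",
    "www.googletagmanager.com": "Google Tag Manager",
    "connect.facebook.net": "Meta Pixel",
    "www.facebook.com": "Meta Pixel",
}

# Assumed inline bootstrap calls that reveal a tracker even with no <script src>.
INLINE_SIGNATURES = {
    r"\bfbq\(": "Meta Pixel",
    r"\bgtag\(": "Google Analytics (gtag)",
    r"\bga\(": "Google Analytics (analytics.js)",
}


class TrackerScanner(HTMLParser):
    """Collect script/img/iframe sources that leave the first-party domain."""

    def __init__(self, first_party_domain):
        super().__init__()
        self.first_party_domain = first_party_domain.lower()
        self.findings = []
        self._script_buf = None  # list of text chunks while inside <script>, else None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            self._script_buf = []
        if tag in ("script", "img", "iframe") and attrs.get("src"):
            self._check_url(tag, attrs["src"])

    def handle_data(self, data):
        # html.parser delivers <script> bodies through handle_data; buffer them.
        if self._script_buf is not None:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script_buf is not None:
            body = "".join(self._script_buf)
            self._script_buf = None
            for pattern, vendor in INLINE_SIGNATURES.items():
                if re.search(pattern, body):
                    self.findings.append(
                        {"kind": "inline-script", "vendor": vendor, "evidence": pattern})

    def _is_first_party(self, host):
        return host == self.first_party_domain or host.endswith("." + self.first_party_domain)

    def _check_url(self, kind, url):
        host = urlparse(url).hostname  # None for relative URLs such as /static/app.js
        if host is None or self._is_first_party(host.lower()):
            return
        host = host.lower()
        vendor = TRACKER_HOSTS.get(host, "unrecognised third party")
        self.findings.append({"kind": kind, "vendor": vendor, "evidence": host})


def scan_html(html, first_party_domain):
    """Return a list of findings, in document order, for one page's HTML."""
    scanner = TrackerScanner(first_party_domain)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page for a hypothetical clinic; not a real site.
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-XXXX"></script>
<script>
  window.dataLayer = window.dataLayer || [];
  function gtag(){dataLayer.push(arguments);}
  gtag('js', new Date());
</script>
<script>
  fbq('init', '000000'); fbq('track', 'PageView');
</script>
</head><body>
<noscript><img height="1" width="1" src="https://www.facebook.com/tr?id=000000"/></noscript>
<img src="https://cdn.example-clinic.org/logo.png">
<a href="/appointments">Book an appointment</a>
</body></html>
"""

if __name__ == "__main__":
    for f in scan_html(SAMPLE_HTML, "example-clinic.org"):
        print(f"{f['kind']:14} {f['vendor']:32} {f['evidence']}")
```

On the sample page the scan reports the Google Tag Manager loader, the inline gtag() and fbq() calls, and the Meta Pixel image in the noscript fallback, and ignores the first-party script and CDN image.  Extend TRACKER_HOSTS with the vendors your own tag inventory names; an "unrecognised third party" hit is the prompt to ask whether that vendor receives PHI and whether a BAA is in place.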

Changes to 42 CFR Part 2 Proposed to Align with HIPAA

On November 28, 2022, HHS announced proposed changes to the rules for the treatment of personal information protected under 42 CFR Part 2, which governs substance use disorder (SUD) treatment records, to ensure better care coordination for patients with SUD.  The proposed rule is available at:  https://public-inspection.federalregister.gov/2022-25784.pdf      

Part 2 currently imposes different requirements for SUD treatment records than the HIPAA Privacy Rule, which can create barriers to information sharing by patients and among healthcare providers and create dual obligations and compliance challenges for regulated entities, HHS said.  Greater flexibility for information sharing would include the permitted use and disclosure of Part 2 records based on a single patient consent given once for all future uses and disclosures for treatment, payment and healthcare operations.

The proposed rule permits redisclosure of Part 2 records in any manner permitted by the HIPAA Privacy Rule, with certain exceptions.  It gives patients rights to obtain an accounting of disclosures and to request restrictions on certain disclosures, as also granted by the HIPAA Privacy Rule.  It updates breach notifications to affected patients.  It expands prohibitions on the use and disclosure of Part 2 records in civil, criminal, administrative and legislative proceedings and gives HHS new enforcement authority, including the imposition of civil money penalties for violations of Part 2.

A fact sheet on the proposed rule from HHS is available at:  https://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/hipaa-part-2/index.html  

An article on the proposed rule in Healthcare Finance News is available at:  https://www.healthcarefinancenews.com/news/hhs-proposes-rule-substance-use-treatment-information-sharing-and-protection  and an article on MedPage Today is at:  https://www.medpagetoday.com/publichealthpolicy/healthpolicy/101944    

Five Hospital Staff Charged with Criminal HIPAA Violations

On November 10, 2022, the US Department of Justice announced the indictment of five former Methodist Hospital employees for conspiring with another individual to unlawfully disclose patient information in violation of HIPAA for personal gain.  

The conspiracy charge carries a maximum penalty of five years’ imprisonment, a fine of $250,000 and a three-year period of supervised release.  Each count of obtaining patient information with the intent to sell it for financial gain carries a maximum penalty of 10 years’ imprisonment, a fine of $250,000 and three years of supervised release.

The five hospital employees were each charged with separate violations of disclosing the information in violation of HIPAA. That charge carries a maximum penalty of one year imprisonment, a $50,000 fine and a one-year period of supervised release.

See the DOJ announcement at https://www.justice.gov/usao-wdtn/pr/five-former-methodist-hospital-employees-charged-hipaa-violations and a story in HealthITSecurity at https://healthitsecurity.com/news/5-former-methodist-hospital-employees-indicted-over-hipaa-violations  

OCR Releases New Recognized Security Practices Video

On October 31, 2022, HHS OCR announced, in recognition of National Cybersecurity Awareness Month, the release of a new video for organizations covered under the HIPAA Rules on Recognized Security Practices, to help organizations improve their ability to safeguard patient information from cyberattacks and better protect health care services.   Section 13412 of the HITECH Act requires OCR to take into consideration, in certain Security Rule enforcement and audit activities, whether a regulated entity has adequately demonstrated that recognized security practices were “in place” for the prior 12 months. 

This presentation is intended to educate the health care industry on the categories of recognized security practices and how entities regulated under the HIPAA Rules may demonstrate implementation. Topics include:

  • The 2021 HITECH Amendment regarding recognized security practices
  • How regulated entities can demonstrate that recognized security practices are in place
  • The evidence of recognized security practices that may be requested by OCR in the event of a HIPAA Security Rule investigation or audit
  • Where to find more information about recognized security practices
  • Answers to a selection of questions submitted to OCR in June 2022 on recognized security practices

The video presentation may be found on OCR’s YouTube channel at: https://youtu.be/e2wG7jUiRjE

October 2022 OCR Cybersecurity Newsletter Topic:
Security Incident Procedures

On October 25, 2022, HHS OCR published its October Cybersecurity Newsletter focusing on HIPAA Security Rule Security Incident Procedures, providing a good overview of incident handling preparation and execution, including steps in: 

  • Forming a security incident response team
  • Identifying security incidents
  • Responding to security incidents
  • Mitigating harmful effects of a security incident
  • Documenting the security incident
  • Understanding your breach reporting obligations

The newsletter is available at https://www.hhs.gov/hipaa/for-professionals/security/guidance/cybersecurity-newsletter-october-2022/index.html

Magellan Health Class Action for Breach Settled for $1.43M

On September 30, 2022, SC Media reported that Magellan Health has agreed to pay breach victims $1.43 million to resolve claims its allegedly inadequate security enabled an undetected phishing attack and subsequent patient data breach in 2019.  Magellan provides managed care services for health plans and other healthcare entities; it denies all claims of wrongdoing and “asserts there’s no evidence the third-party actor ever actually viewed any personally identifiable information or personal health information.” However, “further litigation would be protracted and expensive… and it’s desirable that the litigation be fully and finally settled.”

See the Story in SC Media at  https://www.scmagazine.com/analysis/incident-response/magellan-health-settles-for-1-43m-after-data-breach-delayed-notification  

HHS-ONC Blog: 8 Info Blocking Reminders for October 6, 2022

On September 30, 2022, the HHS Office of the National Coordinator (ONC) posted a blog about eight Information Blocking regulatory reminders concerning changes going into effect on October 6, 2022.  The blog discusses the following eight points:

  1. The information blocking definition’s limitation on the scope of electronic health information (EHI) is lifted as of October 6, 2022.
  2. IB actors’ practices include acts and omissions.
  3. The information blocking regulations’ exceptions are not solely “one size fits all” and address the facts and circumstances of the situation at hand.
  4. Not all health information that’s electronic is EHI under the regulatory definition. And if such information is not EHI, then it’s not covered by the information blocking regulations.
  5. How IB actors make EHI available for access, exchange, and use can and will vary based on who the IB actor is, their technological sophistication, and who it is that is seeking to access, exchange or use an IB actor’s EHI.
  6. Information blocking is about “the data” (i.e., EHI) regardless of whether ONC-certified health IT is involved.
  7. Use of certain information blocking exceptions by actors will provide clear notification to requestors whether their request to access, exchange, or use EHI is delayed or denied.
  8. Information blocking claims are confidential and restricted from public disclosure.

Read the blog to get a better understanding of how Information Blocking applies to your operations, at:  https://www.healthit.gov/buzz-blog/information-blocking/information-blocking-eight-regulatory-reminders-for-october-6th  

Comment Period for NIST SP 800-66R2 Draft Extended

The public comment period has been extended for the initial public draft of NIST Special Publication (SP) 800-66r2 (Revision 2), Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule: A Cybersecurity Resource Guide.  The draft is available at:  https://csrc.nist.gov/publications/detail/sp/800-66/rev-2/draft  The new comment deadline is October 5, 2022.

This draft:

  • Includes a brief overview of the HIPAA Security Rule
  • Provides guidance for regulated entities on assessing and managing risks to ePHI
  • Identifies typical activities that a regulated entity might consider implementing as part of an information security program
  • Lists additional resources that regulated entities may find useful in implementing the Security Rule

Please submit comments to sp800-66-comments@nist.gov through October 5, 2022. See https://csrc.nist.gov/publications/detail/sp/800-66/rev-2/draft for a copy of the draft and instructions for submitting comments.

Three More Access Settlements, This Time All Dental Offices

On September 20, 2022, HHS OCR announced the settlement of three more enforcement actions in its Right of Access initiative, this time focusing on dentists.  One practice provided incomplete responses, taking over five months to satisfy the request; $30K and a CAP.  One took too long and charged too much for copies; $80K and a CAP.  The third took eight months to respond and required too many requests; $25K and a CAP.  The lesson?  Dentists are HIPAA Covered Entities and are subject to the same rules for individual access.  See the press release with links to the agreements at:  https://www.hhs.gov/about/news/2022/09/20/ocr-settles-three-cases-dental-practices-patient-right-access-under-hipaa.html  

Dermatology Trash Disposal Case: HHS Settles for $300K+CAP

On August 23, 2022, OCR settled a case concerning improper disposal of Protected Health Information (PHI), for $300,640 and a Corrective Action Plan, with New England Dermatology P.C., d/b/a New England Dermatology and Laser Center (“NEDLC”). 

NEDLC filed a breach report with OCR stating that empty specimen containers with PHI on the labels were placed in a garbage bin in their parking lot. The containers’ labels included patient names and dates of birth, dates of sample collection, and name of the provider who took the specimen.  Reportedly, a security guard found one of the vials on the ground in the parking lot.  OCR’s investigation, conducted by OCR’s New England Regional Office, found potential violations of the HIPAA Privacy Rule including the impermissible use and disclosure of PHI and failure to maintain appropriate safeguards to protect the privacy of PHI.

Folks, this is just the latest in a number of settlements for poor trash handling over the years.  If it’s got PHI on it, it has to be destroyed for disposal, as in shredded.

The HHS Press Release, the Resolution Agreement and Corrective Action Plan, and OCR’s FAQs concerning HIPAA and the disposal of protected health information are all available at:  https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/nedlc/index.html  

HHS OCR Issues 11(!) Actions for Individual Access Violations

On July 15, 2022, HHS OCR announced the resolution of eleven investigations in its HIPAA Right of Access Initiative, bringing the total number of these enforcement actions to thirty-eight since the initiative began in September of 2019.  OCR created this initiative to support individuals' right to timely access their health records at a reasonable cost under the HIPAA Privacy Rule.

Penalty amounts ranged from $5,000 to $240,000, depending on the circumstances and details.  The variety of cases shows that ANY AND EVERY individual request for medical records in any scenario must be treated seriously and expeditiously.  

For the list of settlements, see:  https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/july-2022-hipaa-enforcement/index.html 
For the press release including summary case information for the 11 actions, see:  
https://www.hhs.gov/about/news/2022/07/15/eleven-enforcement-actions-uphold-patients-rights-under-hipaa.html  

OSU-CHS pays $875K Settlement Payment and CAP for Breach

On July 14, 2022, HHS OCR announced Oklahoma State University – Center for Health Sciences (OSU-CHS) has paid $875,000 to HHS OCR and agreed to implement a corrective action plan to settle potential HIPAA violations that resulted in the disclosure of the ePHI of 279,865 individuals.

OCR’s investigation found potential violations of the HIPAA Rules including impermissible uses and disclosures of PHI; failure to conduct an accurate and thorough risk analysis; failure to perform an evaluation; failure to implement audit controls and security incident response and reporting procedures; and failure to provide timely breach notification to affected individuals and HHS.

For the press release and settlement agreement, see:  https://www.hhs.gov/about/news/2022/07/14/oklahoma-state-university-center-health-services-pays-875000-settle-hacking-breach.html  

HHS Guidance on HIPAA and Reproductive Rights Privacy

On June 29, 2022, HHS issued Guidance to Protect Patient Privacy in Wake of Supreme Court Decision on Roe.  Guidance includes information about what information HIPAA protects, and the limits of that protection, as well as what’s protected – and what’s not – when using period trackers and other health information apps on smartphones.

This guidance addresses the circumstances under which the HIPAA Privacy Rule permits disclosure of PHI without an individual’s authorization, and explains that disclosures for purposes not related to health care, such as disclosures to law enforcement officials, are permitted only in narrow circumstances tailored to protect the individual’s privacy and support their access to health care, including abortion care. 

The guidance on the HIPAA Privacy Rule and Disclosures of Information Relating to Reproductive Health Care may be found at https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/phi-reproductive-health/index.html.

NIST Releases New Guidance and Resources on macOS Security

On June 24, 2022, the National Institute of Standards and Technology (NIST) released new guidance and resources on macOS Security, in the final version of Special Publication (SP) 800-219, Automated Secure Configuration Guidance from the macOS Security Compliance Project (mSCP). This document explores mSCP resources that system administrators, security professionals, security policy authors, information security officers, and auditors can leverage to secure and assess macOS desktop and laptop system security in an automated way.

SP 800-219 incorporates and deprecates content from SP 800-179 (December 12, 2016) and SP 800-179 Draft Revision 1 (November 16, 2018).

See SP 800-219 at https://csrc.nist.gov/publications/detail/sp/800-219/final and the announcement at https://content.govdelivery.com/accounts/USNIST/bulletins/31d70e4    

HHS Guidance to Improve Cyber Posture of Healthcare Orgs

On June 16, 2022, the HHS Health Sector Cybersecurity Coordination Center (HC3) published guidance for healthcare organizations to help them improve their cyber posture.

HC3 details several steps that can be taken to improve cyber posture such as conducting regular security posture assessments, consistently monitoring networks and software for vulnerabilities, defining which departments own risks and assigning managers to specific risks, regularly analyzing gaps in security controls, defining key security metrics, and creating incident response and disaster recovery plans.  HC3 also recommends following the cybersecurity best practices detailed in CISA Insights for protecting against cyber threats, and draws attention to the importance of the security risk assessment.

See the guidance at:  https://www.hhs.gov/sites/default/files/strengthening-cyber-posture-in-healthcare-tlpwhite.pdf  and a post in HIPAA Journal at:  https://www.hipaajournal.com/hhs-offers-advice-to-help-healthcare-organizations-strengthen-their-cyber-posture/  

HHS Issues Guidance on Audio-Only Teleconferencing and PHI

On June 13, 2022, HHS OCR issued Guidance on How the HIPAA Rules Permit Covered Health Care Providers and Health Plans to Use Remote Communication Technologies for Audio-Only Telehealth addressing questions such as: 

  • Does the HIPAA Privacy Rule permit covered healthcare providers and health plans to use remote communication technologies to provide audio-only telehealth services?
  • Do covered healthcare providers and health plans have to meet the requirements of the HIPAA Security Rule in order to use remote communication technologies to provide audio-only telehealth services?
  • Do the HIPAA Rules permit a covered healthcare provider or a health plan to conduct audio-only telehealth using remote communication technologies without a business associate agreement in place with the vendor?

The answers to these questions are not obvious, but they make sense in the overall view of HIPAA compliance.  They are worth reviewing if only to understand where the boundaries of the Security Rule are, how the Privacy Rule may still apply when the Security Rule does not, and what that means for security.  

See the guidance at: https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/hipaa-audio-telehealth/index.html  and an article in Healthcare IT News at  https://www.healthcareitnews.com/news/hhs-puts-out-new-notice-audio-only-telehealth-and-hipaa  

HHS Revises Security Risk Assessment Tool (SRA Tool) to v3.3

On June 3, 2022, HHS OCR and the Office of the National Coordinator for Health Information Technology (ONC) released an updated SRA Tool version 3.3 as an application for Windows, as well as in an Excel spreadsheet-based version.  The target audience of this tool is medium and small providers; thus, use of this tool may not be appropriate for larger organizations.

The SRA Tool is a desktop application that walks users through the security risk assessment process using a simple, wizard-based approach. Users are guided through multiple-choice questions, threat and vulnerability assessments, and asset and vendor management. References and additional guidance are given along the way. Reports are available to save and print after the assessment is completed.

The Excel spreadsheet version of the SRA Tool takes the same content from the Windows desktop application and presents it in a familiar spreadsheet format. The Excel Workbook contains conditional formatting and formulas to calculate and help identify risk in a similar fashion to the SRA Tool application.

See: https://www.healthit.gov/topic/privacy-security-and-hipaa/security-risk-assessment-tool

More Enforcement: 2 Access Rights, 1 Blabbing PHI online, and 1 Providing PHI to an Election Campaign (yes, really)

On March 28, 2022, HHS OCR announced four new HIPAA enforcement actions: two involving individual access issues (#26 and #27, if you’re counting), one involving a dentist posting PHI in a mocking reply to an online review (what, again??) and not responding to OCR investigators (see the next story, below, for advice), and one dentist that gave its patient list to a political campaign manager (that one takes the cake).  It’s hard to think of anything to say about these; they’re just so, well, stupid!  So many still have so much to learn about simple HIPAA rules.

The HHS OCR announcement is available at:  https://www.hhs.gov/about/news/2022/03/28/four-hipaa-enforcement-actions-hold-healthcare-providers-accountable-with-compliance.html  

And articles on the announcement are available in Healthcare IT News at:  https://www.healthcareitnews.com/news/ocr-steps-hipaa-enforcement-4-news-providers-facing-settlements  and in HealthITSecurity at:  https://healthitsecurity.com/news/ocr-announces-four-hipaa-enforcement-actions  

AHIMA Provides Lessons to Help Prevent ROI Mistakes

On March 22, 2022, AHIMA published an article in AHIMA Journal on Lessons to Help Prevent Release of Information Mistakes.  Individual access to information is a key issue with HHS OCR; if you are investigated by HHS, work with your investigator, respond to any technical assistance, and deal with any issues promptly, or you may suffer significant penalties.  Eight Mistakes to Avoid and Steps to Avoid OCR Violations are included.  See the article at:  https://journal.ahima.org/lessons-to-help-prevent-release-of-information-mistakes/ 

HHS OCR Quarterly Newsletter Provides Security Guidance

On March 17, 2022, HHS OCR released the OCR Q1 2022 Cybersecurity Newsletter focusing on Defending Against Common Cyber-Attacks.  Common threats (such as Phishing) and mitigations are discussed, with a list of resources.  

See the OCR newsletter at:  https://www.hhs.gov/hipaa/for-professionals/security/guidance/cybersecurity-newsletter-first-quarter-2022/index.html  and a March 18, 2022 article on it in HIPAA Journal at:  https://www.hipaajournal.com/ocr-hipaa-security-rule-compliance-can-prevent-and-mitigate-most-cyberattacks/  

DOJ Settles Civil Cyber-Fraud On Poor Security of Health Info

On March 8, 2022, the US Department of Justice settled False Claims Act allegations involving inadequate protection of medical information being managed under contract, for $930,000.  The DOJ announcement is available at:  https://www.justice.gov/opa/pr/medical-services-contractor-pays-930000-settle-false-claims-act-allegations-relating-medical  and an article in HealthITSecurity is available at:  https://healthitsecurity.com/news/doj-settles-first-case-under-civil-cyber-fraud-initiative  

NY State Fines $600K for Healthcare Data Breach of 2.1M

On January 24, 2022, New York Attorney General Letitia James announced a $600,000 agreement with EyeMed that resolves a 2020 data breach that compromised the personal information of approximately 2.1 million consumers nationwide, including 98,632 in New York state.  Attackers gained access to an EyeMed email account containing sensitive customer information dating back six years.  Among the issues, no multi-factor authentication was in place, passwords were not managed well, and activity logs for the e-mail account were not maintained.

HSCA Publishes Guidance on Supply Chain Security

In late 2021 the Healthcare Supply Chain Association (HSCA) published two documents for medical device manufacturers, healthcare delivery organizations, and service providers:  Medical Device and Service Cybersecurity: Key Considerations for Manufacturers & Healthcare Delivery Organizations, and Recommendations for Medical Device Cybersecurity Terms and Conditions. Included are 50 requirement statements (search for “should”), 18 of which (the ones in the last two sections) are very good requirements to convince procurement to include in all RFPs and contracts for medical devices and services.

The guidance includes important provisions, such as warranty and lifecycle information, partnerships to resolve security incidents in a timely fashion, and breach/incident sharing with the appropriate ISAOs without non-disclosure provisions. 

Healthcare providers will need to push on their suppliers to ensure they are complying with appropriate security practices prior to signing contracts. Suppliers need to make sure the providers understand the needed security when deploying their products and services. Then healthcare providers need to actively assess their protections regularly.

See: https://www.supplychainassociation.org/wp-content/uploads/2021/12/Cybersecurity-Key-Considerations-FINAL.pdf and https://www.supplychainassociation.org/wp-content/uploads/2021/12/HSCA-Recommended-Cybersecurity-TsCs-FINAL.pdf  

HHS Issues Guidance in Using PHI to Support an ERPO

On December 20, 2021, HHS’s Office for Civil Rights (OCR) released new guidance to clarify how HIPAA permits covered healthcare providers to disclose PHI without a patient’s consent to support applications for extreme risk protection orders (ERPOs). ERPOs can temporarily prevent a person in crisis from accessing firearms if they are perceived to pose a danger to themselves or others.

Concerned family members, law enforcement, healthcare providers, and others may seek an ERPO if they are concerned that an individual may be suicidal or may use a firearm to injure themselves or another person.  See the guidance at:  https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/extreme-risk-protection-orders/index.html  

HHS Announces CSA 405(d) SBAR Brief re Log4j and Healthcare

On December 17, 2021, HHS released a 405(d) Situation, Background, Assessment, Recommendation (SBAR) as mandated by the Cybersecurity Act of 2015, regarding the Log4j security vulnerability that may affect numerous systems.  If you are in charge of security and systems, you should be aware of this document right now.  See:  https://405d.hhs.gov/Documents/405dSBAR-Log4j-Final.pdf  

NJ AG Reaches $425K Settlement re Three Providers’ Breaches

On December 15, 2021, the NJ AG announced that the Division of Consumer Affairs has reached a settlement with three New Jersey-based providers of cancer care that the State alleges failed to adequately safeguard patient data, exposing the personal and protected health information of 105,200 consumers, including 80,333 New Jersey residents.

Under the terms of the settlement, Regional Cancer Care Associates LLC, RCCA MSO LLC, and RCCA MD LLC (collectively, “RCCA”)—all headquartered in Hackensack, but with 30 locations throughout New Jersey, Connecticut and Maryland—have agreed to pay $425,000 and adopt additional privacy and security measures to safeguard individuals’ PHI and personal information to resolve the State’s investigation into alleged violations of the New Jersey Consumer Fraud Act and HIPAA.  See the press release at:  https://www.njconsumeraffairs.gov/News/Pages/12152021.aspx 
and the Consent Order at:  
https://www.nj.gov/oag/newsreleases21/RCCA%20MSO%20LLC%20Consent%20Order.pdf  

HHS Announces New Site Supporting CSA 405(d) Program

On December 1, 2021, the US Department of Health and Human Services announced the launch of a new website for the HHS 405(d) Aligning Health Care Industry Security Approaches Program, at https://405d.hhs.gov/public/navigation/home.  To get right to the most important information to act on, use the tab for “Protect Patients and Organizations”, at  https://405d.hhs.gov/public/navigation/protectPatients   

The HHS 405(d) Program website was developed in partnership with the HHS 405(d) Task Group which includes more than 150 individuals from industry and the federal government.  Through this new website, the 405(d) Program supports the motto that Cyber Safety is Patient Safety and provides the Healthcare and Public Health (HPH) sector with resources, products, videos, and tools that help raise awareness and provide cybersecurity practices.

The HHS 405(d) Program was established in response to the Cybersecurity Act of 2015. HHS convened the CSA 405(d) Task Group to enhance cybersecurity and align industry approaches by developing a common set of voluntary, consensus-based, and industry-led cybersecurity guidelines, practices, methodologies, procedures, and processes that healthcare organizations can use.

The press release is available at:  https://www.hhs.gov/about/news/2021/12/01/hhs-launches-website-405d-aligning-health-care-industry-security-approaches-program.html  

Also see, in SCMagazine:  https://www.scmagazine.com/analysis/policy/hhs-unveils-healthcare-cybersecurity-threat-mitigation-resource-website  

And, in HealthITSecurity:  https://healthitsecurity.com/news/hhs-launches-new-website-to-align-healthcare-cybersecurity  

Access Rules Strike Again: Five New Settlements/Penalties

On November 30, 2021, HHS Office for Civil Rights announced four new settlements and one civil money penalty for right of access violations, bringing the total in the Right of Access enforcement campaign up to twenty-five.

The five actions involve various delays in responding to records requests, some requiring repeated complaints to HHS, and one where the provider simply ignored OCR, leading to a civil money penalty rather than a settlement.  The five actions are: 

  • Advanced Spine & Pain Management (ASPM), which provides management and treatment of chronic pain services in Cincinnati and Springboro, Ohio, has agreed to take corrective actions that include two years of monitoring, and has paid OCR $32,150 to settle.
  • Denver Retina Center, a provider of ophthalmological services in Denver, CO, has agreed to take corrective actions that include one year of monitoring and has paid OCR $30,000 to settle.
  • Rainrock Treatment Center, LLC dba Monte Nido Rainrock (“Monte Nido”), a licensed provider of residential eating disorder treatment services in Eugene, OR, has taken corrective actions including one year of monitoring and has paid OCR $160,000 to settle.
  • Wake Health Medical Group, a provider of primary care and other health care services in Raleigh, NC, has agreed to take corrective actions and has paid OCR $10,000 to settle.
  • Dr. Robert Glaser, a cardiovascular disease and internal medicine doctor in New Hyde Park, NY, did not cooperate with OCR’s investigation or respond to OCR’s data requests after failing to provide a patient with a copy of their medical record.  Dr. Glaser waived his right to a hearing and did not contest OCR's findings.  Accordingly, OCR closed this case by issuing a civil money penalty of $100,000.

See:  https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/2021-right-of-access-initiative/index.html  for the press releases and settlement agreements.  An article summarizing the five actions and what prompted them is available in HealthITSecurity, at:  https://healthitsecurity.com/news/ocr-settles-5-hipaa-right-of-access-cases  

Criminal HIPAA Charges for Unauthorized Access to PHI

On November 24, 2021, Northwell Health's Huntington (NY) Hospital notified 13,000 patients about a breach caused by inappropriate access to the EHR system by a night shift employee, who has been fired and criminally charged under HIPAA.  Criminal charges under HIPAA (42 U.S.C. § 1320d-6) are relatively rare compared to civil actions, but can carry fines of up to $250,000 and up to ten years in prison when PHI is obtained with intent to sell it or use it for commercial advantage, personal gain, or malicious harm.

An article on the incident can be found on HealthITSecurity, at:  https://healthitsecurity.com/news/former-ny-hospital-employee-charged-with-hipaa-violation

The announcement by Northwell Health is available on BusinessWire at:  https://www.businesswire.com/news/home/20211124006159/en/Huntington-Hospital-–-Notice-of-Unauthorized-Access-to-Personal-Information    

HHS OCR: Ransomware Resources for HIPAA Regulated Entities

On September 21, 2021, HHS OCR published to its list-serve a list of the resources available to assist in preventing, detecting, and mitigating breaches of unsecured protected health information caused by hacking and ransomware.

The list includes links to more than a dozen HHS Health Sector Cybersecurity Coordination Center Threat Briefs; HHS Resources on Section 405(d) of the Cybersecurity Act of 2015; OCR Guidance on Ransomware, Cybersecurity, and Risk Analysis; the HHS Security Risk Assessment Tool; CISA and FBI Ransomware Guides and Resources; and OCR Cybersecurity Newsletters.

The list is available at  https://www.databreaches.net/ransomware-resources-for-hipaa-regulated-entities/  and at  https://cchipaa.com/blog/f/ocr-provides-ransomware-resources  

FTC: Health Apps and Devices Must Comply with Breach Rule

On September 15, 2021, the Federal Trade Commission issued a policy statement affirming that health apps and connected devices that collect or use consumers’ health information must comply with the Health Breach Notification Rule, which requires that they notify consumers and others when their health data is breached.  

Apps have a responsibility to ensure they secure the data they collect, which includes preventing unauthorized access to such information.  The Rule ensures that entities not covered by HIPAA face accountability when consumers’ sensitive health information is breached.  Failure to comply, the agency said, could result in a penalty of up to $43,792 per violation per day.

The announcement is available at:  https://www.ftc.gov/news-events/press-releases/2021/09/ftc-warns-health-apps-connected-device-companies-comply-health  and the policy statement is available at:  https://www.ftc.gov/public-statements/2021/09/statement-commission-breaches-health-apps-other-connected-devices  

The FTC Health Breach Notification Rule is available at:  https://www.ftc.gov/policy/federal-register-notices/health-breach-notification-rule-final-rule   

A September 16, 2021 article on the topic in TechCrunch is available at:  https://techcrunch.com/2021/09/16/ftc-says-health-apps-must-notify-consumers-if-their-data-is-breached-or-face-fines/   

A September 16, 2021 article on the topic in HealthcareITNews is available at:  https://www.healthcareitnews.com/news/ftc-warns-connected-device-orgs-comply-breach-rule-or-pay  

Right of Access Settlement #20 Announced — $80K + CAP

On September 10, 2021, the U.S. Department of Health and Human Services announced the resolution of its twentieth investigation in its HIPAA Right of Access Initiative.  In May 2020, a parent filed a complaint with OCR alleging that Children's Hospital & Medical Center (CHMC) had failed to provide her with timely access to her minor daughter's medical records. CHMC provided some records but, despite the parent's multiple follow-up requests, did not provide all of the records requested.  

OCR initiated an investigation and as a result, the parent finally received all of the requested records.  CHMC has agreed to take corrective actions and pay $80,000 to settle the issue.  The HHS press release and a link to the resolution agreement and CAP are available at:  https://www.hhs.gov/about/news/2021/09/10/ocr-resolves-twentieth-investigation-in-hipaa-right-of-access-initiative-with-settlement.html  

NIST Guide on Ransomware Risk Management in New Draft

On September 8, 2021, the National Institute of Standards and Technology (NIST) released a new draft, open for comment until October 8, 2021, of The Cybersecurity Framework Profile for Ransomware Risk Management, Draft NISTIR 8374, at:  https://csrc.nist.gov/publications/detail/nistir/8374/draft  

The draft profile, prepared by the National Cybersecurity Center of Excellence (NCCoE), identifies security objectives from the NIST Cybersecurity Framework that can help prevent, respond to, and recover from ransomware events. It can be used as a guide to managing risk—including helping gauge an organization’s readiness to mitigate ransomware threats and react to potential impacts. The profile addresses issues that were raised in public comments on a preliminary draft released in June 2021.

NSA Guidance on Securing Wireless Devices in Public Places

On July 29, 2021, the US National Security Agency (NSA) published Guidance on Wireless Device Security for people traveling or working remotely. The cybersecurity information sheet “describes how to identify potentially vulnerable connections and protect common wireless technologies, and lists steps users can take to help secure their devices and data.”  See https://media.defense.gov/2021/Jul/29/2002815141/-1/-1/0/CSI_SECURING_WIRELESS_DEVICES_IN_PUBLIC.PDF and for a related article in BleepingComputer, see: https://www.bleepingcomputer.com/news/security/nsa-shares-guidance-on-how-to-secure-your-wireless-devices/

StopRansomware.gov Launched by CISA, Provides Resources

On July 16, 2021, HHS OCR shared information from the Cybersecurity and Infrastructure Security Agency (CISA), announcing the new StopRansomware.gov website, the U.S. Government’s One-Stop Location to Stop Ransomware.

StopRansomware.gov is a whole-of-government approach that gives one central location for ransomware resources and alerts. The website helps organizations understand the threat of ransomware, mitigate risk, and, in the event of an attack, know what steps to take next.  The site is an interagency resource that provides ransomware protection, detection, and response guidance, including ransomware alerts, reports, and resources from CISA, the FBI, and other federal partners.  See:  https://www.cisa.gov/stopransomware  

NIST Cyber Supply Chain Practices SP 800-161 Rev 1 Coming

NIST SP 800-161 Rev. 1, Draft Cyber Supply Chain Risk Management Practices for Systems and Organizations, is in development and receiving comments through June 25, 2021.  Developers and managers need to ensure that the products they procure from others are developed securely.  See  https://csrc.nist.gov/publications/detail/sp/800-161/rev-1/draft  

NIST Extends Comment Period on SP 800-66 Revision 1

On June 8, 2021, NIST announced it has extended the due date to July 9, 2021, for providing comments on the current NIST Special Publication (SP) 800-66 Revision 1, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule.

NIST is collecting comments in preparation for the release of a draft of a new Revision 2 of SP 800-66.  If you have comments on how to improve SP 800-66, please speak up now so your concerns can be addressed in Revision 2.  See the call for comments for more details and instructions for submitting comments, at:  https://csrc.nist.gov/publications/detail/sp/800-66/rev-2/draft

Now Up To #19 in Access Settlements - Enough Examples Yet? 

On June 2, 2021, HHS OCR announced enforcement settlement #19 in its HIPAA Right of Access Initiative.  The Diabetes, Endocrinology & Lipidology Center, Inc. (“DELC”), a West Virginia-based healthcare provider that treats endocrine disorders, has agreed to take corrective actions and pay $5,000 to settle a potential violation of the HIPAA Privacy Rule's right of access standard. 

In early August 2019, a complaint was filed with OCR alleging that DELC failed to take timely action in response to a parent’s records access request for a copy of her minor child’s protected health information. OCR initiated an investigation and determined that DELC’s failure to provide timely access to the requested medical records was a potential violation of the HIPAA right of access standard.  As a result of OCR's investigation, DELC provided the requested records in May 2021, nearly two years after the parent’s request.

In addition to the monetary settlement, DELC will undertake a corrective action plan that includes two (2) years of monitoring.  For more information, see:  https://www.hhs.gov/about/news/2021/06/02/ocr-settles-nineteenth-investigation-hipaa-right-access-initiative.html  

HIPAA Security Rule Violations Cost Lab $25K and a CAP

On May 25, 2021, HHS OCR announced Peachstate Health Management, LLC, doing business as AEON Clinical Laboratories (Peachstate), has agreed to pay $25,000 and implement a corrective action plan to settle potential violations of the HIPAA Security Rule.  Peachstate, based in Georgia and certified under the CLIA, provides diagnostic and laboratory-developed tests, including clinical and genetic testing services.

In December 2017, OCR initiated a compliance review of Peachstate to determine its compliance with the HIPAA Privacy and Security Rules.  OCR’s investigation found systemic noncompliance with the HIPAA Security Rule, including failures to conduct an enterprise-wide risk analysis, implement risk management and audit controls, and maintain documentation of HIPAA Security Rule policies and procedures.

Once again, it’s not hard to do, you just have to do it: a risk analysis (RA), a risk management plan (RM), and documented policies and procedures (P&Ps).

See:  https://www.hhs.gov/about/news/2021/05/25/clinical-laboratory-pays-25000-settle-potential-hipaa-security-rule-violations.html  

And an article in HealthITSecurity with lots of background details:  https://healthitsecurity.com/news/ocr-settles-with-aeon-clinical-for-25k-over-multiple-hipaa-failures  

NIST Calls for Comments on Updating SP 800-66 Revision 1

On April 29, 2021, the National Institute of Standards and Technology issued a call for comments on NIST Special Publication (SP) 800-66, Revision 1, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule.

NIST SP 800-66 Rev 1 is one of the more useful tools that entities can use to help inform information security risk analyses and compliance work.  NIST is planning to update SP 800-66, Revision 1, and is seeking stakeholder input on how well the Resource Guide serves its stated purposes: to educate readers about information security terms used in the HIPAA Security Rule, to raise awareness of NIST cybersecurity resources relevant to the HIPAA Security Rule, to raise awareness of non-NIST resources relevant to the HIPAA Security Rule, and to provide detailed implementation guidance for covered entities and business associates.

Recognizing that covered entities and business associates have diverse ways of implementing the HIPAA Security Rule, NIST is soliciting feedback about how organizations are implementing the Resource Guide, its application, and its use in practice.  You can view the Call for Comments here:  https://csrc.nist.gov/publications/detail/sp/800-66/rev-2/draft.

The comment period is open through June 15, 2021.  Comments may be submitted via email to: sp800-66-comments@nist.gov with “Resource Guide for Implementing the HIPAA Security Rule Call for Comments” in the subject field.   Once completed, the resulting draft of SP 800-66, Rev. 2, will be provided for public review and comment.

If you have used SP 800-66r1 and have something to say about it, speak up.  If you haven’t looked at it, take a look and think about how it might be improved and updated.  See:  https://csrc.nist.gov/publications/detail/sp/800-66/rev-1/final  

No let-up: HHS OCR Announces #17&18 in Access Settlements

On March 24, 2021, HHS OCR announced its seventeenth settlement of an enforcement action in its HIPAA Right of Access Initiative.  The Arbour, Inc., doing business as Arbour Hospital ("Arbour"), has agreed to take corrective actions and pay $65,000 to settle a potential violation of the HIPAA Privacy Rule's right of access standard.  Arbour is located in Massachusetts and provides behavioral health services.

In July 2019, a complaint was filed with OCR alleging that Arbour failed to take timely action in response to a patient's records access request made in May 2019. OCR provided Arbour with technical assistance on the HIPAA Right of Access requirements. Later, in July 2019, OCR received a second complaint alleging that Arbour still had not responded to the same patient's records access request. OCR initiated an investigation and found potential violations.  As a result, Arbour provided the patient with a copy of their requested records in November 2019, more than 5 months after the initial request.

See:  https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/arbour/index.html  

Then, on March 26, 2021, HHS OCR announced its eighteenth settlement of an enforcement action in its HIPAA Right of Access Initiative.  Village Plastic Surgery ("VPS") has agreed to take corrective actions and pay $30,000 to settle a potential violation of the HIPAA Privacy Rule's right of access standard. VPS is located in New Jersey and provides cosmetic plastic surgery services.

In September 2019, a complaint was filed with OCR alleging that VPS failed to take timely action in response to a patient's records access request made in August 2019. OCR initiated an investigation and determined that VPS’s failure to provide timely access to the requested medical records was a potential violation of the HIPAA right of access standard.  As a result of OCR's investigation, VPS sent the patient their requested records.

See: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/vps/index.html

NIST Issues Draft of Guidance for Mobile Security — BYOD

On March 18, 2021, the National Institute of Standards and Technology (NIST) released a draft of Mobile Device Security: Bring Your Own Device (BYOD), Draft SP 1800-22, now available for comment.  Many organizations now support their employees' use of personal mobile devices to remotely perform work-related activities. BYOD provides employees with increased flexibility to telework and access organizational information resources.  Protecting an organization's data when it is accessed from personal devices, while also protecting employee privacy, poses unique challenges and threats.

The goal of the Draft NIST Special Publication (SP) 1800-22 practice guide, Mobile Device Security: Bring Your Own Device (BYOD), is to provide an example solution that helps organizations use both a standards-based approach and commercially available technologies to help meet their security and privacy needs when permitting personally-owned mobile devices to access enterprise resources. 

The draft guide and link for providing comments are available at: https://csrc.nist.gov/publications/detail/sp/1800-22/draft  The public comment period is open through May 3, 2021. 

Also see other NIST resources on Mobile Device and Remote Access Guidance under that heading (scroll down) on our page: Resources: Guidance from NIST

More Time for Comment on Proposed Privacy Rule Changes

On March 9, 2021, HHS OCR announced a 45-day extension of the public comment period for the Notice of Proposed Rulemaking (NPRM) to modify the HIPAA Privacy Rule.  OCR first released the NPRM to the public on the HHS website on December 10, 2020, and it was published in the Federal Register on January 21, 2021.  The 45-day extension moves the current deadline for the public to submit comments from March 22, 2021, to May 6, 2021. The notice of extension of the comment period is available at https://public-inspection.federalregister.gov/2021-05021.pdf.  

The proposed rule is available in the Federal Register at: https://www.federalregister.gov/documents/2021/01/21/2020-27157/proposed-modifications-to-the-hipaa-privacy-rule-to-support-and-remove-barriers-to-coordinated-care.  Comments may be submitted at https://www.regulations.gov

Read and comment — there are a LOT of changes in the rule to be considered!

41 State Attorneys General Hold AMCA’s Feet to the Fire

On February 11, 2021, 41 state attorneys general announced a settlement with the Retrieval-Masters Creditors Bureau, d/b/a American Medical Collection Agency (AMCA), to resolve a multi-state investigation into its massive healthcare data breach from 2019.  The settlement provides for a $21 million payment, suspended because of AMCA's financial condition, that becomes due if AMCA defaults on the settlement terms.

The AMCA security incident was by far the largest healthcare data breach that year, impacting at least 21 million individuals across the country.  First disclosed in June 2019, a hacker gained access to the billing collections vendor for eight months between August 1, 2018 and March 30, 2019. The access provided the hacker with troves of billing and medical data from a range of AMCA clients.

The breach notices spurred multiple investigations and patient-related lawsuits, and soon after, AMCA filed for Chapter 11 bankruptcy.  See the settlement at:  https://ag.ny.gov/sites/default/files/new_york_agreement_signed.pdf  and an article on the settlement in HealthITSecurity at:  https://healthitsecurity.com/news/41-states-settle-with-amca-over-2019-data-breach-affecting-21m-patients  

Like A Broken Record: Access Settlements Numbers 15 and 16

On February 10, 2021, HHS OCR announced the fifteenth settlement in its HIPAA Right of Access Initiative.  In February 2019, OCR received a complaint alleging that Renown Health, P.C., a private, not-for-profit health system in Nevada, failed to timely respond to a patient’s request that an electronic copy of her protected health information, including billing records, be sent to a third party.  OCR’s investigation determined that Renown Health’s failure to provide timely access to the requested records was a potential violation of the HIPAA right of access standard.  

As a result of OCR’s investigation, Renown Health provided access to all of the requested records, and has agreed to take corrective actions and pay $75,000 to settle a potential violation of the HIPAA Privacy Rule’s right of access standard.  See:  https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/renown/index.html  

Then, on February 12, 2021, HHS OCR announced the sixteenth settlement in its HIPAA Right of Access Initiative.  Sharp HealthCare, located in California and doing business as Sharp Rees-Stealy Medical Centers ("SRMC"), has agreed to take corrective actions and pay $70,000 to settle a potential violation of the HIPAA Privacy Rule's right of access standard. 

In June 2019, a complaint was filed with OCR alleging that SRMC failed to take timely action in response to a patient's records access request directing that an electronic copy of protected health information in an electronic health record be sent to a third party. OCR provided SRMC with technical assistance on the HIPAA Right of Access requirements. In August 2019, OCR received a second complaint alleging that SRMC still had not responded to the patient's records access request. OCR initiated an investigation and determined there was a potential violation of the HIPAA right of access standard, and then, SRMC provided access to the requested records.  See:  https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/sharp/index.html  

Do we have the message yet?  Individual access rights are a big issue with HHS OCR and with patients.  It’s time to get it right!  The proposed rules will only make it tougher.

HHS Relaxes Enforcement for Insecure Vaccination Scheduling

On January 19, 2021, HHS OCR announced it will exercise enforcement discretion and not impose penalties for violations of the HIPAA Rules in connection with the good faith use of online or web-based scheduling applications (collectively, “WBSAs”) for the scheduling of individual appointments for COVID-19 vaccinations during the COVID-19 nationwide public health emergency, effective immediately, and retroactive to December 11, 2020.

The Notification explains that the exercise of enforcement discretion applies to covered health care providers and their business associates, including WBSA vendors, when the WBSA is used in good faith and only for the limited purpose of scheduling individual appointments for COVID-19 vaccinations during the public health emergency. 

The Notification encourages the use of reasonable safeguards to protect the privacy and security of individuals’ protected health information (PHI), such as using only the minimum necessary PHI, encryption technology, and enabling all available privacy settings.

The Notification of Enforcement Discretion for Use of Online or Web-Based Scheduling Applications during the COVID-19 Nationwide Public Health Emergency may be found at https://www.hhs.gov/sites/default/files/hipaa-vaccine-ned.pdf

OCR’s COVID-19 webpage and materials concerning the continued enforcement of civil rights laws and HIPAA during this public health emergency can be found at https://www.hhs.gov/hipaa/for-professionals/special-topics/hipaa-covid19/index.html

ONC Issues Updated Information Blocking FAQs

On January 15, 2021, the Office of the National Coordinator for Health IT released an updated list of FAQs about Information Blocking, including several new entries that address certified health IT, electronic health information, interferences, and the “Preventing Harm” exception.  If you’re wondering about the rules and the issues involved with Information Blocking, this set of FAQs is a fine place to start.  See:  https://www.healthit.gov/curesrule/resources/information-blocking-faqs  

Health Insurer Pays $5.1 Million for Breach of 9.3 Million

On January 15, 2021, Excellus Health Plan, Inc., a New York health services corporation that provides health insurance coverage to over 1.5 million people in Upstate and Western New York, agreed to pay $5.1 million to HHS OCR and to implement a corrective action plan to settle potential violations of the HIPAA Privacy and Security Rules related to a breach affecting over 9.3 million people.  

On September 9, 2015, Excellus Health Plan filed a breach report stating that cyber-attackers had gained unauthorized access to its information technology systems for almost a year and a half.  The hackers installed malware and conducted reconnaissance activities that ultimately resulted in the breach of more than 9.3 million individuals’ PHI.

OCR’s investigation found potential violations of the HIPAA Rules including failure to conduct an enterprise-wide risk analysis, and failures to implement risk management, information system activity review, and access controls.  In addition to the monetary settlement, Excellus Health Plan will undertake a corrective action plan that includes two years of monitoring.

The OCR Press Release and settlement agreement are at:  https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/excellus/index.html  

MD Anderson Weasels Out of HIPAA Penalty, For Now

On January 14, 2021, the U.S. Court of Appeals for the Fifth Circuit vacated the University of Texas MD Anderson Cancer Center's $4.3 million HIPAA civil money penalty for losing more than 35,000 patients' protected health information.  The penalty stemmed from three incidents in 2012 and 2013: the theft of an unencrypted laptop from the cancer center and the loss of two unencrypted flash drives.  The court ruled that HHS had acted arbitrarily and inconsistently in finding that MD Anderson had violated two Security Rule requirements.  

MD Anderson appealed the HHS penalty in April 2019, arguing that HHS, as a federal agency, lacked the authority to impose civil monetary penalties on MD Anderson because it is a state agency.  The hospital also argued that HHS's penalty was excessive.  After MD Anderson filed its petition with the Court of Appeals, HHS conceded it could not defend a penalty for the breaches of more than $450,000. The court vacated the civil monetary penalties and remanded the case for further proceedings consistent with the opinion.

Wait a sec…  Didn’t Alaska Medicaid (also a State agency) pay their penalty a few years ago??  And the fine should have been $450K and not $4.3 million??  What other inappropriate fines have been levied??

See the story at Becker’s Hospital Review:  https://www.beckershospitalreview.com/cybersecurity/md-anderson-avoids-4-3m-hipaa-penalty.html  

Now Up To 14 Settlements in the Right of Access Initiative

On January 12, 2021, HHS OCR announced its fourteenth settlement of an enforcement action in its HIPAA Right of Access Initiative, supporting individuals’ right to timely access their health records at a reasonable cost under the HIPAA Privacy Rule.  Banner Health, a non-profit health system based in Phoenix, Arizona, on behalf of the Banner Health affiliated covered entities (Banner Health ACE), has agreed to take corrective actions and pay $200,000 to settle potential violations of the HIPAA Privacy Rule’s right of access standard.  Banner Health operates 30 hospitals and numerous primary care, urgent care, and specialty care facilities and is one of the largest health care systems in the United States. 

OCR received two complaints against Banner Health ACE entities alleging violations of the HIPAA Right of Access standard; the entities took approximately six months and five months, respectively, to provide the requested records.  In addition to the monetary settlement, Banner Health will undertake a corrective action plan that includes two years of monitoring.  

The OCR press release and settlement agreement are at:  https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/banner/index.html  

HIPAA Safe Harbor Bill Yields Points for Using Good Practices

On January 5, 2021, President Donald Trump officially signed HR 7898 into law. The HIPAA Safe Harbor bill amends the HITECH Act to require the Department of Health and Human Services to give credit for recognized cybersecurity practices when assessing HIPAA compliance.  The legislation directs HHS to take into account whether a covered entity or business associate has had recognized security practices in place for the previous 12 months when investigating and undertaking HIPAA enforcement actions, or for other regulatory purposes.

Further, the bill requires that HHS take cybersecurity into consideration when calculating fines related to security incidents. HHS is also required to decrease the extent and length of an audit, if it’s determined the impacted entity has indeed met industry-standard best practice security requirements.

The law also expressly noted that the HITECH changes do not give HHS the authority to increase fines or the extent of an audit, when an entity is found to be out of compliance with the recognized security standards.

“The term ‘recognized security practices’ means the standards, guidelines, best practices, methodologies, procedures, and processes developed under…the NIST Act, the approaches promulgated under… the Cybersecurity Act of 2015, and other programs and processes that address cybersecurity and that are developed, recognized, or promulgated through regulations under other statutory authorities,” according to the law.  “Such practices shall be determined by the covered entity or business associate, consistent with the HIPAA Security rule,” it continued.

This means, if you can show you have been using good practices for a year, any investigations will be easier and fines lower.  So, start doing it right, right now!

An article in Health IT Security is available at:  https://healthitsecurity.com/news/hipaa-safe-harbor-bill-becomes-law-requires-hhs-to-incentivize-best-practice-security  

Lucky 13th Settlement Announced in Right of Access Initiative

On December 22, 2020, HHS OCR announced its 13th enforcement settlement in the Right of Access Initiative, with a $36K financial settlement and corrective action plan for a failure of a primary care provider to respond to a records request.  The patient filed a complaint with OCR, OCR provided guidance on how to respond, and the records were still not delivered until a follow-up complaint was filed with OCR.  Get the message?  If OCR gives you advice on what to do following a patient’s complaint, follow OCR's advice or risk a penalty.

The OCR press release and settlement agreement are available at:  https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/elite-primary-care/index.html  

NIST Issues NIST SP 1800-24 on Cybersecurity and PACS

On December 20, 2020, NIST published Special Publication 1800-24, on Securing Picture Archiving and Communication System (PACS): Cybersecurity for the Healthcare Sector.  The practice guide helps health delivery organizations (HDOs) implement current cybersecurity standards and best practices to reduce their cybersecurity risk and protect patient privacy while maintaining the performance and usability of PACS.  

This NIST Cybersecurity Practice Guide demonstrates how organizations can securely configure and deploy PACS. This guide presents an example solution that helps HDOs improve medical imaging ecosystem privacy and cybersecurity.  If your organization uses a PACS, best to read!  See:  https://csrc.nist.gov/publications/detail/sp/1800-24/final  

OCR Issues Guidance on HIPAA, HIEs, PHI, and Public Health

On December 18, 2020, HHS OCR issued guidance on how HIPAA permits covered entities and their business associates to use health information exchanges (HIEs) to disclose PHI for the public health activities of a public health authority (PHA).  The guidance provides examples relevant to the COVID-19 public health emergency and answers these questions:

  • What is an HIE?
  • When does the HIPAA Privacy Rule permit a covered entity or its business associate to disclose PHI to an HIE for purposes of reporting the PHI to a PHA, without an individual's authorization?
  • Can a covered entity rely on a PHA's request to disclose a summary record to a PHA or HIE as being the minimum necessary PHI needed by the PHA to accomplish the public health purpose of the disclosure?
  • May a covered entity disclose PHI to a PHA through an HIE without receiving a direct request from the PHA?
  • May an HIE provide PHI it has received as a business associate of a covered entity to a PHA for public health purposes without first obtaining permission from the covered entity?
  • Is a covered entity required to provide notice to individuals about its disclosures of PHI to a PHA for public health purposes? Is an HIE that is a business associate required to provide such notice?

The Guidance is available at: https://www.hhs.gov/sites/default/files/hie-faqs.pdf

OCR Issues Almost Useless Report on HIPAA Audit Program

On December 17, 2020, HHS OCR finally announced the release of the long-awaited report on HIPAA compliance, based on the 2016-2017 HIPAA Audits.  This report, which has serious flaws based on my personal experience with the audit process, is nearly useless.  The conclusions are simplistic and inaccurate.  Planned for years, the report was ill-conceived and obviously pushed out the door to clear off someone’s desk before the administration change.  Don’t waste your time at https://www.hhs.gov/sites/default/files/hipaa-audits-industry-report.pdf

Amendments to HIPAA Privacy Rule Proposed

On December 10, 2020, HHS OCR announced proposed changes to the HIPAA Privacy Rule to support individuals’ engagement in their care, remove barriers to coordinated care, and reduce regulatory burdens on the health care industry. 

While continuing to protect individuals’ health information privacy interests, the proposed changes include:

  • Strengthening individuals’ rights to access their own health information, including electronic information; 
  • Improving information sharing for care coordination and case management for individuals; 
  • Facilitating greater family and caregiver involvement in the care of individuals experiencing emergencies or health crises; 
  • Enhancing flexibilities for disclosures in emergency or threatening circumstances, such as the Opioid and COVID-19 public health emergencies; and 
  • Reducing administrative burdens on HIPAA covered health care providers and health plans.

Links to the proposed rule, a fact sheet, a press release, and the Federal Register publication of the request for information are available at https://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/index.html

The proposed rule was published January 21, 2021 in the Federal Register at: https://www.federalregister.gov/documents/2021/01/21/2020-27157/proposed-modifications-to-the-hipaa-privacy-rule-to-support-and-remove-barriers-to-coordinated-care, and the 60-day comment period is open through March 22, 2021 (subsequently extended to May 6, 2021, on March 9, 2021).  Comments may be submitted at https://www.regulations.gov

One of the modifications proposed is to eliminate the requirement to try to get an acknowledgement of receipt of the HIPAA Notice of Privacy Practices, which sounds like a reduction in regulatory burden, but actually increases the regulatory burden.  Why?  Because the acknowledgement of receipt of the HIPAA NPP provides the required consent to call or text someone’s cell phone for healthcare purposes under the Telephone Consumer Protection Act of 1991.  If the acknowledgement is removed, so is the consent, and providers will have to get a written consent to contact people by their cell phone.  Reduction in burden?  Zero.  Cost to change processes in every healthcare provider’s office?  Millions.  

I warned HHS OCR about this at the NIST/OCR HIPAA conference in 2019, but they seem to have paid no notice.  I suggest this topic be included in any comments you may submit during the comment period.

Now an Even Dozen Access Rights Enforcement Settlements

On November 19, 2020, HHS OCR announced settlement number twelve in its quest to ensure individuals’ right to timely access to their health records at a reasonable cost, for $65,000 and a Corrective Action Plan.  University of Cincinnati Medical Center, LLC (UCMC) failed to respond to a patient’s records access request directing UCMC to send an electronic copy of her medical records maintained in UCMC’s EHR to her lawyers.  HIPAA individual rights include the right to direct electronic copies to a third party of the individual's choice.

The press release and resolution agreement are available at:  https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/ucmc/index.html  

Examples for Access Rights Enforcement Keep Being Set

On November 12, 2020, HHS OCR announced its eleventh settlement of an enforcement action in its HIPAA Right of Access Initiative, with Dr. Rajendra Bhayani, who is a private practitioner specializing in otolaryngology in Regal Park, New York, agreeing to take corrective actions and pay $15,000.  

A patient complained that access was not provided as requested, and OCR responded by providing Dr. Bhayani with technical assistance on complying. In July 2019, however, OCR received a second complaint alleging that Dr. Bhayani still had not provided the complainant with access to her records. OCR investigated, and the complainant finally received a complete copy of her medical records in September 2020.  Clearly providers, large and small, must comply.

The press release and resolution agreement are available at:  https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/bhayani/index.html  

Right of Access Initiative Settlements Roll On - Now Number 10

On November 6, 2020, HHS OCR announced settlement of its tenth enforcement action in its HIPAA Right of Access Initiative.  OCR announced this initiative as an enforcement priority in 2019 to support individuals' right to timely access to their health records at a reasonable cost under the HIPAA Privacy Rule.

Riverside Psychiatric Medical Group (“RPMG”), a group practice specializing in child and adolescent psychiatry, geriatric psychiatry, neuropsychiatry, psychology, and substance use disorders, has agreed to take corrective actions and pay $25,000 to settle a potential violation of the HIPAA Privacy Rule's right of access standard.  

In March 2019, OCR received a complaint from a patient alleging that RPMG failed to provide her a copy of her medical records despite multiple requests to RPMG beginning in February 2019.  Shortly after receiving the complaint, OCR provided RPMG with technical assistance on how to comply with the HIPAA Right of Access requirements and closed the matter.  

In April 2019, however, OCR received a second complaint alleging that RPMG still had not provided the complainant with access to her medical records. OCR initiated an investigation and determined that RPMG’s failure to take action in response to the individual’s request was a potential violation of the HIPAA right of access standard.  

RPMG claimed that because the requested records included psychotherapy notes, they did not have to comply with the access request.  While the HIPAA Rules do not require production of psychotherapy notes, they do require covered entities (1) to provide requestors a written explanation when they deny any records request in whole or in part (which RPMG did not do), and (2) to provide the individual access to his or her medical records other than psychotherapy notes (and information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding).  

As a result of OCR’s investigation, RPMG sent the individual all the requested information in her medical record, excluding psychotherapy notes, in October 2020.

The press release and resolution agreement are available at:  https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/riverside/index.html  

New Haven, CT Health Department Fails to Terminate Access

On October 30, 2020, HHS announced the City of New Haven, CT has agreed to pay $202,400 to HHS Office for Civil Rights and to implement a corrective action plan to settle potential violations of the HIPAA Privacy and Security Rules, following a January 2017 report to HHS OCR of a breach stating that a former employee may have accessed a file on a New Haven computer containing the protected health information (PHI) of 498 individuals. 

OCR’s investigation revealed that, on July 27, 2016, a former employee returned to the health department, eight days after being terminated, logged into her old computer with her still-active user name and password, and downloaded PHI that included patient names, addresses, dates of birth, race/ethnicity, gender, and sexually transmitted disease test results onto a USB drive. 

Additionally, OCR found that the former employee had shared her user ID and password with an intern, who continued to use these login credentials to access PHI on New Haven’s network after the employee was terminated.

OCR’s investigation determined that New Haven failed to conduct an enterprise-wide risk analysis, and failed to implement termination procedures, access controls such as unique user identification, and HIPAA Privacy Rule policies and procedures.

The press release and resolution agreement are available at:  https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/new-haven/index.html  
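The two failures OCR called out here, no termination procedure and no unique user identification, are both checkable from records a health department already has: the HR termination roster, the directory's list of enabled accounts, and the authentication log. The following is an added example (not code from OCR, the resolution agreement, or New Haven's systems) of those checks. The log format, the roster, the account names and the workstation names are all constructed for the example.

```python
# Added example (not from the OCR resolution agreement or New Haven's systems):
# checks a small health department could run against its own records to catch
# the failures OCR described. Log format, HR roster, account and workstation
# names are constructed for the example.
from datetime import datetime, timedelta

# Constructed HR termination roster: account name -> date the person left.
TERMINATED = {"jdoe": datetime(2016, 7, 19)}

# Constructed snapshot of accounts still enabled in the directory on AS_OF.
ACTIVE_ACCOUNTS = {"jdoe", "asmith", "intern01"}
AS_OF = datetime(2016, 7, 27)

# Constructed authentication log: "<ISO timestamp> <account> <workstation> <result>".
SAMPLE_LOG = """\
2016-07-18T09:02:11 jdoe WS-HD-04 success
2016-07-20T10:15:02 asmith WS-HD-07 success
2016-07-27T08:41:57 jdoe WS-HD-04 success
2016-07-27T08:43:10 jdoe WS-HD-11 success
2016-07-27T08:50:00 asmith WS-HD-07 failure
2016-07-28T13:05:44 asmith WS-HD-07 success
"""


def parse_log(text):
    """Turn the constructed log into a list of event dicts, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, host, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "account": account,
                       "host": host, "result": result})
    return events


def still_enabled(terminated, active, as_of):
    """Preventive check: people terminated on or before as_of whose accounts are still enabled."""
    return sorted(a for a, left in terminated.items() if left <= as_of and a in active)


def logins_after_termination(events, terminated):
    """Detective check: successful logins on or after the account owner's termination date."""
    return [e for e in events
            if e["result"] == "success"
            and e["account"] in terminated
            and e["ts"] >= terminated[e["account"]]]


def concurrent_hosts(events, window=timedelta(minutes=10)):
    """Same account succeeding from two different workstations within `window`:
    one signal that a credential is being shared rather than kept unique."""
    findings = []
    by_account = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["result"] == "success":
            by_account.setdefault(e["account"], []).append(e)
    for account, evs in by_account.items():
        for i, first in enumerate(evs):
            for later in evs[i + 1:]:
                if later["ts"] - first["ts"] > window:
                    break  # events are time-sorted, so nothing further can match
                if later["host"] != first["host"]:
                    findings.append((account, first["host"], later["host"],
                                     later["ts"].isoformat()))
    return findings


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("enabled after termination:", still_enabled(TERMINATED, ACTIVE_ACCOUNTS, AS_OF))
    for e in logins_after_termination(evs, TERMINATED):
        print("login after termination:", e["ts"].isoformat(), e["account"], e["host"])
    for f in concurrent_hosts(evs):
        print("possible shared credential:", f)
```

Run daily, the first check is the termination procedure OCR found missing (an account that should have been disabled and was not), and the other two are the audit-log review that would have surfaced the July 27 login and the intern's continued use of a borrowed credential. The concurrent-host window is a tuning knob; a short window keeps false positives from people who legitimately move between workstations low.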

Aetna Pays $1,000,000 to Settle Three HIPAA Breaches

On October 28, 2020, HHS announced Aetna Life Insurance Company and the affiliated covered entity (Aetna) has agreed to pay $1,000,000 to the Office for Civil Rights (OCR) at HHS and to adopt a two-year corrective action plan to settle potential HIPAA Privacy and Security Rule violations. The breaches include a June 2017 report of a web-services problem that exposed the PHI of 5,002 individuals, an August 2017 breach report involving benefit notices mailed to 11,887 members using window envelopes exposing the words "HIV medication" through the envelope's window below the member's name and address, and a November 2017 breach report to OCR involving a research study mailing sent to 1,600 Aetna plan members with the name and logo of the atrial fibrillation (irregular heartbeat) research study in which they were participating printed on the envelope. 

OCR's investigation revealed that in addition to the impermissible disclosures, Aetna failed to perform periodic technical and nontechnical evaluations of operational changes affecting the security of their electronic PHI (ePHI); implement procedures to verify the identity of persons or entities seeking access to ePHI; limit PHI disclosures to the minimum necessary to accomplish the purpose of the use or disclosure; and have in place appropriate administrative, technical, and physical safeguards to protect the privacy of PHI.

The press release and resolution agreement are available at:  https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/aetna/index.html  

Another Right of Access Settlement for $100K for Delay

On October 9, 2020, HHS OCR announced a $100,000 settlement and corrective action plan with NY Spine Medicine (a private medical practice specializing in neurology and pain management with offices in New York, NY, and Miami Beach, FL) related to the HIPAA Privacy Rule's right of access.  In July 2019, OCR received a complaint from an individual alleging that beginning in June 2019, she made multiple requests to NY Spine for a copy of her medical records, but NY Spine did not provide the diagnostic films that the individual specifically requested.

OCR initiated an investigation and determined that the failure to provide timely access to all of the requested medical records was a potential violation of the right of access standard.  As a result of OCR’s investigation, the complainant received all of the requested medical records in October 2020.  It shouldn’t take an OCR investigation to get your records!   See the press release and settlement at:  https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/nyspine/index.html  

CHS/Community Health Systems Pays 28 States $5 million

On October 8, 2020, 28 states announced a $5 million settlement and corrective action plan with CHSPSC, LLC, related to a breach of 6.1 million patients’ records that resulted in an HHS OCR settlement of $2.3 million, announced September 23, 2020, and settlement in 2019 of a $3.1 million class action lawsuit.  The Iowa AG’s announcement is here:  https://www.iowaattorneygeneral.gov/newsroom/chs-community-data-breach-settlement  and an article in Fierce Healthcare is at:  https://www.fiercehealthcare.com/tech/chs-to-pay-5m-to-28-states-to-settle-2014-data-breach  

Health Center Pays $160,000 for Delaying Access of PHI

On October 7, 2020, HHS OCR announced a $160,000 settlement of a potential violation of the HIPAA Privacy Rule's right of access provision with Dignity Health, doing business as St. Joseph’s Hospital and Medical Center (“SJHMC”), a large, acute care hospital with several hospital-based clinics that provide a wide range of health, social, and support services in the Phoenix, Arizona area.  

A mother alleged she made multiple requests to SJHMC for a copy of her son’s medical records, as his personal representative.  SJHMC provided some of the requested records, but despite multiple follow up requests, SJHMC did not provide all of the requested records. OCR initiated an investigation and as a result, SJHMC sent all of the requested medical records to the mother more than 22 months after her initial request.  The press release and settlement are available at:  https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/sjhmc/index.html  

Anthem Settles with 44 States for $39.5 Million over Breach

On September 30, 2020, Anthem announced a settlement with 44 states including a $39.5 million payment, for a breach of 79 million patients’ records that has also led to a $16 million settlement with HHS OCR, and a $115 million settlement in a class action lawsuit brought by the victims of the breach.  Quick math shows a total cost in settlement payments alone of $170+ million for this incident.  See Anthem’s announcement in BusinessWire at:  https://www.businesswire.com/news/home/20200930005525/en/Anthem-Announces-Settlement-with-State-Attorneys-General-Following-2015-Cyber-Attack   and an article in HealthITSecurity at:  https://healthitsecurity.com/news/anthem-settles-with-44-states-for-40m-over-2014-breach-of-78.8m  

Health Insurer Pays $6.85 Million for Breach of 10.4+ Million

On September 25, 2020, HHS OCR announced a $6.85 million settlement and corrective action plan for a breach of 10.4 million individuals’ records by Premera Blue Cross (PBC). This is the second-largest payment to resolve a HIPAA investigation in OCR history (though only about 66 cents per person affected).  PBC operates in Washington and Alaska, and is the largest health plan in the Pacific Northwest, serving more than two million people.

Hackers used a phishing email to install malware that gave them access to PBC’s IT system in May 2014, which went undetected for nearly nine months until January 2015.  OCR’s investigation found systemic noncompliance with the HIPAA Rules including failure to conduct an enterprise-wide risk analysis, and failures to implement risk management, and audit controls.  The press release and settlement are available at:  https://www.hhs.gov/about/news/2020/09/25/health-insurer-pays-6-85-million-settle-data-breach-affecting-over-10-4-million-people.html  

Business Associate Breach of 6 million Records = $2.3 million

On September 23, 2020, HHS OCR announced a $2.3 million settlement and corrective action plan for a breach, ignored for months despite FBI warnings, by CHSPSC, LLC, a Business Associate of hospitals and clinics owned by Community Health Systems, Inc.  OCR found longstanding, systemic noncompliance with the HIPAA Security Rule including failure to conduct a risk analysis, and failures to implement information system activity review, security incident procedures, and access controls.  So, who is your Business Associate, and how good is their security?  The press release and settlement are available at:  https://www.hhs.gov/about/news/2020/09/23/hipaa-business-associate-pays-2.3-million-settle-breach.html  

New NIST SP 1800-11 on Recovering from Ransomware

On September 22, 2020, the National Institute of Standards and Technology released a new NIST Cybersecurity Practice Guide, Special Publication (SP) 1800-11, Data Integrity: Recovering from Ransomware and Other Destructive Events that demonstrates how organizations can develop and implement appropriate actions following a detected cybersecurity event. The solutions encourage monitoring and detecting data corruption in commodity components as well as custom applications and data composed of open-source and commercially available components.  See:  https://csrc.nist.gov/publications/detail/sp/1800-11/final  

Monthlong Breach Affecting 208K+ Patients = $1.5 million+CAP

On September 21, 2020, HHS OCR announced Athens Orthopedic Clinic PA has agreed to pay $1.5 million and to adopt a two-year corrective action plan to settle potential HIPAA Privacy and Security Rule violations.

Get this: On June 26, 2016, a journalist notified Athens Orthopedic that a database of their patient records may have been posted online for sale. On June 28, 2016, a hacker contacted Athens Orthopedic and demanded money in return for a complete copy of the database it stole. Athens Orthopedic subsequently determined that the hacker used a vendor's credentials on June 14, 2016, to access their electronic medical record system and exfiltrate patient health data. The hacker continued to access protected health information (PHI) for over a month until July 16, 2016.  On July 29, 2016, Athens Orthopedic filed a breach report informing OCR that 208,557 individuals were affected by this breach, and that the PHI disclosed included patients' names, dates of birth, social security numbers, medical procedures, test results, and health insurance information.

No surprise: OCR's investigation discovered longstanding, systemic noncompliance including failures to conduct a risk analysis, implement risk management and audit controls, maintain HIPAA policies and procedures, secure business associate agreements with multiple business associates, and provide HIPAA Privacy Rule training to workforce members.

The resolution agreement and corrective action plan may be found at https://www.hhs.gov/sites/default/files/athens-orthopedic-ra-cap.pdf and the HHS press release is available at:  https://www.hhs.gov/about/news/2020/09/21/orthopedic-clinic-pays-1.5-million-to-settle-systemic-noncompliance-with-hipaa-rules.html  

NIST Publishes SP 1800-21 on Mobile Device Security: COPE

That stands for Corporate Owned, Personally Enabled devices.  On September 16, 2020, NIST announced the publication of Special Publication (SP) 1800-21, Mobile Device Security: Corporate-Owned Personally-Enabled (COPE).

One deployment model for mobile devices is COPE devices, owned by the enterprise and issued to the employee. COPE architectures provide the flexibility of allowing both enterprises and employees to install applications onto the enterprise-owned mobile device.  The NIST Cybersecurity Practice Guide demonstrates how organizations can use standards-based, commercially available products to help meet their COPE mobile device security and privacy needs.  See:  https://csrc.nist.gov/publications/detail/sp/1800-21/final  

HHS OCR Settles With Five More Entities Re: Right of Access

On September 15, 2020, HHS OCR announced it has settled five more investigations in its HIPAA Right of Access Initiative, to support individuals' right to timely access to their health records at a reasonable cost under the HIPAA Privacy Rule. The five settlements bring OCR's total to seven completed enforcement actions under the Right of Access Initiative; penalties ranged from $3,500 to $70,000 and included multi-year corrective action plans.  See:  https://www.hhs.gov/about/news/2020/09/15/ocr-settles-five-more-investigations-in-hipaa-right-of-access-initiative.html  

ONC/OCR HIPAA Security Risk Assessment Tool Updated

On September 14, 2020, the HHS Office of the National Coordinator for Health IT (ONC) and the Office for Civil Rights (OCR) released an update to the HHS Security Risk Assessment (SRA) Tool, which provides support for small- and medium-sized health care organizations in their efforts to assess security risks. The newly enhanced version 3.2 of the SRA Tool includes a variety of new features like improved navigation throughout the assessment sections, export options for reports, and enhanced user interface scaling. See:  https://www.healthit.gov/topic/privacy-security-and-hipaa/security-risk-assessment-tool  

NIST Announces Draft SP 1800-27, Securing Property Management Systems

On September 14, 2020, the National Institute of Standards and Technology announced the draft of Special Publication (SP) 1800-27, Securing Property Management Systems.  NIST's National Cybersecurity Center of Excellence (NCCoE) built an example solution showing how hospitality organizations can use a standards-based approach and commercially available technologies to meet security needs for protecting a hotel's property management system.  

What does this have to do with HIPAA?  Well, plenty of my clients have property to manage as a landlord and/or rooms to manage as healthcare providers, and many use Property Management Systems to help with this.  The draft guide addresses the relevant security issues.  See: https://content.govdelivery.com/accounts/USNIST/bulletins/2a09066

HHS OCR Updates Health Apps Section on HHS.gov/HIPAA

On September 2, 2020, HHS OCR launched a new feature on HHS.gov, titled Health Apps, taking the place of OCR’s previous Health App Developer Portal, and highlighting OCR’s guidance on when and how the HIPAA regulations apply to mobile health applications.  The page is available at https://www.hhs.gov/hipaa/for-professionals/special-topics/health-apps/index.html and includes pages dedicated to: 

  • Mobile Health Apps Interactive Tool 
  • Health App Use Scenarios & HIPAA
  • FAQs on the HIPAA Right of Access, Apps & APIs
  • FAQs on HIPAA & Health Information Technology 
  • Guidance on HIPAA & Cloud Computing 

Note also that the FTC is looking at its Breach Notification Rule which covers health information on Apps not covered under HIPAA, and may be revising it.  See:  https://healthitsecurity.com/news/ftc-seeks-comment-on-breach-notification-rule-for-health-data  and  https://www.ftc.gov/news-events/press-releases/2020/05/ftc-seeks-comment-part-review-health-breach-notification-rule  

HHS Newsletter Outlines Basics of Security Rule Compliance

On August 25, 2020, HHS Office for Civil Rights published its summer cybersecurity newsletter, Making a List and Checking it Twice: HIPAA and IT Asset Inventories, providing information on inventorying hardware, software, and data assets to support the required HIPAA Security Rule Risk Analysis.  This is a good summary of what needs to be input to any Risk Analysis and provides some useful guidance and links.  See:  https://www.hhs.gov/hipaa/for-professionals/security/guidance/cybersecurity-newsletter-summer-2020/index.html  

HIPAA Guidance Keeps Coming in the Public Health Emergency

Additional guidance and notices of enforcement discretion continue to be produced by the HHS Office for Civil Rights.  On June 12, 2020 HHS issued guidance on how Health Care Providers can contact former COVID-19 patients about blood and plasma donation opportunities, reiterated in August to include contact by Health Plans.  See https://www.hhs.gov/sites/default/files/guidance-on-hipaa-and-contacting-former-covid-19-patients-about-blood-and-plasma-donation.pdf and https://www.hhs.gov/about/news/2020/08/24/trump-administration-adds-health-plans-to-june-2020-plasma-donation-guidance.html 

$1.04 million for Unsecured Laptop, No Device Management, Lack of Proper Business Associate Agreement with Parent

On July 27, 2020, HHS Office for Civil Rights announced a $1.04 million monetary settlement and corrective action plan for HIPAA violations related to the theft of an unencrypted laptop and breach of 20,431 patients’ information in 2017.  Lifespan ACE includes many healthcare provider affiliates in Rhode Island, and has designated itself as a HIPAA affiliated covered entity.

OCR’s investigation determined that there was systemic noncompliance with the HIPAA Rules including a failure to encrypt ePHI on laptops after Lifespan ACE determined it was reasonable and appropriate to do so.  OCR also uncovered a lack of device and media controls, and a failure to have a business associate agreement in place with the Lifespan Corporation.  See:  https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/lifespan/index.html  

Rule Number 1: Encrypt all laptops and portable devices carrying any PHI

Rule Number 2: Follow the rules, do your Risk Analysis, and fully address the safeguards.

Rule Number 3: Make sure you do what’s necessary to properly be an ACE or an OHCA or a Hybrid Entity or a Business Associate, or some combination of any of these!

FQHC gets $25K Penalty for 2011 Breach, Lack of Safeguards

On July 23, 2020, HHS Office for Civil Rights (OCR) announced a $25,000 settlement and 2-year corrective action plan with Metropolitan Community Health Services (Metro), doing business as Agape Health Services, to settle HIPAA Security Rule violations related to a 2011 breach of Protected Health Information affecting 1,263 patients via the theft of an unencrypted laptop.  Metro is a Federally Qualified Health Center that provides a variety of discounted medical services to the underserved population in rural North Carolina and these facts were taken into account in reaching this agreement.

OCR’s investigation revealed longstanding, systemic noncompliance with the HIPAA Security Rule.  Specifically, Metro failed to conduct any risk analyses, failed to implement any HIPAA Security Rule policies and procedures, and neglected to provide workforce members with security awareness training until 2016.  See:  https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/metro/index.html  

Rule Number 1 again: Encrypt all laptops and portable devices carrying any PHI

Rule Number 2 again: Follow the rules, do your Risk Analysis, and fully address the safeguards.

Rules for 42 CFR Part 2 Revised to Ease Communications

On July 13, 2020, HHS announced updates to the rules pertaining to 42 CFR Part 2 and Substance Use Disorder information, and a Fact Sheet on the revisions is available at:  https://www.hhs.gov/about/news/2020/07/13/fact-sheet-samhsa-42-cfr-part-2-revised-rule.html  The revisions are intended to further facilitate better coordination of care in response to the opioid epidemic while maintaining its confidentiality protections against unauthorized disclosure and use.  The press release is available at:  https://www.hhs.gov/about/news/2020/07/13/health-privacy-rule-42-cfr-part-2-revised-modernizing-care-coordination-americans-seeking-treatment.html  Further regulatory changes are under consideration for 42 CFR Part 2 as well, to be announced in the future.

CISA Guidance on Protection From Top 10 Vulnerabilities

On May 12, 2020, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) released Alert (AA20-133A), Top 10 Routinely Exploited Vulnerabilities, to advise IT security professionals at public and private sector organizations to place an increased priority on patching the most commonly known vulnerabilities.  The guidance provides up-to-date information on the most exploited vulnerabilities and their mitigations.  See:  https://www.us-cert.gov/ncas/alerts/aa20-133a  

HHS Issues Numerous Bulletins on HIPAA in the Pandemic

From March through May, 2020, HHS Office for Civil Rights (OCR) issued several guidance documents and other supporting information to assist in responding to the Pandemic and maintaining compliance with HIPAA.  

• March 24, 2020, OCR Issues Guidance to Help Ensure First Responders and Others Receive Protected Health Information about Individuals Exposed to COVID-19.  See:  https://www.hhs.gov/sites/default/files/covid-19-hipaa-and-first-responders-508.pdf  The guidance explains the circumstances under which a covered entity may disclose PHI such as the name or other identifying information about individuals, without their HIPAA authorization, and provides examples including: When needed to provide treatment; When required by law; When first responders may be at risk for an infection; and When disclosure is necessary to prevent or lessen a serious and imminent threat.  

This guidance clarifies the regulatory permissions that covered entities may use to disclose PHI to first responders and others so they can take extra precautions or use personal protective equipment. The guidance also includes a reminder that generally, covered entities must make reasonable efforts to limit the PHI used or disclosed to that which is the "minimum necessary" to accomplish the purpose for the disclosure.

• March 28, 2020, OCR Issues Bulletin on Civil Rights Laws and HIPAA Flexibilities That Apply During the COVID-19 Emergency.  See:  https://www.hhs.gov/sites/default/files/ocr-bulletin-3-28-20.pdf  

• April 2, 2020, OCR Announces Notification of Enforcement Discretion to Allow Uses and Disclosures of Protected Health Information by Business Associates for Public Health and Health Oversight Activities During The COVID-19 Nationwide Public Health Emergency.  See:  https://www.hhs.gov/sites/default/files/notification-enforcement-discretion-hipaa.pdf  

• April 3, 2020, Alert: Individual Posing as OCR Investigator.  An individual posing as an OCR Investigator has contacted HIPAA covered entities in an attempt to obtain protected health information (PHI).  The individual identifies themselves on the telephone as an OCR investigator, but does not provide an OCR complaint transaction number or any other verifiable information relating to an OCR investigation.  HIPAA covered entities and business associates should alert their workforce members, and can take action to verify that someone is an OCR investigator by asking for the investigator’s email address, which will end in @hhs.gov, and asking for a confirming email from the OCR investigator’s hhs.gov email address.  If organizations have additional questions or concerns, please send an email to: OCRMail@hhs.gov.

Suspected incidents of individuals posing as federal law enforcement should be reported to the Federal Bureau of Investigation (FBI).  The FBI issued a public service announcement about COVID-19 fraud schemes at: https://www.ic3.gov/media/2020/200320.aspx.  

• April 9, 2020, OCR Announces Notification of Enforcement Discretion for Community-Based Testing Sites During the COVID-19 Nationwide Public Health Emergency.  HHS will exercise its enforcement discretion and will not impose penalties for violations of the HIPAA Rules against covered entities or business associates in connection with the good faith participation in the operation of COVID-19 testing sites during the COVID-19 nationwide public health emergency, retroactive to March 13, 2020.

This Notification was issued to support certain covered health care providers, including some large pharmacy chains, and their business associates that may choose to participate in the operation of a Community Based-Testing Site (CBTS), which includes mobile, drive-through, or walk-up sites that only provide COVID-19 specimen collection or testing services to the public.  See:  https://www.hhs.gov/sites/default/files/notification-enforcement-discretion-community-based-testing-sites.pdf  

• April 30, 2020, COVID-19 Cyber Threat Resources

Cyber-criminals may take advantage of the current COVID-19 global pandemic for their own financial gain or other malicious motives.  However, resources are available to raise awareness of COVID-19 related cyber threats and help organizations detect, prevent, respond, and recover from these threats.  Below are resources that may be of interest to the healthcare community.

Cyber Attack Quick Response Checklist: Following the WannaCry ransomware attack in 2017, the HHS Office for Civil Rights (OCR) developed a checklist and corresponding Infographic that identifies the steps for a HIPAA covered entity or business associate to take in response to a cyber-related security incident.  With the increase in COVID-19 related malicious activity, HIPAA covered entities and business associates are encouraged to review this checklist and infographic for steps to take in the event it encounters a cyber-related security incident.

COVID-19 Email Phishing Against U.S. Healthcare Providers: The FBI issued a notice regarding email phishing attempts targeting healthcare providers. These phishing attempts leverage COVID-19 related subject lines and content in an attempt to distribute malicious attachments.  The notice includes information on how to identify specific phishing attacks and recommends actions to take when such attacks are encountered.

Online Extortion Scams Increasing During the COVID-19 Crisis: The Internet Crime Complaint Center (IC3) released an advisory regarding an increase in reports of online extortion scams.  This advisory includes information on how to recognize online extortion scams and steps to take to protect oneself from these scams.

Selecting and Safely Using Collaboration Services for Telework: Due to the COVID-19 global pandemic, many people are working from home using various video conferencing and online collaboration tools. The National Security Agency (NSA) published a notice that includes criteria to consider when selecting an online collaboration tool as well as information on how to use online collaboration tools securely.

COVID-19 VTC Exploitation: The increased use of video conferencing and online collaboration tools has led to an increase in malicious activity seeking to exploit the insecure use of these tools.  The HHS Health Sector Cybersecurity Coordination Center (HC3) released a white paper outlining ways these tools could be exploited and recommendations to mitigate these issues.

COVID-19 Cyber Threats: The HC3 also produced a brief on COVID-19 related cyber threats.  This brief includes details on the increase in COVID-19 related malicious activity as well as information on how COVID-19 themed phishing attacks and websites are used as lures to trick users into downloading malicious software or directing users to malicious websites.

OCR’s Cyber Security Guidance Material may be found here:  https://www.hhs.gov/hipaa/for-professionals/security/guidance/cybersecurity/index.html.  For more information related to HIPAA and COVID-19, please visit:  https://www.hhs.gov/hipaa/for-professionals/special-topics/hipaa-covid19/index.html

• May 5, 2020, OCR Issues Guidance on Covered Health Care Providers and Restrictions on Media Access to Protected Health Information about Individuals in Their Facilities.  The HIPAA Privacy Rule does not permit entities to give media and film crews access to facilities where patients’ protected health information (PHI) will be accessible without the patients’ prior authorization.  See:  https://www.hhs.gov/sites/default/files/guidance-on-media-and-film-crews-access-to-phi.pdf  

HIPAA Limits on Teleconferencing Relaxed for the Pandemic

On March 17, 2020, the HHS Office for Civil Rights announced the relaxation during the national health emergency of HIPAA rules on security, encryption, and teleconferencing, to make it easier for medical providers to adopt remote technology in response to the Coronavirus pandemic.  Non-public-facing services, such as Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, or Skype, may be used during the emergency, even if they are not established as HIPAA Business Associates.

HHS also listed a number of services that do meet HIPAA requirements and are willing to sign a HIPAA BAA, including Skype for Business, Updox, VSee, Zoom for Healthcare, Doxy.me, and Google G Suite Hangouts Meet.  Public-facing services, such as Facebook Live, Twitch, TikTok, and similar video communication applications should NOT be used.

Personally, I’d say adopt one of the secure services under a BAA now, and you won’t have to switch later when the emergency is over.  Once you start using it, you won’t want to stop.

The announcement is available at:  https://www.hhs.gov/hipaa/for-professionals/special-topics/emergency-preparedness/notification-enforcement-discretion-telehealth/index.html  

The announcement was augmented by the issuance on March 20 of a set of Frequently Asked Questions about the relaxation.  The FAQs on telehealth remote communications may be found at:  https://www.hhs.gov/sites/default/files/telehealth-faqs-508.pdf 

The press release on telehealth remote communications may be found at: https://www.hhs.gov/about/news/2020/03/17/ocr-announces-notification-of-enforcement-discretion-for-telehealth-remote-communications-during-the-covid-19.html

For more information on HIPAA and COVID-19, see OCR’s February 2020 Bulletin:  https://www.hhs.gov/sites/default/files/february-2020-hipaa-and-novel-coronavirus.pdf 

NIST Releases Final Draft of Revision 5 of SP 800-53 Controls

On March 16, 2020, the National Institute of Standards and Technology released a final public draft of Revision 5 of Special Publication 800-53, Security and Privacy Controls for Information Systems and Organizations, which now includes the NIST Cybersecurity and Privacy control frameworks and a host of revisions and expansions.  If you’re in information privacy and security, you need to review this and get any comments in by the deadline of May 15, 2020.  If you’re working from home now, spend the time you used to spend commuting looking this over — this is a major update.  See the announcement and all the details at:  https://www.nist.gov/news-events/news/2020/03/nist-seeks-comments-final-public-draft-sp-800-53-revision-5-security-and  

Breach + No Risk Analysis Before or After = $100K Settlement

On March 3, 2020, the practice of Steven A. Porter, M.D., a provider of gastroenterological services to over 3,000 patients per year in Ogden, Utah, agreed to pay $100,000 to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) and to adopt a two-year corrective action plan to settle a potential violation of the HIPAA Security Rule.  From the announcement:

“OCR began investigating Dr. Porter’s medical practice after it filed a breach report with OCR related to a dispute with a business associate.  OCR’s investigation determined that Dr. Porter had never conducted a risk analysis at the time of the breach report, and despite significant technical assistance throughout the investigation, had failed to complete an accurate and thorough risk analysis after the breach and failed to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.”

Once again, if HHS OCR advises you to do something, don’t ignore them. 

The resolution agreement and corrective action plan may be found at:  http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/porter/index.html

Court Invalidates Release of PHI to Third Parties Under Rules for Release to Individuals

On January 28, 2020, the US Department of Health and Human Services announced changes in the enforcement of the individual access of information rules, pursuant to a court decision limiting the application of the rules on format and costs.  This is not a simple change, so here goes…

  • Individuals still have the right to get copies of records, paper or electronic, sent to them directly, with costs limited to the individual access request fees.
  • Individuals have the right to request electronic records be sent to a third party, but without the cost limitations under the individual access rules.
  • Individuals can allow a disclosure of paper or electronic records to a third party using a HIPAA Authorization, without cost limitations.

Here is the HHS Announcement:  https://www.hhs.gov/hipaa/court-order-right-of-access/index.html  

Comment: This is a step backward that sets up a hurdle for patients who want to share their records with other parties, such as providers, but at least the patients do still have the right to ask for records in the form or format they wish, for a cost-based fee, which they can then pass on to others as they see fit.  In my view it’s an absurd limitation that will likely be changed by the Data Blocking regulations.  It’s time for healthcare to grow up and stop making it hard for people to access and share their records as they see fit.  It’s a national shame.  My two cents.

Also see the article in HealthITSecurity at:  https://healthitsecurity.com/news/judge-rules-against-hhs-over-hipaa-right-of-access-third-party-fees.  And a great analysis by the Nixon Peabody law firm:  https://www.nixonpeabody.com/en/ideas/articles/2020/02/04/ocr-issues-notice-regarding-medical-record-fees  

NIST Releases Draft of Ransomware Guidance SP 1800-26

On January 28, 2020, the National Cybersecurity Center of Excellence (NCCoE) released a draft of National Institute of Standards and Technology (NIST) Cybersecurity Special Publication 1800-26, Detecting and Responding to Ransomware and Other Destructive Events, for public comment. 

This practice guide can benefit executives, Chief Information Security Officers, system administrators, and others who have a stake in protecting their organizations' data, privacy, and overall operational security.  The NCCoE released the full draft, which comprises the following volumes:
• SP 1800-26A: Executive Summary (PDF)
• SP 1800-26B: Approach, Architecture, and Security Characteristics (PDF)
• SP 1800-26C: How-To-Guides (PDF)

The project includes the development of a reference design and uses commercially available technologies to develop an example solution.  The project focuses on detailed methods and potential tool sets that can detect, mitigate, and contain data integrity events in an enterprise network.  It also identifies tools and strategies to aid in a security team’s response to such events.

The comment period closes on February 26, 2020.  To see the announcement, with a summary and links to the Draft and the e-mail address for comments, see:  https://www.nccoe.nist.gov/projects/building-blocks/data-integrity/detect-respond  

Lost Laptop + Noncompliance + Ignoring OCR Advice = $65,000

On December 30, 2019, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services announced West Georgia Ambulance, Inc. agreed to pay $65,000 and to adopt a corrective action plan, including two years of monitoring, to settle potential HIPAA Security Rule violations.

West Georgia filed a breach report in 2013 following the loss of an unencrypted laptop containing the PHI of 500 individuals. OCR’s investigation uncovered long-standing noncompliance with the HIPAA Rules, including failures to conduct a risk analysis, provide a security awareness and training program, and implement HIPAA Security Rule policies and procedures. According to the OCR Press Release, despite OCR’s investigation and technical assistance, West Georgia did not take meaningful steps to address their systemic failures.

The resolution agreement and corrective action plan may be found at https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/westgeorgia/index.html.

HHS and Dept. of Ed. Issue Updated Guidance re HIPAA, FERPA

On December 19, 2019, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services issued Updated Joint Guidance on Privacy and Student Education and Health Records, addressing the application of the Family Educational Rights and Privacy Act (FERPA) and the HIPAA Privacy Rule to records maintained on students. 

The guidance, which was first issued in November 2008, clarifies how FERPA and HIPAA apply to education and health records maintained about students.  The revised guidance includes additional frequently asked questions and answers addressing when a student’s health information can be shared without the written consent of the parent or eligible student under FERPA, or without written authorization under the HIPAA Privacy Rule, especially in connection with health and safety emergency situations.  Topics include:

  • When can protected health information (PHI) or personally identifiable information from an education record (PII) be shared with the parent of an adult student?
  • What options do family members of an adult student have under HIPAA if they are concerned about the student’s mental health and the student does not agree to disclosures of their PHI?
  • Does HIPAA allow a covered health care provider to disclose PHI about a minor with a mental health condition or substance use disorder to the minor’s parents?
  • When can PHI or PII be shared about a student who presents a danger to self or others? 
  • Under FERPA, can an educational agency or institution disclose, without prior written consent, PII from a student’s education records, including health records, to the educational agency’s or institution’s law enforcement officials?
  • Does FERPA permit an educational agency or institution to disclose, without prior written consent, PII from a student’s education records to the National Instant Criminal Background Check System (NICS)?

The joint guidance may be viewed at:  https://www.hhs.gov/sites/default/files/2019-hipaa-ferpa-joint-guidance-508.pdf 

Another Access of Records HIPAA Settlement for $85,000

On December 12, 2019, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services announced its second enforcement action and settlement under its HIPAA Right of Access Initiative.  Korunda Medical, LLC, a Florida-based company that provides comprehensive primary care and interventional pain management, has agreed to take corrective actions and pay $85,000 to settle a potential violation of HIPAA's right of access provision. 

In March of 2019, OCR received a complaint concerning a Korunda patient alleging that, despite repeatedly asking, Korunda failed to forward a patient's medical records in electronic format to a third party.  Korunda also failed to provide them in the requested electronic format, and charged more than the reasonable cost-based fees allowed under HIPAA. OCR provided Korunda with technical assistance on how to correct these matters, but Korunda continued to fail to provide the requested records, resulting in another complaint to OCR. As a result of OCR's second intervention, the requested records were provided for free in May 2019, and in the format requested.

"For too long, healthcare providers have slow-walked their duty to provide patients their medical records out of a sleepy bureaucratic inertia. We hope our shift to the imposition of corrective actions and settlements under our Right of Access Initiative will finally wake up healthcare providers to their obligations under the law," said Roger Severino, OCR Director.

The resolution agreement and corrective action plan may be found at: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/korunda/index.html.

What is PHI?  Get it wrong = $2.175 million Breach Settlement

On November 27, 2019, HHS OCR announced a $2.175 million HIPAA settlement after Sentara Hospitals, comprising 12 acute care hospitals with more than 300 sites of care throughout Virginia and North Carolina, failed to properly notify HHS of a breach of unsecured PHI.

Sentara mailed 577 patients’ PHI to wrong addresses, including patient names, account numbers, and dates of services.  Sentara reported this incident as a breach affecting 8 individuals, because Sentara concluded, incorrectly, that unless the disclosure included patient diagnosis, treatment information or other medical information, no reportable breach of PHI had occurred.  Sentara persisted in its refusal to properly report the breach even after being explicitly advised of their duty to do so by OCR. OCR also determined that Sentara failed to have a business associate agreement in place with Sentara Healthcare, an entity that performed business associate services for Sentara.

In addition to the monetary settlement, Sentara will undertake a corrective action plan that includes two years of monitoring. The resolution agreement and corrective action plan may be found at https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/sentara/index.html

Exposure of 6,617 Records = $1.6 million Fine for Texas Agency

Well, the hits just keep on comin’!  On November 7, 2019, the HHS Office for Civil Rights (OCR) announced a $1,600,000 civil money penalty (not a settlement, a fine) against the Texas Health and Human Services Commission (TX HHSC), for HIPAA violations between 2013 and 2017. TX HHSC operates state supported living centers; provides mental health and substance use services; regulates child care and nursing facilities; and administers hundreds of programs for people who need assistance, including supplemental nutrition benefits and Medicaid. 

On June 11, 2015, a breach report was filed with OCR stating that the electronic PHI of 6,617 individuals was viewable over the internet. The breach was a result of a flawed migration to a new server, lack of risk analysis, and lack of adequate audit controls, such that the number of accesses of the information was unknown. The Notice of Proposed Determination and Notice of Final Determination may be found at: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/txhhsc/index.html

Unencrypted Mobile Devices (Again) Lead to $3 Million Penalty

On November 5, 2019, the U.S. Department of Health and Human Services Office for Civil Rights announced that the University of Rochester Medical Center (URMC) has agreed to pay $3 million and take substantial corrective action to settle potential violations of the HIPAA Privacy and Security Rules.  From the press release...

  • URMC filed breach reports with OCR in 2013 and 2017 following its discovery that protected health information (PHI) had been impermissibly disclosed through the loss of an unencrypted flash drive and theft of an unencrypted laptop, respectively. OCR's investigation revealed that URMC failed to conduct an enterprise-wide risk analysis; implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level; utilize device and media controls; and employ a mechanism to encrypt and decrypt electronic protected health information (ePHI) when it was reasonable and appropriate to do so. 
  • Of note, in 2010, OCR investigated URMC concerning a similar breach involving a lost unencrypted flash drive and provided technical assistance to URMC. Despite the previous OCR investigation, and URMC's own identification of a lack of encryption as a high risk to ePHI, URMC permitted the continued use of unencrypted mobile devices.

Whoops!  Lessons not learned lead to big penalties!  As OCR Director Roger Severino says, “When covered entities are warned of their deficiencies, but fail to fix the problem, they will be held fully responsible for their neglect.”

See the settlement at: http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/urmc/index.html

Miami Hospital Pays a $2.15 million Fine for Several Violations

On October 23, 2019, the U.S. Department of Health and Human Services Office for Civil Rights announced the imposition of a civil money penalty of $2,154,000 against Jackson Health System (JHS) for violations of HIPAA Security and Breach Notification Rules between 2013 and 2016. JHS is a nonprofit academic medical system based in Miami, Florida.

On August 22, 2013, JHS submitted a breach report to OCR stating that it had lost paper records containing the PHI of 756 patients in January 2013. JHS's internal investigation determined that an additional three boxes of patient records were also lost in December 2012; however, JHS did not report the additional loss, which increased the number of individuals affected to 1,436, until June 7, 2016.

In July 2015, OCR initiated an investigation following a media report that disclosed the PHI of a JHS patient. A reporter had shared a photograph of a JHS operating room screen containing the patient's medical information on social media. JHS subsequently determined that two employees had accessed this patient's electronic medical record without a job-related purpose.

On February 19, 2016, JHS submitted a breach report to OCR reporting that an employee had been selling patient PHI. The employee had inappropriately accessed over 24,000 patients' records since 2011.

Lessons here: OCR's investigation revealed that JHS failed to 1) provide timely and accurate breach notification to the Secretary of HHS, 2) conduct enterprise-wide risk analyses, 3) manage identified risks to a reasonable and appropriate level, 4) regularly review information system activity records, and 5) restrict authorization of its workforce members' access to patient ePHI to the minimum necessary to accomplish their job duties.

JHS waived its right to a hearing and did not contest the findings, and has paid the full civil money penalty.  "OCR's investigation revealed a HIPAA compliance program that had been in disarray for a number of years," said OCR Director Roger Severino.  See:  http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/jackson/index.html  

No, You Can’t Post PHI on Social Media - Dentist Hit for $10K

On October 2, 2019, the U.S. Department of Health and Human Services Office for Civil Rights announced that Elite Dental Associates agreed to pay $10,000 and adopt a corrective action plan to settle social media disclosures of patients’ protected health information.  

On June 5, 2016, OCR received a complaint from an Elite patient that Elite had responded to a social media review by disclosing the patient’s name and details of the patient’s health condition.  OCR’s investigation found that Elite had impermissibly disclosed the PHI of multiple patients in response to patient reviews on the Elite Yelp review page, and did not have a policy and procedure regarding disclosures of PHI to ensure that its social media interactions protect the PHI of its patients or a Notice of Privacy Practices that complied with the Privacy Rule.  OCR accepted a substantially reduced settlement amount in consideration of Elite’s size, financial circumstances, and cooperation with OCR’s investigation.

“Social media is not the place for providers to discuss a patient’s care,” said OCR Director, Roger Severino.  “Doctors and dentists must think carefully about patient privacy before responding to online reviews.”  Well said!

The resolution agreement and corrective action plan may be found at: http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/elite/index.html

HHS Settles Individual Access of Records Case for $85K

On September 9, 2019, the U.S. Department of Health and Human Services announced its first enforcement action and settlement in its Right of Access Initiative, wherein Bayfront Health St. Petersburg (Bayfront) has paid $85,000 to OCR and has adopted a corrective action plan to settle a potential violation of the HIPAA right of access provision, after Bayfront failed to provide a mother timely access to records about her unborn child.  

In addition to the monetary settlement, Bayfront will undertake a corrective action plan that includes one year of monitoring by OCR. The resolution agreement and corrective action plan may be found at: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/bayfront/index.html

This settlement is long in coming and signals that HHS is actually serious about the issue of records access, finally.  This is a wake-up call: no more dilly-dallying in responding to patient requests for records!

AHIMA Updates Guidelines for Cybersecurity Planning

In August 2019, the American Health Information Management Association (AHIMA) published an updated version of its document, AHIMA Guidelines: The Cybersecurity Plan, providing a seventeen-step list of tasks to perform in completing a cybersecurity plan, from conducting a risk analysis to discussing cybersecurity issues with senior management.  Whether or not you follow this process strictly, it does present a good set of questions and issues to be considered in establishing and maintaining any cybersecurity program.  See:  https://journal.ahima.org/wp-content/uploads/2019/08/AHIMA-Cybersecurity-Guidelines_2019Revision.pdf  

Updates Proposed for 42 CFR Part 2 Rules to Improve Care

On August 22, 2019, the US Department of Health and Human Services announced proposed changes to the rules under 42 CFR Part 2, including changes for clarification of when the rules apply, the definition of “records”, access of central registries (such as prescription drug monitoring programs), generalization of some consents, clarification of allowable disclosures for payment and operational purposes, better research alignment with HIPAA and the Common Rule, and rules on how Part 2 program staff’s personally owned devices must be cleared of any Part 2 data, including texts and e-mail messages.  The NPRM is available at https://s3.amazonaws.com/public-inspection.federalregister.gov/2019-17817.pdf now, and will be published in the Federal Register on August 26, where it will be available at https://www.federalregister.gov/d/2019-17817  

The HHS 42 CFR Part 2 Proposed Rule Fact Sheet outlining the changes is available at https://www.hhs.gov/about/news/2019/08/22/hhs-42-cfr-part-2-proposed-rule-fact-sheet.html

There is a summary article on the proposed rule in Modern Healthcare at https://www.modernhealthcare.com/patients/hhs-changes-privacy-restrictions-around-addiction-treatment

New York State SHIELD Act Changes the Game for Breach Notification

On July 25, 2019, New York Governor Cuomo signed into law the Stop Hacks and Improve Electronic Data Security Act (the "SHIELD Act”), which amends New York State's current data breach notification law, and breaks new ground by imposing substantive data security requirements on businesses that own or lease the Private Information of New York residents, regardless of whether the businesses otherwise conduct business in New York State.

In addition, the SHIELD Act requires HIPAA covered entities to report to the New York State Attorney General any breaches that must be reported to HHS, even if the data at issue does not count as Private Information under New York's breach notification law, and apparently even if the information subject to HIPAA breach reporting was not in electronic form. 

The SHIELD Act's breach notification provisions take effect on October 23, 2019, and the new data security requirements take effect on March 21, 2020.  The Act is available at https://legislation.nysenate.gov/pdf/bills/2019/A5635A and an article discussing the act by the firm Proskauer Rose is available at https://www.proskauer.com/alert/the-new-shield-act-changes-breach-notification-rules-and-data-security-standards-for-new-yorkers-personal-information  

New NIST Guide re: Mobile Devices (Corporate-owned, Personally-enabled, or COPE)

NIST’s National Cybersecurity Center of Excellence (NCCoE) has released Draft NIST Special Publication (SP) 1800-21, Mobile Device Security: Corporate-Owned Personally-Enabled (COPE), for public comment. The comment period ends September 23, 2019.

Mobile devices bring unique threats to the enterprise that need to be addressed in a manner distinct from traditional desktop platforms. This includes securing against different types of network-based attacks on devices that generally have an always-on connection to the internet, malicious or risky apps that compromise the data that devices can access, and phishing attempts that try to collect user credentials or entice a user to install software. Additionally, this guide addresses how to reduce risks to individuals through privacy protections.

See: https://csrc.nist.gov/publications/detail/sp/1800-21/draft

New Webinar Dates: HHS Security Risk Assessment Tool Overview and User Feedback Session

The hastily announced Webinar for the updated HHS HIPAA Security Risk Assessment Tool has had two more sessions added.  The additional sessions will be on July 30th, from 3:30 to 5:30 PM, and on August 15th, 1:00 to 3:00 PM.  Let it be said, I don’t think much of the tool, but I’ll be watching the July 30 session myself, to see if it’s been improved and hopefully learn something new.  The sessions are available at: 
• July 30th at 3:30 – 5:30 PM EDT:  https://attendee.gotowebinar.com/register/2537874447631761409
• August 15th at 1:00 – 3:00 PM EDT:  https://attendee.gotowebinar.com/register/1957050833189349121

HHS Announces FAQs re Uses and Disclosures for Care Coordination and Continuity of Care

On June 26, 2019, the Office for Civil Rights at the U.S. Department of Health and Human Services issued a frequently asked question (FAQ) document that clarifies how the HIPAA Privacy Rule permits health plans to share protected health information (PHI) in a manner that furthers the HHS Secretary's goal of promoting coordinated care.  The FAQ explains when and how one health plan can share PHI about individuals in common with a second health plan for care coordination purposes under the Privacy Rule.  https://www.hhs.gov/hipaa/for-professionals/faq/3014/uses-and-disclosures-for-care-coordination-and-continuity-of-care/index.html

HHS Announces 2019 NIST/OCR HIPAA Security Conference

On June 25, 2019, the US Department of Health and Human Services Office for Civil Rights announced the 2019 OCR/NIST Conference: Safeguarding Health Information: Building Assurance through HIPAA Security, to be held October 16, 2019 to October 17, 2019 at the Washington Marriott at Metro Center, 775 12th St NW, Washington, DC 20005.  The conference, the only one I go to every year, focuses on the key healthcare information security issues and provides access to the leaders in the area.  Attendance is available in person or by Webcast.  For more information, see:  https://www.nist.gov/news-events/events/2019/10/safeguarding-health-information-building-assurance-through-hipaa-security

HHS Issues Guide to BA Enforcement Liability Under HIPAA

On May 24, 2019, the US Department of Health and Human Services Office for Civil Rights issued a guide to the direct enforcement liabilities of Business Associates under the HIPAA regulations, detailing the specific rules under which Business Associates must operate.  There are no surprises, just a straightforward list of ten categories of things that can land a Business Associate in hot water, including one big category for “Failure to comply with the requirements of the Security Rule” and one for “Impermissible Uses and Disclosures of PHI”.  It’s a handy list to refer to, available at:  https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/factsheet/index.html  Also see the starting page for Business Associate guidance at:  https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/index.html  

No Risk Analysis + Breach of up to 3.5m Records = $100K

On May 23, 2019, the US Department of Health and Human Services Office for Civil Rights announced an enforcement settlement agreement with an Indiana medical records service, Medical Informatics Engineering, Inc. (MIE).  On July 23, 2015, MIE filed a breach report with OCR following discovery that hackers used a compromised user ID and password to access the electronic protected health information (ePHI) of approximately 3.5 million patients.  OCR’s investigation revealed that MIE did not conduct a comprehensive risk analysis prior to the breach.  (Oops!)  The settlement includes a $100,000 payment and adoption of a corrective action plan.  See: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/mie/index.html

Misconfigured FTP = Breach of 300K Records = $3 million Penalty

On May 6, 2019, the US Department of Health and Human Services announced that Touchstone Medical Imaging (“Touchstone”) has agreed to pay $3,000,000 to the HHS Office for Civil Rights (OCR), and to adopt a corrective action plan to settle potential violations of the HIPAA Security and Breach Notification Rules.  An insecure FTP server exposed PHI that was indexed by search engines, where it remained accessible even after the server was taken offline.

Touchstone initially claimed there had been no exposure, but relented, and a belated investigation showed otherwise; notification was therefore also untimely.  No risk analysis had been performed, and no Business Associate Agreement was in place with either its IT vendor or its data center.  In addition to the monetary settlement amount, a robust corrective action plan is called for.

The HHS Press Release is available at:  https://www.hhs.gov/about/news/2019/05/06/tennessee-diagnostic-medical-imaging-services-company-pays-3000000-settle-breach.html  and the resolution agreement and corrective action plan are at https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/tmi/index.html 

HHS Revises Maximum Annual HIPAA Penalty Amounts

On April 26, 2019, the US Department of Health and Human Services announced, in a notice of enforcement discretion, revisions to the maximum penalty level for the various tiers of violations under HIPAA, to match the language in the HITECH Act more accurately.  

Instead of applying a maximum of $1.5 million for all violations of a similar type in a single year regardless of the penalty tier applied, there is a new set of annual maximum penalties, with a different annual maximum for each tier: 

• Tier 1 (no knowledge): $100-$50,000 per violation, capped at $25,000 per year the issue persisted
• Tier 2 (reasonable cause): $1,000-$50,000 per violation, capped at $100,000 per year the issue persisted
• Tier 3 (willful neglect, corrected): $10,000-$50,000 per violation, capped at $250,000 per year the issue persisted
• Tier 4 (willful neglect, not corrected): $50,000 per violation, capped at $1.5 million per year the issue persisted

The goal is to make the maximums relevant to the “level of culpability” involved with a violation, as per the HITECH Act, which previously was interpreted differently, reflecting an ambiguity in the Act.

The notice is available in the Federal Register of April 30, at:  https://www.federalregister.gov/documents/2019/04/30/2019-08530/notification-of-enforcement-discretion-regarding-hipaa-civil-money-penalties  

In addition, in October of 2018 HHS announced Cost-Of-Living-Adjustments to the penalty amounts, resulting in a new table of penalties:

• Tier 1 (no knowledge): $114-$57,051 per violation, capped at $28,525 per year the issue persisted
• Tier 2 (reasonable cause): $1,141-$57,051 per violation, capped at $114,102 per year the issue persisted
• Tier 3 (willful neglect, corrected): $11,182-$57,051 per violation, capped at $285,255 per year the issue persisted
• Tier 4 (willful neglect, not corrected): $57,051 per violation, capped at $1,711,522 per year the issue persisted

For an excellent summary of the implications of the changes, see Kim Stanger’s article at:  https://www.hhhealthlawblog.com/2019/05/hhs-reduces-the-annual-cap-for-most-hipaa-penalties.html  

MD Anderson Seeks Injunction Against $4.3 Million HIPAA Fine

An April 23, 2019 article published by the Journal of AHIMA reported that the MD Anderson Cancer Center, having lost its appeal to an Administrative Law Judge, is further appealing the decision and seeks an injunction against their fine for mistreatment of PHI related to research.  This seems like a colossal waste of money that ought to go to health care instead — let’s just say the legal experts are skeptical of their case, as it relies on a number of hard-to-accept arguments.  I don’t know why they are listening to anyone who recommends going down this futile path.  See the article about how foolish you can be, IMHO, at:  https://journal.ahima.org/2019/04/23/md-anderson-cancer-center-seeks-injunction-against-4-3-million-hipaa-fine/  

HHS Issues Guidance on HIPAA and 3rd Party Apps

On April 22, 2019, HHS posted guidance on the use of third-party apps and health information under HIPAA.  The guidance clarifies the rules around, and provides examples of, the use of third-party apps for communications with providers, and explains how HIPAA applies.  It all boils down to understanding on whose behalf the app is being used.  The guidance is available at:  https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/hippa-access-right-health-apps-apis/index.html and an article on the topic in FierceHealthcare is available at:  https://www.fiercehealthcare.com/tech/hhs-guidance-clarifies-hipaa-liability-use-third-party-health-apps

Information Blocking Rule Announced, Finally!

On February 11, 2019, The Office of the National Coordinator for Health Information Technology (ONC) issued a Notice of Proposed Rulemaking to Improve the Interoperability of Health Information, the long awaited “Information Blocking” rule, called for by the 21st Century Cures Act.  From the ONC Web site: "The proposed rule is designed to increase innovation and competition by giving patients and their healthcare providers secure access to health information and new tools, allowing for more choice in care and treatment. It calls on the healthcare industry to adopt standardized application programming interfaces (APIs), which will help allow individuals to securely and easily access structured EHI using smartphone applications.

"The proposed rule places a strong focus on a patient's ability to access their health information through a provision requiring that patients can electronically access all of their EHI (structured and/or unstructured) at no cost. Finally, to further support access and exchange of EHI, the proposed rule implements the information blocking provisions of the Cures Act. The rule proposes seven exceptions to the definition of information blocking.”

It’s about time!  Easy access is absolutely necessary today and it’s a shame we have taken so long to start moving in this direction.  See an article on the topic in Healthcare IT News at:  https://www.healthcareitnews.com/news/hhs-unwraps-new-information-blocking-rule  See the ONC announcement, with links to the NPRM and several supporting documents (including summaries of the seven exceptions to information blocking) at:  https://www.healthit.gov/topic/laws-regulation-and-policy/notice-proposed-rulemaking-improve-interoperability-health

Misconfigured Servers Cost Cottage Health $3 million

On February 7, 2019, the Department of Health and Human Services Office for Civil Rights announced a $3 million settlement and a “robust” corrective action plan for Cottage Health for having unsecured servers leading to multiple breaches, affecting a total of 62,500 individuals, and for lacking the required risk and technical analyses and business associate agreements.  Cottage Health operates Santa Barbara Cottage Hospital, Santa Ynez Cottage Hospital, Goleta Valley Cottage Hospital and Cottage Rehabilitation Hospital, in California.  Make sure whoever you hire to manage your systems is contracted appropriately and does a good job!  And don’t forget, YOU are responsible for your own Risk Analysis.  See:  https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/cottage/index.html

HHS Releases Health Industry Cybersecurity Practices Guide

On December 28, 2018 the Department of Health and Human Services released a guide to voluntary cybersecurity practices for healthcare organizations ranging in size from local clinics to large hospital systems.  This is an important product of the section 405d requirements under the Cybersecurity Information Sharing Act of 2015 (CISA).

Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients is a four-volume publication, the result of a two-year public-private partnership between HHS and more than 150 healthcare industry professionals, mandated through CISA.  This is good stuff!  

The guidance is a mixture of highly technical solutions and common sense practices applicable to a wide range of healthcare facilities. The core of the document explores the five most relevant threats to the healthcare industry and recommends 10 cybersecurity practices to mitigate them.  See:  https://www.phe.gov/Preparedness/planning/405d/Pages/hic-practices.aspx  

The set of volumes includes: 

• the main report, Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (https://www.phe.gov/Preparedness/planning/405d/Documents/HICP-Main-508.pdf), 
• Technical Volume 1: Cybersecurity Practices for Small Health Care Organizations (https://www.phe.gov/Preparedness/planning/405d/Documents/tech-vol1-508.pdf), 
• Technical Volume 2: Cybersecurity Practices for Medium and Large Health Care Organizations (https://www.phe.gov/Preparedness/planning/405d/Documents/tech-vol2-508.pdf), and
• Resources and Templates (https://www.phe.gov/Preparedness/planning/405d/Documents/resources-templates-508.pdf).

A Cybersecurity Practices Assessments Toolkit (Appendix E-1) is under development.

NIST Releases Risk Management Framework Revision 2

On December 20, 2018, the National Institute of Standards and Technology published NIST Special Publication (SP) 800-37 Revision 2, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy, the first NIST publication to address security and privacy risk management in an integrated, robust, and flexible methodology.  For an overview of the seven major objectives of the revision, and an explanation of the new “Prepare” step in the framework, see  https://csrc.nist.gov/news/2018/rmf-update-nist-publishes-sp-800-37-rev-2  and for the new revision, see  https://csrc.nist.gov/publications/detail/sp/800-37/rev-2/final  

NIST Releases Guidance on Medical Device Security

On December 20, 2018, the National Institute of Standards and Technology released its December 2018 ITL Security Bulletin on the Topic of the Month: Securing Wireless Infusion Pumps.  The bulletin summarizes NIST SP 1800-8, Securing Wireless Infusion Pumps in Healthcare Delivery Organizations, which discusses the cybersecurity risks associated with medical devices, such as infusion pumps, that can connect to a variety of healthcare systems, networks, and other tools within a healthcare delivery organization.

See: https://csrc.nist.gov/publications/detail/itl-bulletin/2018/12/securing-wireless-infusion-pumps/final and the PDF version at https://csrc.nist.gov/CSRC/media/Publications/Shared/documents/itl-bulletin/itlbul2018-12.pdf

For a complete list of ITL Bulletins: https://csrc.nist.gov/publications/itl-bulletin

Failure to Terminate Access of Former Employee = $111.4K

I must say I’m astonished to see this one — this is a topic I’ve been harping about for some time now, with the message mostly falling on deaf ears.  But this enforcement action validates my concern.

On December 11, 2018, the pace of HIPAA enforcement actions continued to increase, with the HHS announcement that Pagosa Springs Medical Center (PSMC) agreed to pay $111,400 and adopt a substantial corrective action plan to settle potential HIPAA violations.  PSMC is a critical access hospital that, at the time of OCR’s investigation, provided more than 17,000 hospital and clinic visits annually and employed more than 175 individuals.

The complaint alleged that a former PSMC employee continued to have remote access to PSMC’s web-based scheduling calendar, which contained patients’ electronic PHI, after separation of employment. OCR’s investigation revealed that PSMC impermissibly disclosed the ePHI of 557 individuals to its former employee and to the web-based scheduling calendar vendor without a HIPAA required business associate agreement in place.

Covered entities that do not have or follow procedures to terminate information access privileges upon employee separation risk a HIPAA enforcement action.  Covered entities must also evaluate relationships with vendors to ensure that business associate agreements are in place with all BAs before disclosing PHI.  The resolution agreement and corrective action plan may be found on the OCR website at http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/pagosasprings.
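The control at issue above is a procedure, not a product: someone has to compare the people who have left with the accounts that still work. The following is an added example of that reconciliation, not code from the newsletter, from HHS or from PSMC. It assumes two exports that any organization can produce, an HR roster with separation dates and an account list from a hypothetical web-based scheduling application, and flags three conditions: an account still enabled after its owner separated, a login recorded after the separation date (actual post-separation access, the scenario in the PSMC case), and an account with no matching workforce record at all, which is the kind of vendor or shared account that needs an owner and, where PHI is involved, a business associate agreement. All names, IDs and dates are constructed for illustration.

```python
"""Reconcile HR separations against application accounts (added example).

Constructed data only; the CSV exports below stand in for a real HR system
and a hypothetical scheduling-calendar account report.
"""
import csv
import io
from dataclasses import dataclass
from datetime import date

# Constructed HR export: one row per workforce member; separation_date is
# empty for current employees.
HR_ROSTER_CSV = """\
employee_id,name,separation_date
1001,Alice Example,
1002,Bob Example,2018-03-15
1003,Carol Example,2018-06-30
1004,Dave Example,
"""

# Constructed account export from a hypothetical web-based scheduling
# calendar: account owner (blank for non-workforce accounts), enabled flag,
# and last successful login.
CALENDAR_ACCOUNTS_CSV = """\
username,employee_id,enabled,last_login
aexample,1001,true,2018-11-20
bexample,1002,true,2018-09-02
cexample,1003,false,2018-06-29
dexample,1004,true,2018-11-19
vendor_support,,true,2018-11-01
"""


@dataclass
class Finding:
    username: str
    reason: str


def _parse_date(text: str):
    """ISO date string -> date, or None when the field is blank."""
    return date.fromisoformat(text) if text else None


def load_roster(roster_csv: str) -> dict:
    """Map employee_id -> separation date (None while still employed)."""
    rows = csv.DictReader(io.StringIO(roster_csv))
    return {row["employee_id"]: _parse_date(row["separation_date"]) for row in rows}


def find_orphaned_access(roster_csv: str, accounts_csv: str) -> list:
    """Return one Finding per access condition that should have been closed.

    Checks, in order, for each account:
      1. owner has no HR record at all (vendor/shared account: confirm owner
         and, if it touches PHI, that a BAA exists);
      2. owner separated but the account is still enabled;
      3. a login occurred after the separation date (actual post-separation use).
    """
    roster = load_roster(roster_csv)
    findings = []
    for acct in csv.DictReader(io.StringIO(accounts_csv)):
        user = acct["username"]
        separated = roster.get(acct["employee_id"], "unknown")
        if separated == "unknown":
            findings.append(Finding(user, "no HR record: vendor or shared account, confirm owner and BAA"))
            continue
        if separated is None:
            continue  # current employee, nothing to report
        if acct["enabled"].strip().lower() == "true":
            findings.append(Finding(user, f"still enabled after separation on {separated}"))
        last_login = _parse_date(acct["last_login"])
        if last_login and last_login > separated:
            findings.append(Finding(user, f"login on {last_login} after separation on {separated}"))
    return findings


if __name__ == "__main__":
    for f in find_orphaned_access(HR_ROSTER_CSV, CALENDAR_ACCOUNTS_CSV):
        print(f"{f.username}: {f.reason}")
```

Run against the constructed data, the script reports bexample twice (still enabled, and a login months after separation) and the ownerless vendor_support account once; cexample was disabled before the separation date and produces nothing. Running such a comparison on a schedule, for every application that holds ePHI and not just the directory, is what turns a termination policy into the "procedures to terminate information access privileges" that OCR looks for.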

Share PHI with Unknown Vendor, No BAA = Breach = $500K

On December 4, 2018, HHS OCR announced that Advanced Care Hospitalists PL (ACH) has agreed to pay $500,000 and to adopt a substantial corrective action plan to settle potential HIPAA violations. ACH provides contracted internal medicine physicians to hospitals and nursing homes in west central Florida.  ACH provided services to more than 20,000 patients annually and employed between 39 and 46 individuals during the relevant timeframe.

Between November 2011 and June 2012, ACH engaged the services of an individual that represented himself to be a representative of a Florida-based company named Doctor’s First Choice Billings, Inc. (First Choice). The individual provided medical billing services to ACH using First Choice’s name and website, but allegedly without any knowledge or permission of First Choice’s owner.

On February 11, 2014, a local hospital notified ACH that patient information was viewable on the First Choice website, including name, date of birth and social security number.  ACH filed a breach notification report with OCR on April 11, 2014, stating that 400 individuals were affected; however, after further investigation, ACH filed a supplemental breach report stating that an additional 8,855 patients could have been affected.

ACH never entered into a business associate agreement with the individual providing medical billing services to ACH, as required by HIPAA, and failed to adopt any policy requiring business associate agreements until April 2014.  Although ACH had been in operation since 2005, it had not conducted a risk analysis or implemented security measures or any other written HIPAA policies or procedures before 2014.

The resolution agreement and corrective action plan may be found on the OCR website at http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/ACH/index.html

Allergy Doctor Goes Public With Patient Information = $125K

On November 26, 2018, HHS OCR announced that Allergy Associates of Hartford, P.C. (Allergy Associates), has agreed to pay $125,000 and to adopt a corrective action plan to settle potential HIPAA Privacy Rule violations. Allergy Associates is a health care practice that specializes in treating individuals with allergies, and is comprised of three doctors at four locations across Connecticut.

In February 2015, a patient of Allergy Associates contacted a local television station to speak about a dispute that had occurred between the patient and an Allergy Associates’ doctor. The reporter subsequently contacted the doctor for comment and the doctor impermissibly disclosed the patient’s protected health information to the reporter.

OCR’s investigation found that the doctor’s discussion with the reporter demonstrated a reckless disregard for the patient’s privacy rights and that the disclosure occurred after the doctor was instructed by Allergy Associates’ Privacy Officer to either not respond to the media or respond with “no comment.” Additionally, OCR’s investigation revealed that Allergy Associates failed to take any disciplinary action against the doctor or take any corrective action following the impermissible disclosure to the media.

The resolution agreement and corrective action plan may be found on the OCR website at http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/allergyassociates/index.html

Vendor Banned from New Jersey for Role in Breach of PHI

On November 2, 2018, New Jersey Attorney General Gurbir S. Grewal and the New Jersey Division of Consumer Affairs announced a $200,000 settlement with a now-defunct Georgia company responsible for a 2016 security lapse that allowed the public to view online patient records belonging to more than 1,650 individuals treated by doctors associated with Virtua Medical Group (“VMG”), a southern New Jersey network of medical and surgical practices.

The settlement with ATA Consulting LLC, which did business as Best Medical Transcription, and its owner, Tushar Mathur, resolves allegations that the company violated the federal Health Insurance Portability and Accountability Act (“HIPAA”) and the New Jersey Consumer Fraud Act (“CFA”) in connection with a server misconfiguration that publicly exposed the private health information – including the names and medical diagnoses – of up to 1,654 individuals.

In addition to civil penalties and reimbursement of attorneys’ fees and costs, the settlement with Best Medical Transcription permanently bars Mathur from managing or owning a business in New Jersey.

The announcement is available at:  https://www.nj.gov/oag/newsreleases18/pr20181102a.html  and an article on the settlement in HealthcareITNews is available at:  https://www.healthcareitnews.com/news/new-jersey-slams-best-medical-transcription-200k-fine-2016-breach  

Anthem Hit With Huge(?) Penalty: 20 cents per Person = $16M

On October 15, 2018, HHS OCR announced that Anthem, Inc. has agreed to pay $16 million and take substantial corrective action to settle potential violations of HIPAA after a series of cyberattacks led to the largest U.S. health data breach in history and exposed the electronic protected health information of almost 79 million people.  The $16 million settlement eclipses the previous high of $5.55 million paid to OCR in 2016.

Anthem discovered cyber-attackers had infiltrated their system through spear phishing emails sent to an Anthem subsidiary after at least one employee responded to the malicious email and opened the door to further attacks. OCR’s investigation revealed that between December 2, 2014 and January 27, 2015, the cyber-attackers stole the ePHI of almost 79 million individuals, including names, social security numbers, medical identification numbers, addresses, dates of birth, email addresses, and employment information.

In addition to the impermissible disclosure of ePHI, OCR’s investigation revealed that Anthem failed to conduct an enterprise-wide risk analysis, had insufficient procedures to regularly review information system activity, failed to identify and respond to suspected or known security incidents, and failed to implement adequate minimum access controls to prevent the cyber-attackers from accessing sensitive ePHI, beginning as early as February 18, 2014.

The resolution agreement and corrective action plan may be found on the OCR website at http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/anthem/index.html.

HHS Updates the HIPAA Audit Protocol in July, Tells No One

SURPRISE!  HHS OCR Updated the HIPAA Audit Protocol in July 2018.  There was no announcement, and no summary of the changes is provided.  So I began the process of updating my HIPAA Audit Protocol spreadsheet only to discover that the latest posting does not easily copy and paste into a spreadsheet the way the previous one did.  Thanks a lot, HHS!  

Anyway, with a cursory review I don’t see obvious changes, and at the end of next week I’m going to be at the annual NIST/OCR HIPAA Security love fest in Washington, DC, where I can try to find someone from HHS who can say what the difference between the 2016 and 2018 versions is, so I don’t have to spend a day recreating the whole thing again.  (Ugh!)

Anyway, despite the pain, I’m glad a question from a reader revealed to me that they had updated the HIPAA Audit Protocol in some (unknown) way.  How was I expected to hear about it — rumors on the street?  What happened to press releases?  Information?  Oh well…  So here’s the link, and please let me know if you have a summary of the changes!  https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/protocol/index.html

Update: There are changes in 13 of the questions, mostly in Breach Notification and some in Privacy.  Please let me know if you’d like me to e-mail you a copy of the new 2018 HIPAA Audit Protocol in Excel format.

Busy Time for Medical Device and IoT Security Guidance

In September 2018, NIST presented Draft NISTIR 8228, Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks (available at https://nvlpubs.nist.gov/nistpubs/ir/2018/NIST.IR.8228-draft.pdf ), which covers IoT devices used in healthcare settings and is open for comment through October 24, 2018.  See the article in HealthITSecurity at https://healthitsecurity.com/news/nist-warns-about-cybersecurity-vulnerabilities-in-healthcare-iot

On October 1, 2018, the FDA released a playbook for medical device security, developed by MITRE, that can help healthcare organizations plan for and respond to cybersecurity incidents involving medical devices.  The MITRE playbook, Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook Version 1.0 October 2018, is available through https://www.mitre.org/publications/technical-papers/mitre-creates-playbook-on-medical-device-cybersecurity and an article on the release in HealthITSecurity is at https://healthitsecurity.com/news/fda-unveils-mitres-medical-device-security-playbook  A statement from FDA Commissioner Scott Gottlieb, M.D. on FDA’s efforts to strengthen the agency’s medical device cybersecurity program as part of its mission to protect patients is available at https://www.fda.gov/NewsEvents/Newsroom/PressAnnouncements/ucm622074.htm

In addition, a KLAS/CHIME survey shows providers lack confidence in medical device cybersecurity — is it any wonder?  See the article in Modern Healthcare (registration required) at http://www.modernhealthcare.com/article/20181005/NEWS/181009942  Results suggest that the majority of surveyed provider groups attributed security problems to the device manufacturers, especially if the devices can’t be updated or patched, and that the problem is widespread.  

Clearly, it’s time to look at all the various devices and IoT “things” that may need a serious update to protect patient safety and privacy.  This is not a minor issue.

Health Data Access Wizard Simplifies Records Requests

On September 25, 2018, it was announced that fourteen organizations including AHIMA, X4 Health, CareJourney, and CARIN Alliance recently launched a new health IT tool designed to offer users an easier way to request EHR patient data.  The tool is designed to help patients avoid the cumbersome process of filling out paperwork to obtain copies of their EHRs from providers in apps or other secure locations.

The prototype tool is the Health Record Request Wizard, designed to streamline and simplify patient EHR request processes. The Wizard also helps patients receive their EHR data in digital formats.

See the article in EHR Intelligence, at https://ehrintelligence.com/news/14-healthcare-stakeholders-launch-ehr-patient-data-request-tool and try out the prototype tool at https://www.healthrecordwizard.com   

State AGs Take Aim Using HIPAA for Breach Violations

Where HHS Office for Civil Rights has seemed to be slacking off in enforcement recently, state Attorneys General are taking up the slack and issuing penalties for violations of HIPAA and other state laws.  The latest, reported on September 24, 2018, is a settlement by the Massachusetts AG with UMass Memorial for $350,000 for violations of HIPAA, the Consumer Protection Act, and the Massachusetts Data Security Law when they failed to properly protect patients’ information from access by identity thieves even after the activity had been reported.  See the story at:  https://healthitsecurity.com/news/umass-memorial-to-pay-230000-for-healthcare-data-breaches  

Allowing TV Crews Into Boston Hospitals = $1M in Penalties

On September 20, 2018 the Department of Health and Human Services, Office for Civil Rights (OCR) announced that it has reached separate settlements with Boston Medical Center (BMC), Brigham and Women's Hospital (BWH), and Massachusetts General Hospital (MGH) for compromising the privacy of patients’ protected health information (PHI) by inviting film crews on premises to film an ABC television network documentary series, without first obtaining authorization from patients. Collectively, the three entities paid OCR $999,000 to settle potential HIPAA violations.  Each entity will provide workforce training as part of a corrective action plan that will include OCR’s guidance on disclosures to film and media:  http://www.hhs.gov/hipaa/for-professionals/faq/2023/film-and-media/index.html  

This is the second HIPAA case involving an ABC medical documentary television series, the previous being OCR’s April 16, 2016 settlement with New York-Presbyterian Hospital in association with the filming of “NY Med.”

The respective Resolution Agreements and Corrective Action Plans may be found on the HHS website at: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/bostoncases/index.html

New Guidance from NIST on Wireless Infusion Pumps

On August 21, 2018, the NIST National Cybersecurity Center of Excellence (NCCoE) published Special Publication (SP) 1800-8, Securing Wireless Infusion Pumps in Healthcare Delivery Organizations.  The title says it all.  If you use wireless infusion pumps or are thinking about using them, best to consult this.  See  https://www.nccoe.nist.gov/projects/use-cases/medical-devices  

Final NIST SP1800-1 on EHRs and Mobile Devices Released

On July 27, 2018, the National Institute of Standards and Technology National Cybersecurity Center of Excellence (NCCoE) released the final version 1 of Special Publication 1800-1, Securing Electronic Health Records on Mobile Devices, which includes valuable information on establishing strong authentication and secure practices when accessing EHR systems remotely from mobile devices.  

While much of the report is technical in nature, such that it can be used to guide development of secure implementations, the overall goals of security AND ease of use are well-explained, and a questionnaire for EHR providers is included to help assess the security posture of an EHR vendor.

The NIST page with the Abstract of SP 1800-1 is available at:  https://www.nist.gov/publications/securing-electronic-health-records-mobile-devices  and the publication, including all the subsections, is available at:  https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1800-1.pdf  

Annual NIST/OCR HIPAA Security Conference October 18-19

On July 5, 2018 the National Institute of Standards and Technology and the HHS Office for Civil Rights announced the (11th annual) 2018 OCR/NIST Conference: Safeguarding Health Information: Building Assurance through HIPAA Security, to be held October 18-19, 2018 at the Hyatt Regency, Washington, D.C.  Note that the registration ends at 11:59 PM on October 11.  This is the one event I always attend every year.  See:   https://www.nist.gov/news-events/events/2018/10/safeguarding-health-information-building-assurance-through-hipaa-security  

New California Consumer Privacy Act set for January 1, 2020

On June 28, 2018, the California Consumer Privacy Act of 2018 was signed into law, going into effect at the beginning of 2020 and offering many of the same protections for personal information as the EU’s GDPR.  You’ll need to go through a similar evaluation process for personal information, but instead of, “is this individual an E.U. resident?” the question becomes, “is this individual a California resident?”

Luckily, information subject to HIPAA is not subject to CCPA, but non-PHI will still be controlled by CCPA, and will need evaluation.  Expect this kind of legislation to spread, as California is typically the trend-setter for privacy and security legislation.  One of the many articles on this topic is available at:  http://www.modernhealthcare.com/article/20180702/NEWS/180709994  

Updated Common Rule for Research Effective January 21, 2019

The revised Common Rule on the use of personal information in research was adopted June 19, 2018 and will go into effect January 21, 2019, finally, after several delays and adjustments.  

Prior to the effective date, institutions may implement three of the “burden-reducing” changes for studies begun prior to January 21, 2019 that will transition to compliance with the revised requirements:

  • the revised definition of ‘research,’ which deems certain activities not to be research covered by the Common Rule; 
  • the elimination of the requirement for annual continuing review with respect to certain categories of research; and 
  • the elimination of the requirement that institutional review boards (IRBs) review grant applications or other funding proposals related to the research.

The changes to the Common Rule for secondary research enable low-risk medical studies, such as observational studies designed to find patterns in patient records to improve how procedures are performed.  The changes also encompass: 

  • requiring the most important information regarding a study to be explained clearly and concisely, and in a way that a “reasonable person” could understand; 
  • permitting researchers to seek broad consent, which will help improve the availability of biospecimens and patient-reported data (including real-time data from mobile applications and devices) for secondary research; 
  • clarifying that certain public health surveillance activities are outside the scope of the Common Rule, so that the spread of disease can be more easily monitored; 
  • providing a new option meant to help screening of potential participants, so patients who qualify for new treatments are more likely to learn about them.

One of many articles on this topic is at:  https://healthitsecurity.com/news/common-rules-final-version-exempts-certain-hipaa-covered-entities  

An article on new HHS OCR guidance issued June 12, 2018 regarding HIPAA and research is at:  https://healthitsecurity.com/news/ocr-guidance-tackles-phi-research-use-under-hipaa-privacy-rule  

MD Anderson Cancer Center hit with $4.3 million HIPAA Fine

On June 14, 2018, a U.S. Department of Health and Human Services Administrative Law Judge (ALJ) ruled that The University of Texas MD Anderson Cancer Center (MD Anderson) violated the HIPAA Privacy and Security Rules and granted summary judgment to the Office for Civil Rights (OCR) on all issues, requiring MD Anderson to pay $4,348,000 in civil money penalties to OCR. From the June 18, 2018 HHS press release (with my bolding):

"OCR investigated MD Anderson following three separate data breach reports in 2012 and 2013 involving the theft of an unencrypted laptop from the residence of an MD Anderson employee and the loss of two unencrypted universal serial bus (USB) thumb drives containing the unencrypted electronic protected health information (ePHI) of over 33,500 individuals. OCR’s investigation found that MD Anderson had written encryption policies going as far back as 2006 and that MD Anderson’s own risk analyses had found that the lack of device-level encryption posed a high risk to the security of ePHI. Despite the encryption policies and high risk findings, MD Anderson did not begin to adopt an enterprise-wide solution to implement encryption of ePHI until 2011, and even then it failed to encrypt its inventory of electronic devices containing ePHI between March 24, 2011 and January 25, 2013. The ALJ agreed with OCR’s arguments and findings and upheld OCR’s penalties for each day of MD Anderson’s non-compliance with HIPAA and for each record of individuals breached.

"MD Anderson claimed that it was not obligated to encrypt its devices, and asserted that the ePHI at issue was for “research,” and thus was not subject to HIPAA’s nondisclosure requirements. MD Anderson further argued that HIPAA’s penalties were unreasonable. The ALJ rejected each of these arguments and stated that MD Anderson’s “dilatory conduct is shocking given the high risk to its patients resulting from the unauthorized disclosure of ePHI,” a risk that MD Anderson “not only recognized, but that it restated many times.”

Lessons: Follow the guidance of your risk analysis, follow your own policies, and just because the data is for research doesn’t mean you can forget HIPAA.  ONLY information that is collected solely for research is exempt from HIPAA.

See the press release at:  https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/mdanderson/index.html  

HHS Finally Playing Catch-up on HITECH Law Requirements

It’s been more than nine years since the HITECH Act was passed, and HHS is finally dealing with some of the thorniest issues presented by the law.  The HHS regulatory agenda indicates that in November they will propose:

• A new Accounting of Disclosures rule (see story below), 

• A new rule to clarify that healthcare providers are presumed to be acting in the individual's best interests when they share information with an incapacitated patient's family members unless there is evidence that a provider has acted in bad faith, and

• A change to the requirement that healthcare providers make a good faith effort to obtain from individuals a written acknowledgment of receipt of the provider's notice of privacy practices.  This one has me concerned, because getting this signed counts as a consent under the TCPA so you can call a patient’s cell phone without breaking the law.  If you skip this, medical offices will need to get written consent to contact the patient instead.  Savings? NONE.

But the biggest issue is with the requirement in HITECH to come up with a way to share penalty amounts collected with the individuals harmed in a breach.  This has more pitfalls and issues than anything HHS has had to come up with in a long time.  The experts have plenty to say about this one.

There is a great summary of all this, with links to the items in the agenda, in an article by Health IT Security, at:  https://healthitsecurity.com/news/ocr-to-share-hipaa-data-breach-settlements-with-victims  

New Accounting of Disclosures Rule to be Proposed, Finally

The Office of Management and Budget’s regulations agenda indicates that the reviled 2011 proposal for a new Accounting of Disclosures rule based on HITECH Act requirements will be withdrawn, and the process will begin anew.  What was proposed in 2011 was preposterous, and the new proposed rule will have sufficient input to develop a rule that focuses on what patients really want to know when they ask for an Accounting.  See the story in GovInfo Security, at https://www.govinfosecurity.com/ocr-plans-do-over-for-accounting-disclosures-proposal-a-11007

New Guidance, Updated FAQs on SAMHSA 42 CFR Part 2

On May 1, 2018, the Substance Abuse and Mental Health Services Administration (SAMHSA) updated its Frequently Asked Questions page about 42 CFR Part 2 with two new fact sheets on how Part 2 applies to disclosures of information for treatment purposes.  The FAQ page is at:  https://www.samhsa.gov/about-us/who-we-are/laws-regulations/confidentiality-regulations-faqs, with links to the new fact sheets, Disclosure of Substance Use Disorder Patient Records: Does Part 2 Apply to Me? (https://www.samhsa.gov/sites/default/files/does-part2-apply.pdf) and Disclosure of Substance Use Disorder Patient Records: How Do I Exchange Part 2 Data? (https://www.samhsa.gov/sites/default/files/how-do-i-exchange-part2.pdf)

Head of HHS OCR Says Texting with Patients is OK, but...

But it needs to be the patient’s preference.  In a “Making Policy from the Podium” moment, HHS Office for Civil Rights chief Roger Severino indicated that HHS guidance regarding using plain e-mail with patients would also apply to using plain texting with patients.  (Wouldn’t it be nice to see some real, formal, legal guidance, rather than just comments off the cuff?  Is anybody doing any real work at HHS OCR or is it just that chaos is so prevalent in the Federal government today that nothing of substance ever gets out?  Anyway, don’t get me started…)  

Plain texting is fine with patients if they prefer, but plain texting between professionals is strictly forbidden.  There’s an article in Mike Semel’s Blog posted March 6, 2018 about Severino’s comments in response to a question at the recent Spring HIMSS conference in Las Vegas.  See:  https://www.emrandhipaa.com/mike/2018/03/06/texting-patients-is-ok-under-hipaa-as-long-as-you/  

Hospital Data Breaches Lead To Thousands of Deaths

On March 27, 2018, Becker’s Hospital Review reported on a Wall Street Journal article on a research presentation showing that hospitals that suffer a data breach can have negative impacts lasting years, due to diverted resources and attention, and slower responses to healthcare situations.  As a result, people die, some 2,100 per year.  These numbers are not huge, but they are significant and preventable.  Breaches => Patient Deaths.  Good Security = Good Patient Care.  See the Becker's article with a link to the WSJ article at:  https://www.beckershospitalreview.com/cybersecurity/study-hospital-data-breaches-tied-to-thousands-of-additional-patient-deaths.html   

TCPA Allows Healthcare Texting If NPP Is Acknowledged

There has long been some uncertainty as to how the Telephone Consumer Protection Act applies to healthcare and cell phones, but a recent ruling (Latner v. Mt. Sinai Health System, Inc., No. 17-99-cv (2d Cir. Jan. 9, 2018)) indicated that if the Notice of Privacy Practices includes mention of such use, and the individual acknowledges that the NPP has been received, that counts as the necessary consent.  So, to comply with TCPA, make sure your NPP includes the necessary statements about contacting the individual, and make sure the individual acknowledges receipt of the NPP.  There’s an informative March 27, 2018 posting on the Journal of AHIMA Blog pages, available at:  http://journal.ahima.org/2018/03/27/can-texting-get-a-healthcare-provider-in-trouble/  

NOTE! This does not address HIPAA Security Rule requirements for security, so you’ll still need your patients to express a preference to receive any plain text messages that may imply a healthcare connection, depending on the message.  The “everyone should get a flu shot” message sent to all recent patients in the case cited probably would not count as a breach without consent, but an individualized message with personal details could.  Your mileage may vary.

Get Ready for the GDPR — Compliance Required by May 25

The new European Union General Data Protection Regulation goes into effect May 25, 2018, and it requires the protection of the identifiable personal information of any EU subject no matter where that information may be, even in the US.  The GDPR is far from trivial, and could be expected to become the de facto international standard for protection merely because of its widespread applicability.  If you serve any patients or customers who reside in the EU, you need to be aware of this.  

See great overview articles at http://www.bio-itworld.com/2017/10/10/what-the-eu-general-data-protection-regulation-means-for-you.aspx and http://www.healthcareitnews.com/news/europes-gdpr-privacy-law-coming-heres-what-us-health-orgs-need-know and the EU GDPR Web page at https://www.eugdpr.org   

HHS OCR Director Says No More HIPAA Audits To Be Done

Following a presentation at the HIMSS18 conference on March 6, 2018, HHS Office for Civil Rights Director Roger Severino told an Information Security Media Group reporter that while HIPAA enforcement activity would continue unabated, the HIPAA Audit Program will have no further effort other than to report on the results of the prior work and provide best practices guidance based on that analysis.  This is despite a clear requirement in the HITECH Act for HHS to perform periodic audits of covered entities and business associates.  (Law? What law?)  See:  https://www.govinfosecurity.com/no-slowdown-for-hipaa-enforcement-but-audits-ending-a-10701  

Two New Reports Show Massive Insider Threats to PHI

Two news reports of March 2, 2018 show that healthcare security issues are different from other industries, and that insiders pose a huge threat both in accidental and intentional breaches.  Some of the results are astonishing and contrary to what you’d expect.  

A survey by Accenture reported in Becker’s Hospital Review showed that 18% of respondents would sell PHI for as little as $500, and an amazing 24% of respondents said they knew of someone in their organization who had sold access or credentials to an outsider.  See: https://www.beckershospitalreview.com/cybersecurity/1-in-5-health-employees-willing-to-sell-confidential-data-7-survey-insights.html

MedCity News reported that the latest Verizon Protected Health Information Data Breach Report shows how insiders are the biggest threat to the security of PHI, far beyond that for other industries.  Also, larger organizations are better than smaller ones at finding problems before the public does.  Any surprise?  Remember that the results of the 2012 HIPAA Audits showed that small healthcare providers tend to have security issues, and that apparently hasn’t changed.  See the story at https://medcitynews.com/2018/03/verizon-cybersecurity-report-protected-health-information-breaches-finds-internal-actors-pose-greatest-threat/ and the Verizon report is at http://www.verizon.com/about/news/new-report-puts-healthcare-cybersecurity-back-under-microscope   

$100K Improper Record Disposal by out-of-Business Associate

On February 13, 2018, the HHS Office for Civil Rights announced a resolution agreement for $100,000 with the receiver appointed to liquidate the assets of records management firm Filefax, Inc., of Northbrook, Illinois, for insecure storage and disposal of records.  Filefax advertised that it provided for the storage, maintenance, and delivery of medical records for covered entities and did not escape a penalty even though it shut its doors during the course of OCR’s investigation into alleged HIPAA violations.

It’s so simple — secure storage and disposal of paper records is required, and filing for bankruptcy doesn’t protect an entity that violates the rules.  See the HHS page with links to the press release and the Resolution Agreement and Corrective Action Plan at  https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/Filefax/index.html  

Fresenius gets $3.5 Million Settlement for Lack of Security

On February 1, 2018, the HHS Office for Civil Rights announced a resolution agreement with Fresenius Medical Care North America (FMCNA) for $3.5 million and a corrective action plan to deal with a lack of risk analysis and risk management that led to multiple breaches of PHI.  Although the total number of records breached was for only 521 individuals, the investigation turned up a variety of risk assessment and management problems at a number of sites and organization-wide.  

The clear message is: YOU CAN’T IGNORE THE SECURITY RULE ANY MORE.  If you haven’t done the proper risk analysis or haven’t addressed the risks you found (or should have found), you’re looking for trouble.  See the HHS announcement at: https://www.hhs.gov/about/news/2018/02/01/five-breaches-add-millions-settlement-costs-entity-failed-heed-hipaa-s-risk-analysis-and-risk.html  and the Resolution Agreement and Corrective Action Plan at:  https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/FMCNA/index.html   Also worth a look is the article in Fierce Health:  https://www.fiercehealthcare.com/privacy-security/fresenius-medical-care-ocr-3-5m-settlement-hipaa-data-breach-theft  

CMS Says Secure Texting Is OK But Not For Patient Orders

On December 28, 2017, HHS Center for Medicare and Medicaid Services (CMS) issued a memo to its State Survey Agency Directors to clarify that Texting patient information among members of the health care team is permissible if accomplished through a secure platform, but texting of patient orders is prohibited regardless of the platform utilized.  Computerized Provider Order Entry (CPOE) is the preferred method of order entry by a provider.  So, Texting PHI among the team?  Yes, but must be secure.  Texting Patient Orders?  No, which is aligned with Joint Commission rules.  The memorandum is available at:  https://www.cms.gov/Medicare/Provider-Enrollment-and-Certification/SurveyCertificationGenInfo/Downloads/Survey-and-Cert-Letter-18-10.pdf  and there are articles on the announcement at:  https://www.fiercehealthcare.com/regulatory/cms-texting-physician-orders-joint-commission-regulations-hipaa-security  and at:  http://www.healthcareitnews.com/news/cms-clarifies-policy-texting-patient-info-across-healthcare-teams  

OCR Finally Announces 21CO $2.3m Settlement 17 Days Later

On December 28, 2017 the HHS Office for Civil Rights finally announced a resolution agreement with 21st Century Oncology (21CO) for HIPAA violations culminating in a breach of 2.2 million records and an OCR investigation, resulting in a resolution amount of $2.3 million and a Corrective Action Plan (listed two stories below this one).  The OCR press release is available at https://www.hhs.gov/about/news/2017/12/28/failure-to-protect-the-health-records-of-millions-of-persons-costs-entity-millions-of-dollars.html and the resolution agreement is available at https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/21CO/index.html   

HHS OCR Updates Guidance on Sharing Info in Opioid Incidents

On December 19, 2017 the HHS Office for Civil Rights announced expanded and improved guidance relating to the sharing of information in opioid overdose incidents, including revised guidance, new guidance, and new Frequently Asked Question sets on the topic.  Per former HHS honcho Deven McGraw, this should be required reading for all front line personnel dealing with these emergencies!  See the page with links to the new and updated information at:  https://www.hhs.gov/hipaa/for-professionals/special-topics/mental-health/index.html  

OCR Doesn’t Announce Latest HIPAA Settlement for $2.3m?

On December 11, 2017 the HHS Office for Civil Rights did not announce a filed resolution agreement with 21st Century Oncology (21CO) for HIPAA violations culminating in a breach of 2.2 million records and an OCR investigation, resulting in a resolution amount of $2.3 million and a Corrective Action Plan.  But that’s not the worst of it for 21CO — they (now bankrupt, no surprise) face a $26 million penalty for false meaningful use attestations.

Here’s an article on it in HealthIT Security:  https://healthitsecurity.com/news/2.3m-ocr-settlement-reached-for-21st-century-oncology-data-breach  And here’s a page with the announcement by the Justice Department about the $26m settlement:  https://www.justice.gov/opa/pr/21st-century-oncology-pay-26-million-settle-false-claims-act-allegations  

Finally, here are a couple of sources for the filed settlement:  https://s3.amazonaws.com/assets.fiercemarkets.net/public/004-Healthcare/external_Q42017/21CO_OCR.pdf  and  https://healthitsecurity.com/images/site/attachments/21-century-ocr-settlement.pdf  

But it is not announced on the HHS OCR page where these are all listed (at https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/index.html), and there have not been the typical e-mail list announcements from them about this.  What gives?  Has all work stopped in Washington?  VERY unusual...

On-site HHS OCR HIPAA Audits for 2017 Cancelled

At the 2017 AHIMA conference in Los Angeles, on October 7, 2017 a representative of the regional office of HHS spoke about the latest from HHS re HIPAA, and although the presentation slides don’t show it, it was announced that the 2016 HIPAA Audit program has concluded, and the on-site audits promised for 2017 will not take place.  Given the tremendous rate of turnover at HHS under the new administration, the paralysis that has hit HHS operations, and the fact that the leaders of the audit program are now gone, I would be surprised to see the program (required by law) resuscitated before 2019.

Read The New NISTIR 8192: Enhancing Resilience of the Internet and Communications Ecosystem

On September 19, 2017 the National Institute of Standards and Technology Computer Security Resource Center released NIST Internal Report (NISTIR) 8192, Enhancing Resilience of the Internet and Communications Ecosystem.  This is a surprisingly readable, actionable document that includes specific items to address the needs of a variety of industry stakeholders.

If you are wondering, “What in the world am I going to do about all these incredible security threats???” this is a great place to begin.  See the announcement at https://csrc.nist.gov/News/2017/NIST-Releases-NISTIR-8192  and download it at  http://nvlpubs.nist.gov/nistpubs/ir/2017/NIST.IR.8192.pdf 
DO THIS NOW — You will discover things you can do right away, today!

Annual NIST/OCR HIPAA Security Conference Announced

On July 26, 2017, the HHS Office for Civil Rights announced that registration is open for the 10th Annual OCR/NIST conference, Safeguarding Health Information: Building Assurance through HIPAA Security, September 5-6, 2017 at the Hyatt Regency, 400 New Jersey Ave NW, Washington, DC 20001, hosted by OCR and the National Institute for Standards and Technology.

The conference explores the current healthcare cybersecurity landscape and the HIPAA Security Rule. Over two days, presentations will cover a variety of topics including understanding the current cybersecurity threat landscape, managing data breaches, considerations for small provider cybersecurity, managing cybersecurity risk and implementing practical cybersecurity solutions in healthcare environments, updates on OCR's Phase 2 audits and enforcement activities, and more.

Participants can choose to participate in-person or via webcast. All registrants will have access to archived webcast presentations and materials.  Registration ends on 8/29/2017 at 11:59 PM EDT. 

Yes, I am attending again this year, hoping to ask the hard questions of those who should be able to provide answers.

For registration information and additional details, please visit https://www.nist.gov/news-events/events/2017/09/safeguarding-health-information-building-assurance-through-hipaa-security  

HHS OCR Releases “Improved” Wall of Shame for Breaches

On July 25, 2017, the HHS Office for Civil Rights announced an updated HIPAA Breach Reporting Tool (HBRT) featuring improved navigation for both those looking for information on breaches and ease-of-use for organizations reporting incidents.  The tool also helps educate industry on the types of breaches that are occurring, industry-wide or within particular sectors, and how breaches are commonly resolved following investigations launched by OCR. 

New features of the HBRT include:

  • Enhanced functionality that highlights breaches currently under investigation and reported within the last 24 months
  • New archive that includes all older breaches and information about how breaches were resolved
  • Improved navigation to additional breach information
  • Tips for consumers

The HBRT may be found at:  https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf  

For additional information on HIPAA breach notification, visit:  https://www.hhs.gov/hipaa/for-professionals/breach-notification

ONC Releases Report on Issues with Individual Access of PHI

On July 11, 2017, the HHS Office of the National Coordinator for Health IT released a report on patient experiences in the access of medical records, and it’s a pretty sorry looking picture, frankly.  In the examples shown, there is a remarkable lack of understanding of basic HIPAA Access requirements by the involved providers.  The report shows the alarming, life threatening hurdles in the process and offers some ideas what must be done, and NOW.  See the announcement at:  https://www.healthit.gov/buzz-blog/consumer/understanding-patient-experience-improve-patient-access-medical-records/  and the report at:  https://www.healthit.gov/sites/default/files/onc_records-request-research-report_2017-06-01.pdf  

NIST Finalizes Report: Time to Change Password Habits!

On June 22, 2017, NIST released an expected finalized update to Special Publication 800-63-3, Digital Identity Guidelines, published in 4 parts.  The best part of SP 800-63-3 is the password recommendations: see Appendix A to SP 800-63-3 B for the details.

They suggest that periodic password changes are no longer necessary. The report also recommends changes to several other password policies that have become antiquated in the modern computing environment:

  • Allow at least 64 characters in length to support the use of passphrases.
  • Encourage users to make memorized secrets as lengthy as they want, using any characters they like (including spaces), thus aiding memorization.
  • Do not impose other composition rules (e.g. mixtures of different character types) on memorized secrets.

NIST is also recommending checking new passwords against several lists, such as:

  • Context specific words, such as the name of the service, the username, and derivatives thereof.
  • Repetitive or sequential characters (e.g. ‘aaaaaa’, ‘1234abcd’).
  • Passwords obtained from previous breach corpuses.

Links to Special Publication 800-63-3 are provided below, on the CSRC Special Publications page: 
Main document: http://csrc.nist.gov/publications/PubsSPs.html#SP-800-63-3
SP 800-63-3 A: http://csrc.nist.gov/publications/PubsSPs.html#SP-800-63A
SP 800-63-3 B: http://csrc.nist.gov/publications/PubsSPs.html#SP-800-63B
SP 800-63-3 C: http://csrc.nist.gov/publications/PubsSPs.html#SP-800-63C

AHIMA Releases Template for Request for Access of PHI

On July 6, 2017, AHIMA released a model form for Patient Requests for Access to their PHI that meets the requirements of the HHS Office of the National Coordinator for Health IT and Office for Civil Rights.  While the form is hospital-centric in some of the details, it can be the basis for forms used by other providers.  Remember: An access request is NOT the same as a release under Authorization, and you should not use the same forms or processes for both.  This form is very simple, as it should be according to HHS guidance.  See the announcement at  http://www.ahima.org/modelform  and download the form at: https://engage.ahima.org/viewdocument/patient-request-model-form  

ECRI on Protecting Medical Devices from Ransomware Attacks

On May 26, 2017, Healthcare Informatics reported that the ECRI Institute has released a new guidance article, Ransomware Attacks: How to Protect Your Medical Device Systems, with recommendations to help hospitals identify and protect against ransomware attacks.  The report provides recommendations for adapting general cybersecurity principles to the particular requirements of medical device systems, including a list of immediate do's and don'ts for quickly responding to emerging threats.

The Healthcare Informatics article is available at:  https://www.healthcare-informatics.com/news-item/cybersecurity/ecri-institute-publishes-guidance-protecting-medical-devices-ransomware  and the ECRI guidance, published May 18, 2017 is available at:  https://www.ecri.org/components/HDJournal/Pages/Ransomware-Attacks-How-to-Protect-Your-Systems.aspx  

Provider Sends HIV Information to Employer - Oops! = $387K

On May 23, 2017, HHS OCR announced a $387,200 HIPAA settlement for impermissible disclosure of protected health information (PHI) with St. Luke’s-Roosevelt Hospital Center Inc.  In September 2014, OCR received a complaint alleging that a staff member impermissibly disclosed the complainant’s PHI to the complainant’s employer, including sensitive information concerning HIV status, medical care, sexually transmitted diseases, medications, sexual orientation, mental health diagnosis, and physical abuse.

The investigation revealed that staff at the Spencer Cox Center impermissibly faxed the patient’s PHI to his employer rather than sending it to the requested personal post office box.  (!!!)  

Additionally, OCR discovered that the Spencer Cox Center was responsible for a related breach of sensitive information that occurred nine months prior to the aforementioned incident but had not addressed the vulnerabilities in their compliance program to prevent impermissible disclosures.  (Yow!)

Look folks, there’s no excuse for this.  Small breaches are easily prevented if everyone DOUBLE-CHECKS what they’re doing before they send information.  And if you have an issue, ADDRESS IT BEFORE IT HAPPENS AGAIN!!  HELLO!  WHERE IS THE COMPLIANCE DEPARTMENT??

See:  http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/StLukes/index.html  

NIST Says It’s Time To Change Password Habits in Draft 800-63

New guidelines from NIST expected this summer suggest that periodic password changes are no longer necessary. The report also recommends changes to several other password policies that have become antiquated in the modern computing environment:

  • Allow at least 64 characters in length to support the use of passphrases.
  • Encourage users to make memorized secrets as lengthy as they want, using any characters they like (including spaces), thus aiding memorization.
  • Do not impose other composition rules (e.g. mixtures of different character types) on memorized secrets.

NIST is also recommending checking new passwords against several lists, such as:

  • Context specific words, such as the name of the service, the username, and derivatives thereof.
  • Repetitive or sequential characters (e.g. ‘aaaaaa’, ‘1234abcd’).
  • Passwords obtained from previous breach corpuses.

Draft SP 800-63 is available at, https://pages.nist.gov/800-63-3/, and for the password recommendations, see Appendix A to Draft SP 800-63B at  https://pages.nist.gov/800-63-3/sp800-63b.html#appA  

Also see this article in Quartz Media:  https://qz.com/981941/the-us-standards-office-wants-to-do-away-with-periodic-password-changes/  
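The password recommendations listed in this item (and repeated in the "NIST Finalizes Report" item above, which this one example also serves) translate directly into verifier logic. The following is an added illustration, not code from NIST or from the blog: the 8-character minimum and the requirement to accept at least 64 characters come from SP 800-63B; the 128-character cap, the 4-character run length, and the tiny breach corpus are our own constructed choices, and a real deployment would load a large corpus instead.

```python
"""Memorized-secret (password) checks in the spirit of NIST SP 800-63B.

Added illustration. Policy constants are our own choices except where
noted, and BREACH_CORPUS is a constructed stand-in for a real list.
"""
import re
import unicodedata

MIN_LENGTH = 8     # SP 800-63B minimum for user-chosen secrets
MAX_LENGTH = 128   # must be at least 64; the exact cap is our choice
RUN_LENGTH = 4     # repeated/sequential run length we reject (our choice)

# Constructed stand-in for a breach corpus; a real verifier loads a large list.
BREACH_CORPUS = {"password", "123456", "qwerty", "letmein", "iloveyou", "welcome1"}


def normalize(secret: str) -> str:
    """Apply Unicode NFKC so length and comparisons see the same code points."""
    return unicodedata.normalize("NFKC", secret)


def has_repetitive_run(s: str, n: int = RUN_LENGTH) -> bool:
    """True if any character repeats n or more times in a row ('aaaa')."""
    return re.search(r"(.)\1{%d,}" % (n - 1), s) is not None


def has_sequential_run(s: str, n: int = RUN_LENGTH) -> bool:
    """True if n alphanumeric characters step by +1 or -1 ('abcd', '4321')."""
    low = s.lower()
    for i in range(len(low) - n + 1):
        window = low[i:i + n]
        if not window.isalnum():
            continue
        steps = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def contains_context_word(s: str, words) -> bool:
    """True if a context word (service name, username) or its reverse appears."""
    low = s.lower()
    for w in words:
        w = (w or "").lower()
        if len(w) >= 3 and (w in low or w[::-1] in low):
            return True
    return False


def check_memorized_secret(secret, username="", service_name="", corpus=BREACH_CORPUS):
    """Return the list of rejection reasons; an empty list means 'accept'.

    Deliberately absent: any uppercase/digit/symbol composition rule and any
    ban on spaces, exactly as the guideline recommends.
    """
    s = normalize(secret)
    reasons = []
    if len(s) < MIN_LENGTH:
        reasons.append("too short")
    if len(s) > MAX_LENGTH:
        reasons.append("too long")
    if s.lower() in {c.lower() for c in corpus}:
        reasons.append("found in breach corpus")
    if has_repetitive_run(s) or has_sequential_run(s):
        reasons.append("repetitive or sequential characters")
    if contains_context_word(s, [username, service_name]):
        reasons.append("contains context-specific word")
    return reasons


def rotation_required(evidence_of_compromise: bool) -> bool:
    """No calendar-based expiry: force a change only on evidence of compromise."""
    return evidence_of_compromise


if __name__ == "__main__":
    for candidate in ["correct horse battery staple", "password", "1234abcd"]:
        print(repr(candidate), "->", check_memorized_secret(candidate) or "accepted")
```

With these rules a long lowercase passphrase with spaces is accepted while `1234abcd` is rejected for its sequential runs, and the only trigger for a forced change is a compromise indicator, which is the behavioural change the NIST draft asks verifiers to make.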

Draft NIST Guide on Securing Wireless Infusion Pumps

On May 16, 2017, just in time for the global ransomware attack, NIST announced Draft NIST SP 1800-8, Securing Wireless Infusion Pumps in Healthcare Delivery Organizations, which is now available for public comment.

IF YOU HAVE WIRELESS INFUSION PUMPS, YOU MUST READ AND IMPLEMENT SP 1800-8 or you are playing with fire, and your patients’ lives.

See: http://csrc.nist.gov/publications/PubsDrafts.html#SP-1800-8  for the guide and https://nccoe.nist.gov/news/new-draft-guide-help-healthcare-delivery-organizations-improve-wireless-infusion-pump for the announcement.

Brute Force Attacks on Remote Access Points Under Way

Use RDP for remote access to desktops?  Watch out!  The bad guys are now using brute force attacks to gain entry to networks via open RDP services that use only an ID and password for access.  Time to beef up your Remote Access controls, and require STRONG authentication!  See the article in Healthcare IT News:  http://www.healthcareitnews.com/news/not-remotely-subtle-brute-force-ransomware-attacks-are-rise    
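Beyond requiring strong authentication, the defender's companion to this warning is to notice the guessing while it is happening. The following is an added illustration, not code from the article: it reads logon events, flags a source address that racks up repeated failures inside a short window, and raises a higher-priority alert if that same source then logs on successfully. Event IDs 4625 (failed logon) and 4624 (successful logon) are the real Windows Security log IDs, but the one-line record format, the 60-second window, the threshold of 10, and the sample addresses are all constructed for the example.

```python
"""Flag password guessing against a remote-access service from logon events.

Added illustration. The record format below is a constructed simplification,
not actual Windows log output; only the event IDs 4625/4624 are real.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON = 4625
SUCCESSFUL_LOGON = 4624
WINDOW = timedelta(seconds=60)   # sliding window (our choice)
THRESHOLD = 10                   # failures per source inside the window (our choice)

# Constructed format: "<ISO-8601 UTC>Z <event id> src=<ip> user=<name>"
LINE_RE = re.compile(r"^(\S+)Z\s+(\d+)\s+src=(\S+)\s+user=(\S+)$")


def parse_line(line):
    """Return (timestamp, event_id, source, user), or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m.group(1)), int(m.group(2)), m.group(3), m.group(4)


def detect(lines, window=WINDOW, threshold=THRESHOLD):
    """Return alerts as (kind, source, timestamp) tuples.

    'brute_force' fires once per source when `threshold` failures land inside
    `window`; 'success_after_brute_force' fires when a flagged source later
    logs on successfully, the case that most needs an immediate response.
    """
    recent = defaultdict(deque)   # source -> failure timestamps inside the window
    flagged = set()
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, event_id, src, _user = parsed
        if event_id == FAILED_LOGON:
            q = recent[src]
            q.append(ts)
            while q and ts - q[0] > window:   # drop failures older than the window
                q.popleft()
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append(("brute_force", src, ts))
        elif event_id == SUCCESSFUL_LOGON and src in flagged:
            alerts.append(("success_after_brute_force", src, ts))
    return alerts


def constructed_sample():
    """Constructed events: one guessing burst that ends in a successful logon,
    a few ordinary failures from a second address, and one normal logon."""
    base = datetime(2018, 5, 1, 10, 0, 0)

    def stamp(seconds):
        return (base + timedelta(seconds=seconds)).isoformat() + "Z"

    lines = [f"{stamp(2 * i)} 4625 src=203.0.113.7 user=administrator" for i in range(12)]
    lines.append(f"{stamp(30)} 4624 src=203.0.113.7 user=administrator")
    lines += [f"{stamp(5 * i)} 4625 src=198.51.100.5 user=jdoe" for i in range(3)]
    lines.append(f"{stamp(40)} 4624 src=192.0.2.10 user=nurse1")
    return lines


if __name__ == "__main__":
    for alert in detect(constructed_sample()):
        print(alert)
```

Run against the constructed sample, the guessing source is flagged on its tenth failure and a second alert fires when it logs on at the 30-second mark; the three failures from the other address and the normal logon produce nothing. A per-source sliding window keeps a handful of mistyped passwords from tripping the alert while still catching a sustained run of guesses.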

Patient Name in Press Release Headline yields $2.4 million

On May 10, 2017, HHS OCR announced a $2.4 million settlement (and corrective action plan, of course) with Memorial Hermann Health System (MHHS) to settle potential HIPAA violations, for issuing a press release about a patient, including details and the patient’s name in the headline, without a HIPAA Authorization, and for not adequately sanctioning the individuals responsible for the violation.

In addition to the $2.4 million settlement, a corrective action plan requires MHHS to update its policies and procedures on safeguarding PHI from impermissible uses and disclosures and to train its workforce members.  The corrective action plan also requires all MHHS facilities to attest to their understanding of permissible uses and disclosures of PHI, including disclosures to the media.  See: http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/MHHS/index.html

Stolen Laptop + No Risk Analysis or Management = $2.5 million

On April 24, 2017, HHS OCR announced a $2.5 million resolution agreement with wireless services provider CardioNet, for not having done the proper risk analysis and risk management, resulting in a stolen laptop and a breach.  The message?  No matter who you are, even if you provide cardiac monitoring services, you need to lock down your portable devices, NOW.  See the press release and agreement at:  https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/cardionet/index.html  

No Business Associate Agreement Leads to $31K settlement

On April 20, 2017, HHS OCR announced a $31,000 resolution agreement with Center for Children’s Digestive Health for not having had a proper HIPAA Business Associate Agreement in place with a business associate, FileFax, Inc., which stored health records for CCDH.  See the Resolution Agreement and Corrective Action Plan at http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/CCDH  

After a break during March, I guess we’re getting back to a two-a-month settlement rate.  Learn your lessons from others’ mistakes!

No Risk Analysis, Breach, Insufficient Risk Mitigation = $400K

On April 12, 2017, HHS OCR announced a $400,000 resolution agreement with Metro Community Provider Network, a FQHC, for not having conducted a HIPAA Security Risk Analysis, suffering a breach, and then following up with insufficient risk analysis and risk mitigation.  I think it’s getting pretty clear that it’s time to start a program of regular risk analysis activity that leads to mitigation of the issues discovered.  See the Resolution Agreement and Corrective Action Plan at https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/MCPN.html

OCR’s guidance on the Security Rule may be found at https://www.hhs.gov/hipaa/for-professionals/security/guidance/index.html

Lack of Audit Controls Leads to $5.5 million HIPAA settlement

On February 16, 2017 HHS OCR announced a $5.5 million resolution agreement with Memorial Healthcare Systems of Florida, for not having controlled and monitored access to PHI, leading to a breach of the PHI of 115,143 individuals by an insider.  I’ve been waiting to see an enforcement action based on a lack of auditing, and now it’s here.  This, folks, is the tough nut to crack in HIPAA Security compliance and can no longer be ignored.

The Resolution Agreement and Corrective Action Plan may be found on the OCR website at http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/memorial

OCR offers helpful guidance on the importance of audit controls and audit trails in their January 2017 cyber-newsletter, at https://www.hhs.gov/sites/default/files/january-2017-cyber-newsletter.pdf

See a Security Problem?  Fix it!  If not, $3.2 million PENALTY

On February 1, 2017 HHS OCR announced the imposition of a PENALTY for violations resulting from known security problems that went unaddressed for years at Children’s Medical Center of Dallas.  They had problems with breaches from unencrypted portable devices in 2007 and did not implement the proper encryption until further breaches occurred in 2013.  

Amazingly, Children’s did NOT file for a hearing and passed up an opportunity to negotiate a settlement.  They probably could have had a nice simple corrective action plan and a much lower financial amount but decided to just take the financial penalty.  Or did they just not notice the Notice of Proposed Determination?  Um, OK.  Bizarre.  Either way, I have reservations about their compliance processes.  See the announcement and Notices of Proposed and Final Determination at  https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/childrens  and decide for yourself.

NIST Releases Draft Revision to Intro to Information Security

On January 26, 2017, NIST released Draft Special Publication (SP) 800-12 Revision 1, Introduction to Information Security, open for public comment submissions through February 22, 2017.  The new draft is available at:  http://csrc.nist.gov/publications/PubsDrafts.html#800-12r1

If you’re looking for a place to start with Information Security, this is a fine one.  If you’re interested in making sure the new revision is a good one, read it and submit your comments.

New Update to the Common Rule for Research Finalized

On January 19, 2017, the revised Federal Policy for Protection of Human Subjects, a.k.a. the Common Rule, was published, relating to the proper protections, including privacy, to be afforded to research subjects.  If you do research involving human subjects, you need to review the changes.  Some privacy concerns have been voiced about the new rule.

With this new rule, there are many new intersections to be explored between HIPAA, 42 CFR Part 2, and research, not to mention the 21st Century Cures Act!  Those of you who do research with health information relating to substance abuse, for instance, have plenty of homework to do.  You have a little time, until 2018, to implement the new rule.

See: https://www.federalregister.gov/documents/2017/01/19/2017-01058/federal-policy-for-protection-of-human-subjects 

Poor Implementation of Safeguards Following Breach: $2.2M

On January 18, 2017, HHS OCR announced yet another HIPAA settlement, this time for $2.2 million, for reporting a breach and then not following through on risk mitigation as promised to OCR.  Please, if you have a breach, do what you need to do to prevent a repeat (in this case, do your risk analysis and encrypt your portable devices) and satisfy HHS OCR that you actually care about security.  Don’t put it off for years, OK?  See: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/MAPFRE

Changes to 42 CFR Part 2 re Substance Abuse Info Finalized

On January 18, 2017, the Substance Abuse and Mental Health Services Administration (SAMHSA) announced the release of the final updates to 42 CFR Part 2 regarding substance abuse treatment information.  The changes, among other things, allow release of information to a qualified researcher, but more importantly, allow a patient to consent to disclosing their information using a general designation (such as “my healthcare providers”), to allow patients to benefit from integrated health care systems.  Patients do not have to agree to such disclosures, but patients who do agree to the general disclosure designation have the option to request a list of entities to whom their information has been disclosed.  

A nice summary is in the press release, available at https://www.samhsa.gov/newsroom/press-announcements/201701131200 and the new rule is at https://www.federalregister.gov/documents/2017/01/18/2017-00719/confidentiality-of-substance-use-disorder-patient-records

Untimely Reporting of Breach Results In $475K Settlement

On January 10, 2017, HHS OCR announced the first HIPAA settlement based on the untimely reporting of a breach of unsecured PHI.  Presence Health has agreed to settle by paying $475,000 and agreeing to implement a corrective action plan.  With this settlement amount, OCR balanced the need to emphasize the importance of timely breach reporting with the desire not to disincentivize breach reporting altogether.  Good idea!

The Press Release, Resolution Agreement, and Corrective Action Plan may be found on the OCR website at http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/presence

Joint Commission Reaffirms Ban on Texting Patient Care Orders

On January 9, 2017, FierceHealthcare.com reported that the Joint Commission, in its December 2016 issue of The Joint Commission Perspectives, had reaffirmed its ban on using texting of any kind for patient care orders, even if secured.  The issues identified in this recent assessment include:

  • Using texts or other messaging apps to order treatments could increase the burden on nurses or other clinical staff who would be responsible for inputting such data into electronic health records
  • Talking in-person allows for easier clarifications if there are questions about an order, and allows for better confirmation of directives
  • If there are any clinical decision support alerts triggered during the EHR process, the clinician inputting the information into the system will have to take time to contact the ordering physician to resolve the issue, potentially causing treatment delays

The article in FierceHealthcare.com is available at:  http://www.fiercehealthcare.com/mobile/joint-commission-text-order-ban-to-stay-place-for-now  and the Joint Commission’s new “Clarification” is available at:  https://www.jointcommission.org/assets/1/6/Clarification_Use_of_Secure_Text_Messaging.pdf  

New FAQs & Guidance from HHS on Disclosures to Loved Ones

OCR has issued a new FAQ clarifying that the HIPAA Privacy Rule (45 CFR 164.510(b)) permits disclosures to loved ones regardless of whether they are recognized as relatives under applicable law.  In particular, the FAQ makes clear that the potential recipients of information under the relevant permissive disclosure provisions of 45 CFR 164.510(b) are not limited by the sex or gender identity of the person.

In tandem, OCR is updating its existing guidance on several provisions within the HIPAA Privacy Rule that recognize the integral role that a spouse often plays in a patient’s health and health care.  Consistent with the Supreme Court decision in Obergefell v. Hodges, OCR is issuing updated guidance that makes clear that the terms marriage, spouse, and family member include, respectively, all lawful marriages (whether same-sex or opposite-sex), lawfully married spouses and the dependents of all lawful marriages, and clarifies certain rights of individuals under the Privacy Rule. 

See: https://www.hhs.gov/hipaa/for-professionals/special-topics/same-sex-marriage/index.html 

The FAQ is also available at https://www.hhs.gov/hipaa/for-professionals/faq/2086/does-hipaa-privacy-rule-permit-doctor-discuss-patient-s-health-status.html


Copyright © 2002-2023 Lewis Creek Systems, LLC  Charlotte, Vermont, USA