Tag Archives: HHS

HHS Publishes Cybersecurity Best Practice Guide

The U.S. Department of Health and Human Services (HHS) recently published voluntary cybersecurity best practices entitled “Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients” (Best Practice Guide). These best practices were compiled over a two-year period by 150 cybersecurity and healthcare experts from both the public and private sectors and serve as a cybersecurity roadmap for healthcare organizations of all types and sizes, from small local clinics to large regional hospital systems.

All entities, especially those in the healthcare field, can learn from this valuable resource.

The Four-Part Best Practice Guide

The Best Practice Guide has four sections: a main document (entitled Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients); two technical volumes; and resources and templates. The Best Practice Guide’s goal is to increase awareness, provide sound practices, and consistently mitigate today’s most damaging cybersecurity threats in the healthcare industry.

OCR Issues Guidance for Sharing Medical Information During Hurricane Florence

As Hurricane Florence approaches the North Carolina coastline, OCR has released guidance to ensure that medical information is shared appropriately during the hurricane.

The Secretary of HHS has declared a public health emergency in North Carolina, South Carolina, and Virginia. Under these circumstances, the Secretary has exercised the authority to waive sanctions and penalties against a covered hospital that does not comply with the following provisions of the HIPAA Privacy Rule.

  • The requirement to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care.
  • The requirement to honor a request to opt out of the facility directory.
  • The requirement to distribute a notice of privacy practices.
  • The patient’s right to request privacy restrictions.
  • The patient’s right to request confidential communications.


Guidance on Disposing Sensitive Data-Storing Devices

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently released its July 2018 newsletter entitled Guidance on Disposing of Electronic Devices and Media (Guidance), which provides suggestions for properly disposing of technology that may contain sensitive data, such as financial information or protected health information (PHI). While directly applicable to the healthcare sector, this guidance is best practice for all organizations.

OCR’s Mission

Part of OCR’s mission is to provide guidance to health care providers, insurers and other stakeholders on cybersecurity issues such as properly disposing of equipment that contains sensitive information. This equipment includes desktops, laptops, tablets, copiers, servers, smartphones, hard drives, USB drives and other types of electronic storage devices.

Improper disposal of devices can lead to a data breach that is costly to an organization, both financially and reputationally. Some of the financial costs include notifications, investigations, lawsuits, consultants, legal counsel, fees paid to security specialists and loss of clients.

HHS Releases Training Module for HIPAA’s Right of Access

The Department of Health and Human Services (HHS) recently addressed the concerns of many healthcare providers regarding patient access to health information. Its newly released training module and report, Improving the Health Records Request Process for Patients, provides clarity and guidance around the issue.

Under HIPAA, patients have the right to access their health records. However, healthcare providers are often hesitant to comply due to concerns of insecure communication and the potential for a data breach.

Patient Challenges

HHS is attempting to solve several key issues for patients trying to access their health records. Common problems noted include:

  • Slow responses from healthcare providers
  • Inconsistent information from administrative staff about obtaining records
  • Inaccessibility of complete or accurate requested records

Taking Action

According to the HHS report, healthcare providers have the opportunity to improve their process for record requests and thus reduce the burden on themselves and patients.

Creating a streamlined, transparent, and electronic records request process may include:

  • Allowing patients to easily request and receive their records from their patient portal
  • Setting up an electronic records request system outside of the patient portal
  • Creating a user-friendly, plain language online request process
  • Using e-verification to quickly confirm the record requestor’s identity
  • Including a status bar or progress tracker so consumers can see where they are in the request process – for example, indicate when the request is received, when their records are being retrieved, and when they’re ready for delivery
  • Making sure consumers know that they can request their records in different formats (e.g., PDF or CD) and with different delivery options (e.g., email or sent to a third party)
  • Encouraging use of patient portals by promoting features like online appointment scheduling, secure messaging and prescription refills


HHS Announces a New Cybersecurity Initiative Focused on Medical App Security

It seems the Department of Health and Human Services (HHS) is stealing a page from the Homeland Security Department’s playbook with the launch of a new cybersecurity initiative.

This new HHS project is clearly modeled on the Homeland Security Department’s National Cybersecurity and Communications Integration Center (NCCIC). NCCIC works to boost awareness and understanding of cyber threats across a variety of private and public sector entities.

The new healthcare initiative will be called the Health Cybersecurity and Communications Integration Center, or HCCIC.

HHS has already stated a few of the primary goals for the new HCCIC program:

  • Reduce unnecessary hype about cyber threats while increasing education outreach on threats in the healthcare sector
  • Provide more and better information and education on cyber threats to health data
  • Offer best practices – i.e. what a small doctor’s office can do to protect patient privacy
  • Work collaboratively with mobile app developers to encourage better security practices
  • Help equip affected organizations with tools to take action on threats

The new HHS center represents a continuing effort by the federal government to address healthcare application cybersecurity. The new focus on healthcare’s fight against cyber threats correlates with the recent explosion of mobile health applications. In 2016, a total of almost 260,000 mobile health apps were found in app stores. The industry’s fear and concern is that cybersecurity is lagging far behind the uptake of new health technologies.

While HHS published a 5-year plan to build and foster this initiative, most industry experts are noting that this is not going to be a simple endeavor, and that it will bring few if any “near-term” benefits.

Is Ransomware a Breach Under HIPAA?


With the dramatic rise in ransomware, there has been much speculation on whether ransomware attacks constitute a reportable breach under HIPAA. The Department of Health and Human Services (HHS) issued guidance to provide clarity on this controversy once and for all. Short answer: yes, it does.


HIPAA defines a breach as “the acquisition, access, use, or disclosure of PHI in a manner not permitted under the HIPAA Privacy Rule which compromises the security or privacy of the PHI.”

Whether ransomware constitutes a breach under HIPAA is a fact-specific determination. HHS’s guidance states that when a healthcare organization is hit with a ransomware attack and electronic protected health information is encrypted as a result, a breach has occurred.

During a typical ransomware attack on a healthcare organization, ePHI is encrypted when attackers take control of the information. Thus, the ePHI was acquired, which results in a disclosure not permitted by the Privacy Rule.

Unless the attacked organization can show a low probability that the PHI was compromised, a breach of the information is presumed. This requires organizations to comply with the breach notification rules in HITECH, i.e., notification to affected individuals, HHS, etc.

“Low Probability”

How can an organization show a low probability that PHI was compromised as a result of a ransomware attack? HIPAA relies on a risk assessment of the breach taking into consideration the following four factors:

  • The nature and extent of the PHI involved
  • The unauthorized person who used the PHI or to whom the disclosure was made
  • Whether the PHI was actually acquired or viewed
  • The extent to which the risk to PHI has been mitigated

As far as ransomware goes, victim organizations should note the following in their risk assessment:

  • The exact type and variant of malware discovered
  • The algorithmic steps undertaken by the malware
  • Communications between the malware and the attackers’ command servers
  • Whether or not the malware infected other systems

Identifying these factors should help an organization determine what type of data the malware was searching for, whether or not the data was taken from the organization’s systems, and whether the information was actually acquired or viewed.

Key Takeaway

The important thing to note from this HHS guidance is that for healthcare organizations, a ransomware attack could result in a reportable breach. Many security experts and breach lawyers viewed ransomware attacks in a different light, and not many organizations were reporting these attacks to the HHS.

With the new guidance, we expect to see more breaches reported to the HHS at the end of the year, as well as more breaches hitting the HHS’s Wall of Shame.

With an uptick in the number of reported breaches, it’s also expected that OCR will get more involved with investigations into ransomware attacks. It’ll be interesting to see if any new HIPAA enforcement actions will arise from organizations hit with ransomware.

If your organization suffers a ransomware attack, it’s crucial to get a breach coach involved right away to help navigate the different reporting requirements.

HIPAA Settlement: Triple-S Fined $3.5 Million

The Office for Civil Rights (OCR) announced a resolution agreement with Triple-S Management Corporation for $3.5 million.

OCR began investigating the company for compliance with the Privacy, Security, and Breach Notification Rules after it received several notifications of data breaches. The previous breaches include a handful that affected more than 500 individuals and made it onto the HHS Wall of Shame, as well as a couple of smaller breaches.

  • Two former Triple-S employees were able to access a database that contained ePHI because their access rights were not terminated at the end of employment. The database included names, contact numbers, addresses, diagnoses, and treatment information.
  • A Triple-S vendor mailed pamphlets with visible PHI on the outside to beneficiaries. No business associate agreement was in place. The information disclosed included names, addresses, and Health Insurance Claim Numbers (HICN).
  • A former employee of Triple-S’ business associate copied PHI onto a CD, took it home, and downloaded it onto a computer at his new employer. The information included names, dates of birth, HICN, addresses, and SSNs.
  • Unauthorized disclosure occurred when incorrect member ID cards were placed in mailing envelopes. Beneficiaries received the member ID card intended for another individual. The information disclosed included names, ID numbers, contract numbers, effective dates, co-payments, and deductibles.

OCR Findings

OCR concluded from its investigation that there was a trend of widespread non-compliance at Triple-S and its subsidiaries. HIPAA violations included:

  • Failure to implement appropriate administrative, physical, and technical safeguards to protect the privacy of its beneficiaries’ PHI.
  • Impermissible disclosure of its beneficiaries’ PHI to an outside vendor, with no appropriate business associate agreement in place.
  • Disclosure of more PHI than was necessary to perform the intended job.
  • Failure to conduct a thorough risk analysis that accounts for all IT equipment, applications, and data systems using ePHI.
  • Failure to implement security measures sufficient to reduce risks and vulnerabilities to ePHI.
  • Failure to implement procedures for terminating access to ePHI upon end of employment.

Settlement Terms

Along with the hefty $3.5 million penalty, OCR issued Triple-S an extensive corrective action plan to take place over the next three years. Terms of the contract include:

  • Conducting an extensive risk analysis and implementing a risk management plan,
  • Implementing a process for evaluating operational changes that impact the security of PHI,
  • Reviewing and implementing policies and procedures that address the Privacy and Security Rules,
  • Providing training on HIPAA Rules for all staff members and business associates,
  • Providing OCR with reports on the progress of implementing the terms of the contract.


OCR has been active at the end of the year, also coming to a settlement with Lahey Hospital last month. Along with the focus on areas of non-compliance in the upcoming HIPAA Phase 2 Audits, the OCR is taking a stance that it will investigate organizations with recurring breaches. OCR proved it’s not afraid to lay down the hammer if it finds patterns of non-compliance with HIPAA requirements.

HIPAA Web Portal Launched

A new web portal was launched to help the Department of Health and Human Services’ Office for Civil Rights (OCR) understand what topics to address and provide guidance on. This portal is designed for mobile health application developers to seek advice on HIPAA compliance issues.

Much of the OCR’s available resources are dedicated to covered entities rather than business associates like app developers. The portal allows questions to be submitted and will be reviewed by the OCR to determine what HIPAA topics need further guidance. The goal is to help shed some light on how HIPAA applies to mobile health apps and other cloud service companies.

One feature to note is the anonymity of users who submit questions. Companies might be hesitant to raise an issue for fear that the information would be used in an OCR enforcement action. The portal ensures that identities and addresses are de-identified before reaching OCR, and OCR is not looking to use this information against anyone.

Hopefully this new platform of open information sharing and guidance requests will create a more collaborative approach to privacy and security in the healthcare sector.

HIPAA Settlement Lessons: Risk Assessment and Device Control Policy

The Department of Health and Human Services Office for Civil Rights reached settlement terms with Cancer Care Group for $750,000 in HIPAA violations. The Indiana-based physician group agreed to adopt a corrective action plan to bring its HIPAA program into compliance.

Cancer Care originally reported a breach to the OCR when an unencrypted laptop was stolen from an employee’s car. The computer contained ePHI including names, addresses, dates of birth, Social Security numbers, insurance information, and clinical information of around 55,000 patients.

After further investigation, the OCR found Cancer Care to be non-compliant with several HIPAA requirements including:

  • The physician group had not conducted a risk assessment of the potential vulnerabilities to the ePHI stored in its networks.
  • It did not have a written policy in place related to ePHI stored on portable devices that left the organization’s facilities.

OCR found these factors contributed to the data breach. Specifically, OCR Director Jocelyn Samuels stated, “Organizations must complete a comprehensive risk analysis and establish strong policies and procedures to protect patients’ health information.”

Director Samuels further stated that, “Proper encryption of mobile devices and electronic media reduces the likelihood of a breach of protected health information.”

Key Takeaways:

This settlement serves as a reminder to covered entities of the importance of complying with the following HIPAA requirements: conducting a risk assessment and maintaining a device management policy.

Lost or stolen devices are common causes for security breaches in the healthcare sector. Policies should include encryption provisions and two-factor authentication for mobile devices and electronic media. Training and awareness for employees on the organization’s security policies is also important to protect ePHI.

Lessons Learned from HIPAA Settlement

The Department of Health and Human Services’ Office for Civil Rights (OCR) reports it has entered into a resolution agreement with St. Elizabeth’s Medical Center for violations of the Health Insurance Portability and Accountability Act (HIPAA). St. Elizabeth’s has agreed to a fine of $218,000 and adoption of a corrective action plan to correct the deficiencies in its HIPAA compliance program. The agreement comes after investigation of two security incidents.

The first incident involved staff members using an Internet site to share documents containing electronic protected health information (ePHI) of about 500 individuals without taking into account the potential security risks. Furthermore, the investigation revealed that St. Elizabeth’s failed to adequately respond to a known security incident, mitigate the harmful effects, and document the incident.

The second incident involved notification to the OCR regarding the theft of a staff member’s personal laptop and USB flash drive that contained unsecured ePHI. About 600 individuals were affected.

“Organizations must pay particular attention to HIPAA’s requirements when using internet-based document sharing applications,” said OCR Director Jocelyn Samuels. “In order to reduce potential risks and vulnerabilities, all workforce members must follow all policies and procedures, and entities must ensure that incidents are reported and mitigated in a timely manner.”

The corrective action plan agreed upon calls for the medical center to:

  • Conduct a “self-assessment” of workforce members’ familiarity and compliance with the hospital’s policies and procedures that address issues including transmission and storage of ePHI;
  • Review and revise policies and procedures related to ePHI; and
  • Revise workforce training related to HIPAA and protection of PHI.

Lessons Learned

The OCR learned of the complaints from the staff members. Organizations should consider whether employees know how to report HIPAA issues or security incidents to the privacy and security officers. This gives the organization the opportunity to assess the incident and take any necessary actions to remediate the situation.

The settlement places significance on having a strategy in place when it comes to using the cloud. The strategy should include policies, training, and technical safeguards to ensure that ePHI stays secure and off unauthorized services.

Another issue that continues to come up is preventing unencrypted PHI from ending up on personal devices. The solutions are clear: PHI shouldn’t be stored on a personal device unless it’s necessary, and it should be kept encrypted if it is.