Tag Archives: PHI

Patient Data Exposed on the Web for Two Years

Software development projects within the healthcare sector pose a legitimate risk for breaches of protected health information (PHI). A reported breach of PHI from the University of Iowa Health Care shows how sensitive information can be exposed through an application development site.

Breach Details

UI Health Care was engaged in developing an online application involving patient data. On April 29, they discovered PHI of 5,300 individuals was exposed in unencrypted form on their app’s development site.

A third party who uncovered the data reported it to UI Health Care, prompting UI to delete the files in question on May 1. The investigation noted the exposed PHI in the files included patient names, dates of admission, and medical record numbers.

The root cause was found to be an employee leveraging open source programming tools while developing the web application. The PHI files were not made private and were left on the site after completion of the project.

UI Health Care noted efforts to prevent similar breaches of information in the future:

  • Tightening the process for development and management of custom databases
  • Educating staff and students about how and when to use tools designed to store sensitive data
  • Enhancing employee training on data privacy

Key Takeaways

This event demonstrates how easily health information can be exposed over the Internet… ultimately leading to a breach.

Employee negligence is once again the cause of a data breach. Proper oversight and workforce training are the key administrative safeguards against it. To reduce the human factor further, healthcare organizations should consider using synthetic test data for projects under development so that no real PHI is present to be exposed.
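The takeaway above combines two controls: keep real PHI out of development sites, and catch it before it is published when it does slip in. The following script is an added example written for this article, not code from UI Health Care or any vendor. It walks a web root, flags files whose contents look like patient records (the eight-digit MRN format, the ISO date and the `SYNTHETIC-TEST-DATA` marker are all assumptions), and reports whether each one is readable by every account on the host, which is the condition that turns a forgotten export into a public one.

```python
"""Pre-publish check for an application's development site: walk the web root,
flag files whose contents look like patient records, and report whether each
one is readable by every account on the host. Added example; the directory
layout, record format and MRN pattern are assumptions, not details from the
UI Health Care incident."""
import re
import stat
import tempfile
from pathlib import Path
from typing import Dict, List

# Assumed record format: an eight-digit medical record number near an ISO date.
MRN_RE = re.compile(r"\bMRN[:=\s]*\d{8}\b", re.IGNORECASE)
DATE_RE = re.compile(r"\b\d{4}-\d{2}-\d{2}\b")
# Fixtures generated for development carry this marker so the scan skips them.
SYNTHETIC_MARKER = "SYNTHETIC-TEST-DATA"


def looks_like_phi(text: str) -> bool:
    """True when the text carries MRN-style identifiers plus dates and is not
    explicitly tagged as synthetic test data."""
    if SYNTHETIC_MARKER in text:
        return False
    return bool(MRN_RE.search(text) and DATE_RE.search(text))


def is_world_readable(path: Path) -> bool:
    """Unix 'other' read bit: anyone on the host (or the web server) can read it."""
    return bool(path.stat().st_mode & stat.S_IROTH)


def scan_dev_site(root: Path) -> List[Dict[str, object]]:
    """Return one finding per suspicious file, sorted by path."""
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue
        if looks_like_phi(text):
            findings.append({
                "path": path.relative_to(root).as_posix(),
                "world_readable": is_world_readable(path),
            })
    return findings


def make_synthetic_record(index: int) -> str:
    """Fixture with the shape of a real admission record but no real patient."""
    return (f"# {SYNTHETIC_MARKER}\n"
            f"name=Test Patient {index}\nadmitted=2000-01-{index:02d}\n"
            f"MRN=9000{index:04d}\n")


def demo() -> List[Dict[str, object]]:
    """Builds a throwaway dev-site tree (constructed sample data) and scans it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for sub in ("exports", "private", "fixtures"):
            (root / sub).mkdir()
        # a real-looking export left readable by everyone on the host
        export = root / "exports" / "admissions.csv"
        export.write_text("name,admitted,MRN\nJane Doe,2017-03-02,MRN:12345678\n")
        export.chmod(0o644)
        # the same kind of data, but restricted to the owner
        notes = root / "private" / "notes.txt"
        notes.write_text("John Roe admitted 2017-04-11 MRN 87654321\n")
        notes.chmod(0o600)
        # synthetic fixture: same shape as the real data, skipped by the scan
        (root / "fixtures" / "patients.txt").write_text(make_synthetic_record(1))
        return scan_dev_site(root)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run as a pre-deploy step, a non-empty result should fail the build; the `world_readable` flag separates "PHI that should not be here at all" from "PHI that is also exposed to the web server account". The synthetic fixture shows the shape of test data that satisfies the developer without putting a real patient at risk.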

Mishandling HIV Information Costs Hospital $387,000

St. Luke’s hospital came under fire after faxing two patients’ sensitive medical information against their request.

The Office for Civil Rights (OCR) reached a settlement with St. Luke’s-Roosevelt Hospital Center over violations of HIPAA’s Privacy Rule related to impermissible disclosure of protected health information (PHI).

Who is St. Luke’s?

According to the OCR press release, St. Luke’s-Roosevelt Hospital Center Inc. (St. Luke’s) operates the Institute for Advanced Medicine, formerly the Spencer Cox Center for Health, which provides comprehensive health services to persons living with HIV or AIDS and other chronic diseases. St. Luke’s is 1 of 7 hospitals that comprise the Mount Sinai Health System.

Data Breach Details

OCR received an initial complaint in 2014 regarding impermissible disclosure of patient health information by the staff at Spencer Cox Center.

OCR launched an investigation, finding the Spencer Cox Center staff faxed the patient’s PHI directly to his employer, and not his personal post office box as he requested.

Information disclosed included highly sensitive medical information: HIV status, medical care, sexually transmitted diseases, medications, sexual orientation, mental health diagnosis, and physical abuse.

Through its investigation of this event, OCR discovered that the Spencer Cox Center was also responsible for a related breach of sensitive information nine months earlier and had taken no action to address the apparent issue. In that earlier breach, staff faxed another patient’s PHI, against the patient’s express instructions, to an office where the patient volunteered.

Settlement Details

The settlement includes a $387,000 penalty for St. Luke’s, along with a corrective action plan.

The corrective action plan includes several remediation steps:

  • Revise and distribute written policies and procedures concerning the uses and disclosures of PHI (mail, fax, or email), and update them annually
  • Revise and distribute training materials to include instruction on safeguarding PHI

Key Takeaways

For a case that involves the PHI of only two individual patients, this might seem like a heavy assessment by OCR. This high settlement amount conveys OCR’s focus on two areas in this case: 1) penalty proportionate to sensitivity of information and 2) penalty for avoidance of addressing compliance issues.

The settlement amount clearly reflects the sensitive nature of the patient’s information disclosed. The high penalty also addresses the avoidance of initial vulnerabilities. Had the Spencer Cox Center addressed issues within their compliance program during the initial breach, the procedures and policies would be in place to mitigate future events and prevent these types of impermissible disclosure.

It is no surprise to see OCR targeting a case with minimal individuals impacted. OCR noted last year they would start focusing more on smaller breaches. With this example, we see that OCR has been true to their word. We also reported on a $2.4 million penalty earlier in May for an incident involving only one patient’s information.

$2.4 Million HIPAA Penalty for Disclosing One Patient’s Name

The Office for Civil Rights (OCR) announced a curious settlement with Memorial Hermann Health Systems (MHHS) last week after an OCR compliance review. The review found impermissible disclosure of a single patient’s PHI… leading to a $2.4 million whopper of a fine.

Who is MHHS?

Memorial Hermann Health Systems is a Houston-based, non-profit healthcare system. Their services include 16 hospitals and specialty service centers.

Breach Details

In September 2015, office staff at an MHHS clinic were presented with a patient’s allegedly fraudulent identification card.

The staff immediately contacted law enforcement and the patient was arrested.

This disclosure of information was allowed under HIPAA’s Privacy Rule. Covered entities are permitted to disclose information to law enforcement for the purpose of aiding in an investigation.

However, a media response by MHHS subsequently disclosed the same PHI. Senior management approved this impermissible disclosure and even added the patient’s name to the headline of the press release.

Despite the previous law enforcement exception, this new impermissible disclosure qualified as a violation under HIPAA’s Privacy Rule.

OCR’s new Director Roger Severino commented, “This case reminds us that organizations can readily cooperate with law enforcement without violating HIPAA, but that they must nevertheless continue to protect patient privacy when making statements to the public and elsewhere.”

OCR also notes in their findings from the compliance review that MHHS failed to document the sanctioning of its workforce members for the press release incident.

Settlement Details

The focal point of the OCR / MHHS settlement is the hefty $2.4 million penalty. Some industry experts are surprised to see such a large fine here, given the disclosure was a single piece of PHI.

A few factors might have contributed to the size of the penalty:

  • The nonchalant attitude from management regarding patient privacy and PHI disclosures
  • The failure to apply sanctions to staff in the aftermath of the disclosure
  • The larger size of the healthcare system

The settlement also included a corrective action plan. The compliance measures on MHHS’ to-do list include:

  • Updating policies and procedures on safeguarding PHI from impermissible disclosures
  • Training workforce members on the policies and procedures
  • Confirming their understanding of permissible disclosures of PHI, including to the media

Key Takeaway

OCR is sending the message loud and clear: Covered entities need to use proper discretion according to the Privacy Rule when disclosing patient information.

If your organization is questioning whether a use or disclosure of patient information is permissible under HIPAA, reach out and validate with our Cybersecurity team.

If you’d like assistance, send us a note and brief explanation to cyberteam@eplaceinc.com and we’ll help guide you in the right direction.

Additional Notes

If you’re following along with us and keeping tally, this marks the 8th HIPAA enforcement action in 2017. Those enforcement actions have netted the OCR a grand total of $17 million in penalties.

This particular data breach reminds us of a case we reported on last year. New York Presbyterian Hospital found themselves in a similar conundrum when mixing media and patient privacy. You can read that article here.

OCR Clarifies Healthcare Permitted Uses and Disclosures

When can Healthcare organizations disclose patient information for public health purposes? The Department of Health and Human Services Office for Civil Rights (OCR) issued a guidance document to address that question. The purpose of the OCR guidance is to illustrate what uses and disclosures of patient information for public health reporting, surveillance, and investigations are allowed under HIPAA.

Guidance Details

The guidance document presents several scenarios to give examples of the situations in which healthcare organizations can share and disclose patient information.

Here’s one example of the scenarios presented:

The state’s Department of Health investigates the source of a recent measles outbreak in a local school, and state law authorizes the Department to access medical records to complete the investigations. The Department of Public Health asks all health providers in the state to report confirmed diagnoses of measles, including patient identity, demographic information, and positive test results. Under 45 CFR 164.512(b)(1)(i), providers within the state may use certified health IT to disclose PHI to the Department of Health.

The OCR is hoping to demonstrate how HIPAA supports and facilitates the exchange of health information. Of course, when protected health information is shared for public health purposes, the HIPAA Security Rule requirements still need to be met.

The goal is to encourage these types of disclosures to public health agencies authorized to collect the relevant health information.

Key Takeaway

This guidance shows the OCR’s effort to strike a balance between business and healthcare operations, public health and safety, and patient privacy and security.

The guidance gives healthcare organizations a practical look at these types of disclosures allowed under HIPAA for public health purposes.

Use of PHI for Marketing Results in HIPAA Violations

The Department of Health and Human Services agreed to a settlement and resolution agreement with Complete P.T., Pool & Land Physical Therapy (CPT) involving the improper use of protected health information for marketing purposes.

HHS’s Office for Civil Rights received a complaint about testimonials on CPT’s website. They found that the testimonials impermissibly disclosed individuals’ PHI by including full names and full face photographs.

The OCR investigation identified several HIPAA violations:

  • Failure to reasonably safeguard PHI
  • Impermissibly disclosing PHI
  • Failure to implement policies and procedures with respect to patient consent to use PHI in marketing campaigns

OCR Director Jocelyn Samuels stated, “With limited exceptions, the rule requires an individual’s written authorization before a use or disclosure of his or her protected health information can be made for marketing.”

Lessons Learned

As with all PHI, covered entities need to obtain valid authorization from a patient before disclosing their photograph or testimonial in any marketing materials – including posting on a website or social media page. A valid authorization should include the following:

  1. A meaningful description of the PHI to be used or disclosed,
  2. The names of persons authorized to make the requested use or disclosure,
  3. The names of persons to whom the Covered Entity may make the requested use or disclosure,
  4. A meaningful description of the purpose of the requested use or disclosure,
  5. The date or event that marks the end of the authorization, and
  6. The signature of the individual and the date.

Many covered entities fall into the same boat, with a lot of confusion surrounding the use of patient information for marketing purposes. This case highlights why it’s essential to train the marketing team on how the HIPAA Privacy Rule specifically applies to them.

Healthcare Provider Hit with Penalties for Employee’s Mishandling of PHI

Lincare Inc. – a provider of services to in-home patients – has been ordered to pay a civil monetary penalty of $239,800 for violations of the HIPAA Privacy Rule.

An investigation by the Office for Civil Rights (OCR) found that an employee improperly removed protected health information (PHI) of 278 patients from the Lincare building and stored it in her vehicle and home.

“Evidence established that this employee removed patients’ information from the company’s office, left the information exposed in places where an unauthorized person had access and then abandoned the information altogether,” OCR reports.

Lincare failed to keep track of the PHI once it left the premises, and its privacy policy did not address protecting PHI after an employee takes it offsite. Lincare also took no corrective action after learning of the incident and complaint.

OCR concluded that Lincare committed three HIPAA Privacy Rule violations:

  1. Impermissibly disclosing PHI
  2. Failing to reasonably safeguard PHI
  3. Neglecting to implement policies and procedures to comply with HIPAA Privacy Rule requirements

Key Takeaways

This OCR investigation reminds healthcare companies that they need to address the security of paper records as well as electronic information. Even with the relatively small number of people affected by the incident, the fine is based on the lack of controls in place. OCR wants to see that policies and processes are in place to protect PHI. OCR gave Lincare opportunities to address their HIPAA violations, but no changes were made.

HIPAA Guidance: Are You Giving Patients Access to Their Information?

The Office for Civil Rights (OCR) released a guidance that clarifies the provision under the HIPAA Privacy Rule giving individuals a right to access their protected health information. OCR has found that individuals often face resistance when trying to access their health information from healthcare entities under HIPAA.

Under the HIPAA Privacy Rule, individuals have the right to access medical and health information from covered entities and business associates. The information covered includes, but isn’t limited to, medical records, billing and payment records, insurance information, clinical laboratory test reports, and x-rays.

There are a couple of exceptions that aren’t subject to individual access under the HIPAA Privacy Rule:

  • Psychotherapy notes are not required to be released when maintained separately from the medical records.
  • Information collected in preparation for a legal proceeding is not required to be released.

The healthcare entity is required to respond to the individual’s request no later than 30 calendar days after receiving the request. A fee may also be applied to the individual for a copy of their records.

Safeguarding PHI Against Riot Looting and Theft

Retail pharmacy chain Rite Aid issued a statement on June 3 to notify the media that an undisclosed number of customers from several Baltimore area stores might have been affected by breaches of their protected health information (PHI) resulting from the looting and riots that took place in late April.

“A number of our Baltimore locations, along with many other Baltimore businesses, were broken into and looted and/or severely damaged as a result of civil unrest,” the Rite Aid statement says. “Due to these criminal activities, a number of prescriptions were either damaged beyond recovery or stolen. The stolen prescriptions or prescription information would have contained sensitive information such as patient names, patient address, medication name, and [drug] directions. It is important [to note] that no financial information such as credit card numbers or Social Security numbers was involved.”

The Rite Aid pharmacies weren’t the only ones affected by the looting. Some 27 Baltimore-area pharmacies were looted or broken into during the riots. CVS Health has also said that the chain would be notifying patients whose PHI might have been compromised during the riots.

While looting incidents are relatively rare, pharmacies experience robberies and thefts frequently. To safeguard PHI against thieves, basic information security principles should apply:

  • Encrypting all data, including that in databases and on servers
  • Reducing paper-based PHI to the minimum necessary
  • Locking up any papers, labels, and prescription medications after hours
  • Using a just-in-time labeling process for pill bottles, so labeled bottles (and the PHI on them) are not sitting on shelves waiting to be stolen

The HHS Office for Civil Rights provides additional guidance on their website.

Even Encrypted Emails Can Fail…

Beacon Health System, located in South Bend, Indiana, has started notifying 220,000 patients of a breach of their protected health information (PHI). The compromise was the result of phishing attacks on the company’s employees dating back to November 2013, giving hackers access to email accounts containing patient data.

The majority of the accessible data consisted of patient name, doctor name, and internal patient ID number. Other sensitive data accessible in some accounts included Social Security number, date of birth, driver’s license number, diagnosis, and treatment.

Beacon Health’s forensic team discovered the unauthorized access to employee email accounts on March 26, 2015. On May 1, 2015 the team determined the accounts contained PHI and reported the incident to the U.S. Department of Health and Human Services, the FBI, and various state regulators. The last unauthorized access was on January 26, 2015. Individuals who became patients after that date were not affected by the breach.

Healthcare Targeted

Healthcare providers are increasingly becoming major targets for attackers. Their digital environments are complex and contain more vulnerabilities for attackers to exploit. Yet attackers are still relying on the gold standard of their trade: phishing.

Attackers continue to use fake emails to trick recipients into clicking links to fake websites that collect their account credentials, or into opening attachments that infect their computer with malware that steals the credentials.

This incident is another reminder in a string of healthcare breaches this year that healthcare organizations need to increase training about phishing threats and enforce strict email policies. Other considerations should include using multi-factor authentication, encrypted email, and avoiding PHI in email messages.

Safeguarding PHI

Healthcare organizations have increasingly jumped on the encryption bandwagon to secure email communications. While this is an important technical safeguard, it doesn’t guarantee security. Encryption protects messages in transit and at rest against outsiders, but the mailbox owner’s credentials unlock them. In cases such as the Beacon Health incident, once employees hand over their account credentials, the protection of encryption is gone: the attacker logs in as the employee and reads the messages in the clear, exactly as the employee would.

Another safeguard gaining traction is multi-factor authentication. This requires users to provide not only a username and password combination to log in, but also a one-time code that is sent to the individual through a separate channel. A phished password alone is then not enough; the attacker must also get through this additional layer to compromise the account.

But in the end, the best practice would be refraining from sending PHI in email communications altogether. This ensures that even if an attacker is able to bypass the safeguards in place they wouldn’t compromise critical data assets.
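To make the second-factor mechanism above concrete, here is an added example (written for this article, not code from Beacon Health or any authentication vendor) of a one-time-code verifier next to a password check. It shows why a phished password on its own does not log the attacker in, and it handles the two failure modes a practitioner cares about: a code must expire quickly and must be usable only once, and repeated wrong guesses must void it, since a six-digit value is otherwise guessable. The six-digit length, 300-second lifetime, five-attempt budget and the PBKDF2 password store are all assumptions made for the example.

```python
"""Second-factor check with a one-time code: a code is issued per login
attempt, delivered out of band, and accepted once within a short window.
Added example; the 6-digit length, 5-minute lifetime and 5-attempt limit are
assumptions, not settings from any vendor product."""
import hashlib
import hmac
import os
import secrets
import time
from typing import Callable, Dict, Optional, Tuple

CODE_DIGITS = 6
CODE_TTL_SECONDS = 300   # assumed lifetime of an issued code
MAX_ATTEMPTS = 5         # assumed guess budget before the code is voided


class OneTimeCodes:
    """Issues and verifies single-use codes. Codes are stored hashed so a
    leaked table does not hand out live codes; the real protection against
    guessing a 6-digit value is the short lifetime plus the attempt limit."""

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now   # injectable clock so expiry can be tested
        # username -> (code_hash, expires_at, attempts_left)
        self._pending: Dict[str, Tuple[str, float, int]] = {}

    @staticmethod
    def _hash(username: str, code: str) -> str:
        return hashlib.sha256(f"{username}:{code}".encode()).hexdigest()

    def issue(self, username: str) -> str:
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[username] = (self._hash(username, code),
                                   self._now() + CODE_TTL_SECONDS, MAX_ATTEMPTS)
        return code   # in production this goes to the user's phone, not the caller

    def verify(self, username: str, code: str) -> bool:
        entry = self._pending.get(username)
        if entry is None:
            return False
        code_hash, expires_at, attempts_left = entry
        if self._now() > expires_at or attempts_left <= 0:
            del self._pending[username]        # expired or guessed too often
            return False
        if hmac.compare_digest(code_hash, self._hash(username, code)):
            del self._pending[username]        # single use: a replay fails
            return True
        self._pending[username] = (code_hash, expires_at, attempts_left - 1)
        return False


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2 password hash (assumed store format for the example)."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def login(users: Dict[str, Tuple[bytes, bytes]], otp: OneTimeCodes,
          username: str, password: str, code: Optional[str]) -> bool:
    """Both factors must pass; a phished password alone is not enough."""
    entry = users.get(username)
    if entry is None:
        return False
    salt, stored = entry
    if not hmac.compare_digest(stored, hash_password(password, salt)[1]):
        return False
    return code is not None and otp.verify(username, code)


def phished_password_scenario() -> Tuple[bool, bool]:
    """Constructed scenario: the attacker holds the phished password, but the
    code went to the user's phone. Returns (attacker succeeded, user succeeded)."""
    users = {"nurse01": hash_password("Winter2015!")}   # constructed account
    otp = OneTimeCodes()
    code = otp.issue("nurse01")
    guess = "123456" if code != "123456" else "654321"  # attacker guesses
    attacker = login(users, otp, "nurse01", "Winter2015!", guess)
    user = login(users, otp, "nurse01", "Winter2015!", code)
    return attacker, user


if __name__ == "__main__":
    print(phished_password_scenario())   # expected (False, True)
```

The design choice worth noting is that the code is bound to the username, hashed at rest, consumed on first success and voided after a handful of wrong guesses; without the attempt limit, a six-digit code would fall to an online guessing loop well inside five minutes. Real deployments use a vendor's MFA service rather than a hand-rolled store, but the checks are the same ones.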

HIPAA Marketing Violation Affects 80,000 Health Plan Members

TRH Health Plan of Columbia, Tennessee launched an investigation after it received numerous questions from its members regarding a Medicare Advantage mailing promotion from BlueCross BlueShield (BCBS) of Tennessee. As a result, TRH is notifying 80,000 members that a limited amount of protected health information (PHI) was inappropriately used by BCBS Tennessee. The information disclosed included names, addresses, and subscriber IDs.

TRH reports that the PHI was inappropriately shared with a third-party vendor that BCBS Tennessee hired to print documents and assist in the mailings. In addition, they believe the potential harm to be mitigated based on the limited amount of PHI released and quick response to the incident.

The HIPAA Omnibus Rule that went into effect in 2013 tightened the restrictions on the disclosure of PHI for marketing purposes and extended HIPAA requirements to apply to business associates as well. Furthermore, under HIPAA Omnibus, covered entities, as well as business associates, can be fined up to $1.5 million per HIPAA violation.

Key Takeaway:

The unauthorized use and disclosure of patient information for marketing purposes by BCBS Tennessee offers a reminder of the importance of complying with HIPAA’s marketing-related provisions.