HIPAA Blog

[ Tuesday, December 17, 2024 ]

 

 OCR and Abortion: If you're wondering if OCR is going to try to jump into enforcement actions of the soon-to-be-implemented (and likely soon-to-be-rescinded) reproductive health data rule, you should be aware that OCR has already fined a health system $35K for improperly disclosing a patient's reproductive health PHI.  The patient authorized the release of a single test result to her employer, but the hospital mistakenly disclosed her whole record.  


Jeff [7:10 AM]

[ Wednesday, December 11, 2024 ]

 

The Blinding, Amazing Stupidity of Xavier Becerra's HHS.  

OK, there are plenty of examples of this, but the one I'm wrestling with right now is so frustratingly idiotic, and an example of all the problems that happen when a governmental department is run as a virtue-signaling platitude operation rather than a serious governmental agency serving its constituents, the public.  It is all the more frustrating that it comes while so many people are questioning the competence or credentials of Trump's cabinet selections, while ignoring the utter incompetence of Xavier Becerra.

I speak, of course, of the Biden Administration's so-called "HIPAA Privacy Rule to Support Reproductive Health Care Privacy," which was published in final form on June 25, 2024.  Let's be honest, this rule change is solely about one thing: the impotent, petulant cry of the pro-abortion lobby at the Supreme Court's decision in the Dobbs Case, which threw out the social experiment that was Roe v. Wade and returned the question of whether abortion should be legal or not to the legislatures of the various states or, if it chooses, Congress.  

I don't care which way you come down on the abortion debate.  There are intellectually (and societally) consistent rationales on both sides.  But it is not a matter that 9 lawyers, no matter how smart, should decide for the other 330 million of us.  It is a matter best dealt with by the democratic process.  And I will fight you on that.

Back to the matter at hand.  A little background:

Texas passed a law, the Texas Heartbeat Act, in 2021 (i.e., pre-Dobbs), which outlawed abortions once a fetal heartbeat is detectable.  The statute has a peculiar provision: state officials are prohibited from enforcing it, but private citizens may do so.  This prevented abortion-rights groups like Planned Parenthood from suing Texas state officials to have the law deemed unconstitutional under Roe (and Casey's "undue burden" test).  (The Texas statute that was the subject of the Roe decision, which is effectively a total ban on abortions, was never repealed by the legislature, despite being declared unconstitutional by the Roe court; thus, it was still on the books to be "resuscitated" after Dobbs overturned Roe.)  

The Heartbeat Act also prohibits anyone from "assisting" any post-heartbeat abortion; theoretically, this could mean that a private citizen could sue a company that offers to assist Texas women who want to travel to another state to receive a post-heartbeat abortion, claiming that they are providing the assistance in Texas, where it is illegal.  The Texas Attorney General in fact sent threatening letters to some large employers in the state in an effort to prevent them from offering abortion travel assistance as an employee benefit.

Rather than stay out of the fray, the Biden Administration jumped in with both left feet.  This regulation would have single-handedly destroyed any basis for Chevron deference: if governmental agencies are capable of drafting something as stupid, incoherent, and unwieldy as the HIPAA Privacy Rule to Support Reproductive Health Care Privacy, they should not only not get deference, those challenging the regulations should get the benefit of the doubt.

Basically, the new rule (i) prohibits uses and disclosures that could possibly be used to conduct any type of investigation into someone seeking, obtaining, or facilitating reproductive care (extremely broadly defined); (ii) requires covered entities to get an attestation prior to making any use or disclosure for health oversight, legal proceedings, law enforcement, or to coroners/medical examiners if the use or disclosure might touch on reproductive care (again, broadly defined); and (iii) requires every Notice of Privacy Practices to specifically reference the prohibition in (i) and the attestation in (ii).

How bad is this?  Let me count the ways:

Given the awful drafting of this Rule and the confusion regarding its meaning and effect, I can safely say that well over 95% of all healthcare providers will arguably be in violation of this Rule as soon as it becomes effective.

It hardly needs mentioning that the decision-makers at HHS will be gone 40 days from now.  The likelihood that this rule will survive in the new administration is extremely low.  And the Texas Attorney General filed suit in September, seeking to have enforcement of the rule enjoined, although the court has not acted yet.

But the stated effective date for all but the Notice of Privacy Practices provisions is December 23, 2024 (less than a month prior to Trump's upcoming inauguration).  Given the lost election, do you think HHS would back off and delay enforcement until the new administration decides to keep it or junk it?

Hell no.  HHS wants all entities subject to HIPAA to have to jump through all of these hoops unnecessarily.  They want covered entities and business associates to require unnecessary attestations, draft unnecessary policies and procedures, and revise their Notices of Privacy Practices for no good reason.  

Finally, I would note that, while noises have been made by the Texas Attorney General and others, I am unaware of anyone actually attempting to enforce the statute that triggered this Rule.  Certainly, I am unaware of anyone anywhere trying to enforce the Heartbeat Act in a manner that this Rule would prevent.  Thus, the cherry on top here, the chef's kiss, is this: this is a solution in search of a problem, a fix for a non-existent calamity.  All of this is entirely unnecessary.

 Is it any wonder everyone hates the government?



Jeff [4:37 PM]

[ Monday, November 18, 2024 ]

 

Ransomware is the Biggest HIPAA Issue Facing the Healthcare Industry: According to a survey recently conducted by Sophos, 67% of all healthcare providers reported a ransomware attack in 2023.  This number increases every year; it's time for the industry to learn how to prevent it.  The mean cost of recovery is $2.5 million.  

The survey also indicates that ransomware bandits specifically target available backup files for encryption, preventing victims from avoiding the ransom payments.  Providers whose backups were encrypted were twice as likely to have to pay the ransom.

Jeff [5:47 PM]

 

Recent Ransomware settlement: 

OK, I've sort of fallen down on the job here keeping the HIPAABlog updated, but I'm going to try to dump a bunch of items that I've been stacking up.  So here goes.

In September, OCR settled with Cascade Eye and Skin Centers (WA) regarding Cascade's HIPAA failures that resulted in Cascade suffering a ransomware event that exposed 291,000 PHI-containing files (it is unclear how many individuals were affected).  OCR cited 2 specific failures on Cascade's part: failure to conduct a proper risk analysis, and failure to have procedures in place to monitor system activity.  Risk analysis is the linchpin of HIPAA security -- if you haven't done it, you don't even know if your security is good.  And monitoring the activity on your information systems can give you an early warning that something is amiss.

The settlement agreement is here.


Jeff [5:40 PM]

[ Friday, October 04, 2024 ]

 

Providence Medical Institute Ransomware Fine: Providence Medical Institute has been fined $240,000 by OCR for HIPAA violations in connection with a ransomware attack that exposed the PHI of over 80,000 individuals.  Interestingly, OCR only noted 2 HIPAA violations warranting the fine: lack of an appropriate BAA, and lack of policy restrictions on the people and programs who can access PHI.  OCR did NOT note a lack of a sufficient risk assessment (but maybe that's implied since a good risk assessment would have noted the access problem and lack of BAAs?).


Jeff [11:55 AM]

[ Monday, September 16, 2024 ]

 

Offshore Outsourcing of Tech Services Can Be Problematic: A few weeks ago, HHS removed two Obamacare enrollment companies from accessing the ACA Marketplace based on concerns that the companies potentially allowed consumers' personal information to be accessed in India. The companies operate the BenefitAlign and TrueCoverage websites, and use an Indian data center.

US privacy law does not generally prohibit the use of offshore companies as business associates, as long as a business associate agreement is in place.  However, even with a BAA in place, HIPAA covered entities still have an obligation to vet their contractors and cannot turn a blind eye to whether their offshore business associates will abide by their BAA obligations.  There's always a question of whether a rogue business associate can be dragged into a US court if they violate the BAA.  

Additionally, some federal and state payment programs (including some state Medicaid programs) specifically limit the ability to use offshore contractors, if they will have access to PHI.  

Some tech companies set up elaborate systems to limit the transmission of PHI outside the US, including systems where theoretically the data never leaves the US and the offshore consultant does not technically receive the data, but is merely able to "see" it from afar (although that seems like a convenient fiction).  Certainly, most legitimate Indian, Philippine, and Pakistani tech companies have elaborate systems in place to ensure that their human staff can't take data with them (employees are not allowed to bring cameras or cell phones into the workspace and are searched coming and going, there are no USB ports or other ways to access the data system, etc.).

It's almost impossible to obtain any tech services where no aspect of the service is done outside the US.  However, you should be aware of these concerns and especially careful if you are bound by Federal Acquisition Regulations or other obligations that might restrict the offshoring of personal data.


Jeff [11:38 AM]

[ Wednesday, August 21, 2024 ]

 

Great Write-Up on OCR's 3rd Ransomware Settlement: Theresa Defino of Report on Patient Privacy has an excellent article on the recently-announced settlement Heritage Valley Health System entered into with OCR.  Heritage Valley got hit by the NotPetya ransomware attack back in 2017 through no real fault of their own -- they used Dictaphone transcription software as part of iChart, and that was the vector of the attack.  Dictaphone had been acquired by Nuance Communications, which aggressively expanded overseas; the ransomware originated in Ukraine, and entered Heritage Valley's system through a trusted VPN they had with Nuance.  Unfortunately for Heritage Valley, they never signed a new contract with Nuance, so their suit against Nuance was dismissed.  

It's hard to imagine how Heritage Valley could've protected itself and prevented this attack; they had a contract with Dictaphone, but their failure to sign a new agreement with Nuance wasn't the cause of the attack.  Regardless, OCR hit Heritage Valley with the biggest ransomware-related fine yet, almost $1 million.


Jeff [2:59 PM]

[ Thursday, August 01, 2024 ]

 

Baim Institute for Clinical Research Suffers Ransomware event and Data Disclosure: According to this analysis by Safety Detectives, Baim Institute for Clinical Research was a victim of a ransomware event, did not pay the ransom, and some of the data was subsequently posted on the internet.

There are many interesting aspects to this breach.  First, it's unclear whether HIPAA is implicated; Baim is not a covered entity, but it could be a business associate, depending on who it contracts with and provides services to.  To the extent the incident was caused by Baim's lack of sufficient security, it could be a contractual breach by Baim.  The data disclosed contains little that would be PHI, and that which is PHI is not likely to be useful for identity theft, since it only includes very limited information about adverse events, and it's unclear if even patient names are included (age and gender are data points that can remain in de-identified PHI); however, the data could potentially be useful for blackmail, public embarrassment of the study participants, etc.  The disclosed data seems to have 3 value points: (i) reputational damage to Baim by exposing them as potentially bad data stewards; (ii) possible disclosures of Baim's business relationships that a competitor might exploit; and (iii) information about particular studies that could indicate whether a drug in development might be a blockbuster or flop (and therefore potentially affect the stock price of the sponsor).

It is yet one more message to the industry: it's not a question of if, but of when, and if you are not prepared for a ransomware attack, you deserve what you get.  Good backups, good perimeter security, good testing of your systems and staff, and good mapping of your systems can go a long way to preventing most attacks, and allowing you to recover from those lucky dogs that get through.

Good work by Safety Detectives.


Jeff [9:20 AM]

 

OneBlood Blood Donation Center Hit by Ransomware Attack: The blood donation and distribution organization, which supports 350 hospitals across Florida, Georgia and the Carolinas, is suffering disruption of its blood collection efforts due to the attack.  

Jeff [8:35 AM]

[ Wednesday, July 24, 2024 ]

 

2024 Will Be Big:  I have a feeling 2024 will be a record year for data breaches, both in number of breaches overall and the size of the breaches (given the AT&T and Change breaches).


Jeff [8:28 AM]

[ Thursday, July 11, 2024 ]

 

 Change Healthcare Updates its Breach Notice. They added a timeline, apparently, and are going to finally start sending notices to affected individuals.

I expect that most of us will get a letter, since I expect at least 3/4 of all Americans had data passing through Change one way or another.  I am also still expecting a record fine from OCR on this, perhaps 9 figures. 


Jeff [8:47 AM]

[ Tuesday, July 09, 2024 ]

 

If you're using MOVEit, you should PATCHit first: Lots of folks in the healthcare industry use MOVEit for file transfers; about a year ago, there were a lot of breaches because of a vulnerability in the software.  Well, it appears that there are a couple more.

Bad news: hackers have already figured out and deployed exploits for those flaws.  Good news: Progress Software, which owns MOVEit, has patches.  Meh news: you need to apply the patches for them to fix the problems.  

If you use MOVEit, patch it now!

Jeff [8:53 AM]

[ Tuesday, July 02, 2024 ]

 

Geisinger data breach impacted 1.2 million people: This breach is interesting because it's a disgruntled former employee of a vendor who accessed the data for 2 days, so the spread of it might be more limited than a general hacking attack. 


Jeff [9:51 AM]

 

OCR settles ransomware and cybersecurity investigation involving Heritage Valley Health for $950,000: This is the 3rd settlement of a ransomware incident by OCR and may indicate a focus by OCR specifically on cyberattacks.  OCR cited Heritage Valley for the usual problems, including failure to do a sufficient risk analysis, failure to implement a contingency plan, and failure to implement appropriate HIPAA policies and procedures.


Jeff [9:41 AM]

 

New Social Engineering Schemes Target Healthcare: The FBI and HHS are warning healthcare industry participants about increased phishing and other schemes targeting the healthcare industry.  Ransomware and cyberattacks are up; protect yourself.


Jeff [9:25 AM]

[ Monday, June 24, 2024 ]

 

Federal Court Blocks HHS Rule Prohibiting Use of Web Tracking Technologies Such as Google Pixel:  As you probably know, HHS has issued guidance to HIPAA Covered Entities that they cannot use web-tracking technology if the tech provides any possible PHI to the tech provider.  Most websites have tracking technology; it tells the site owner what pages attract viewers and how they act when they get there (i.e., which buttons they click and how they respond to certain elements on the site).  These allow the site owner to know what's working, what customers are looking for, where they should provide more or less services, etc.  

The problem is that the tech provider usually also wants the data generated by the tracking tech.  The tech provider can use the greater amount of consumer action data to make the technology better, improve their algorithms, etc.  The problem is that the tech providers generally don't sign BAAs; they are not really getting PHI (the information may be entirely random, such as when a student is looking at a site for information on types of clinical treatment for a particular type of cancer).  However, in some instances, such as when people with that type of cancer are looking for treatment for themselves, the fact that the person looked up treatment options could be evidence that the person has that condition, which would be PHI.  

In most instances, the websites have Terms of Use and Privacy Policies that note that tracking technologies are used, so website visitors are forewarned of the potential disclosures.  However, those warnings certainly don't meet the requirements of a HIPAA authorization.

There have been class action lawsuits (one even settled with a large payout!) claiming that the use of the technology by a HIPAA-covered Entity is a HIPAA violation because of those instances where it is a person with the condition; the Covered Entity has disclosed that website visitor's PHI (the visitor's IP address linked to the cancer diagnosis) to the technology provider for a non-HIPAA-permitted purpose without a BAA.  

The American Hospital Association sued HHS over the guidance, and a Federal District Court in the Northern District of Texas has ruled that HHS overstepped its legal authority in attempting to enforce HIPAA in that fashion.  

For now, providers can go back to using trackers, but keep an eye out; HHS might appeal.


Jeff [8:43 AM]

[ Friday, May 24, 2024 ]

 

CentroMed: Lightning Strikes Twice: It's a dumb aphorism that "lightning never strikes twice."  Lightning is always more likely to strike the tallest thing around.  Why have a lightning rod as a defense if not for the fact that you want lightning to strike it rather than some other place?   

But an aphorism it is, so it makes the headline when a major event recurs.  In this case, CentroMed, a string of clinics in San Antonio, has had 2 major data breaches within a 12 month period.

Jeff [8:20 AM]

[ Tuesday, May 21, 2024 ]

 

HHS, ARPA-H announce UPGRADE program to automate cybersecurity for healthcare entities: The Advanced Research Projects Agency for Health (a technology funding agency in HHS) has announced that it will put $50 million toward finding ways to enhance and automate cybersecurity in the healthcare arena through a new program called UPGRADE (Universal PatchinG and Remediation for Autonomous DEfense -- yes, like most clinical research trials, it's a tortured acronym).  If they can actually set up a program that sets automatic patching and recognized-security-practices-type policies that the average healthcare entity can easily adopt, that would be great.  I have a feeling that instead they'll produce hour-long videos and 1,000-page white papers that spend WAY too much time rationalizing the agency's people and processes, such that the end product will be a huge waste of time for users.  

We'll see. . . .


Jeff [10:34 AM]

[ Tuesday, May 14, 2024 ]

 

AHA and H-ISAC Issue Black Basta Warning: The American Hospital Association and the Health Information Sharing and Analysis Center (H-ISAC) have jointly issued a warning to health systems about a Russian hacker group known as Black Basta that is specifically attacking the US health sector.  The warning comes on the heels of the Ascension cybersecurity incident that is still snarling that system's ability to provide care.

Grab a printout of your last Security Risk Assessment and look at any cyber-defenses that you are lacking; if there's anything that a hacker could exploit, fix it now (or at least put warning bells and buzzers around it).  If you can't put your hands on your last SRA, you don't have one (basically in violation of HIPAA).  You should also be (i) auditing access and data transfer flows (your staff should be accessing data and you should be moving it around -- transferring to other providers and payors, etc. -- but if people are accessing data they shouldn't, or large data files are being transferred to a Nigerian IP address at 3 am on Saturday, something's probably wrong); (ii) regularly backing up your data to serial, secure, and encrypted data backup sites that are disconnected from the internet; (iii) implementing MFA; (iv) mapping your data systems, which will allow you to close unused data ports and shut down internet access to any parts of your computing environment that don't need it; (v) implementing encryption where possible; (vi) using firewalls and virus scanning tech; and (vii) testing your people and systems to keep your most vulnerable line of defense sharp (penetration testing from the outside in, phish testing and training from the inside out).
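As an added illustration of the transfer-flow auditing in item (i), and not code from the blog, here is a small Python script that applies that "large file, unknown destination, 3 am on Saturday" heuristic to constructed transfer-log lines. The log format, the partner allowlist, the size threshold, and the business-hours window are all assumptions for the example.

```python
"""Off-hours bulk-transfer detector (added example, not from the HIPAA Blog).

Flags outbound transfers that fit the heuristic in the post: a large file
leaving the network for an address outside the known partner list, with
off-hours timing recorded as an aggravating factor. All inputs are constructed.
"""
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample log lines: timestamp, user, destination IP, bytes sent.
# (2024-05-11 is a Saturday; 203.0.113.0/24 is documentation address space.)
SAMPLE_LOG = """\
2024-05-11T03:02:17 svc_backup 203.0.113.45 4831234567
2024-05-13T10:15:02 jdoe 198.51.100.8 1048576
2024-05-13T14:40:55 rn_smith 192.168.20.14 734003200
2024-05-14T02:10:09 jdoe 203.0.113.77 209715200
2024-05-15T11:05:30 billing 198.51.100.8 3221225472
"""

# Assumed allowlist: a partner (payor/provider) network plus internal ranges.
TRUSTED_NETS = [ip_network("198.51.100.0/24"), ip_network("192.168.0.0/16")]
LARGE_BYTES = 100 * 1024 * 1024   # 100 MiB; assumed threshold
BUSINESS_HOURS = range(7, 19)     # 07:00 to 18:59 local; assumed window


def parse_line(line):
    """Split one constructed log line into a typed event dict."""
    ts, user, dst, nbytes = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "dst": ip_address(dst), "bytes": int(nbytes)}


def is_off_hours(ts):
    """Weekend, or outside the assumed business-hours window."""
    return ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS


def is_trusted(dst):
    return any(dst in net for net in TRUSTED_NETS)


def score(event):
    """Return the reasons an event looks wrong; an empty list means clean."""
    reasons = []
    if event["bytes"] >= LARGE_BYTES:
        reasons.append("large")
    if not is_trusted(event["dst"]):
        reasons.append("untrusted-dest")
    if is_off_hours(event["ts"]):
        reasons.append("off-hours")
    # Alert only when size AND destination both look wrong. Off-hours alone is
    # not enough (legitimate backups run at night), so it escalates rather than
    # triggers; the backup account shipping data to an unknown host still fires.
    return reasons if {"large", "untrusted-dest"} <= set(reasons) else []


def find_suspicious(log_text):
    """Run the heuristic over a log blob; returns (user, dest, bytes, reasons)."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        reasons = score(ev)
        if reasons:
            alerts.append((ev["user"], str(ev["dst"]), ev["bytes"], reasons))
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious(SAMPLE_LOG):
        print(alert)
```

On the constructed lines, the two transfers to the 203.0.113.0/24 hosts are flagged; the 3 GB daytime transfer to the allowlisted payor network is not, which is the point of keeping a maintained partner list rather than alerting on size alone.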

If you aren't taking a serious look at your cyber defenses, you'll have no one to blame but yourself if you get caught by one of these bandits.


Jeff [8:38 AM]

[ Monday, May 13, 2024 ]

 

Ascension Hit With Ransomware Attack: The story is still breaking, but Ascension Health was the victim of a cyberattack that affected its EMR and MyChart, in addition to disrupting service at hospitals, clinics, and emergency rooms. 


Jeff [8:52 AM]

[ Thursday, May 02, 2024 ]

 

Size Matters: Just how big is the Change Healthcare breach?  Over 100 million Americans may be affected.  

I rode in a 150-mile bike ride between Houston and College Station, Texas last weekend; the Bike MS 150 raises money for research into a cure for multiple sclerosis.  There were several thousand riders, of all shapes, sizes, athleticism and biking skills.  No matter who you are, odds are there's someone faster than you and someone slower than you.  That gives you the opportunity to find a rider (or more likely a group of riders) who are slightly faster than you, upon whom you can "draft" as they ride past.  One thing you learn while riding in a large group is the benefit of numbers and the concept of the Peloton: the lead rider cuts a path through the air molecules such that trailing riders can exert less energy to keep up the same speed; likewise, the riders close behind the lead rider cut the aerodynamic "drag" on that rider by disrupting the backdraft that would normally happen.  

So when you are riding by yourself and a group passes you by a couple miles per hour faster, you can drop into the air behind them and ride at their speed with the same level of effort (or less) than you were exerting by yourself. The pack of riders creates a "wind shadow" that hides you from the mass of air you would otherwise be riding into (as if against the wind). 

I bring this up because something occurred to me this morning: the Change breach may end up creating a "wind shadow" for other providers who are dealing with data breaches over the next few years, at least with respect to lawsuits for breach damages: how can a plaintiff prove that his damages were caused by Dr. Smith's data breach when the plaintiff's data was already exposed via the Change breach?  


Jeff [8:11 AM]

[ Tuesday, April 23, 2024 ]

 

United Healthcare: It's been a bad spring for UHC: their pharmacy order and clearinghouse subsidiary Change Healthcare suffered one of the most impactful cybersecurity events in healthcare, resulting in delayed prescription deliveries and payment processing for providers and plans.  We are now learning that hackers from the AlphV hacker group (also referred to as BlackCat) apparently accessed Change's systems February 12 and began stealing data.  On February 21, AlphV detonated a ransomware bomb that encrypted and froze the bulk of Change's system, basically shutting down Change's claims processing and clearinghouse function, along with its Optum affiliate that processes pharmacy orders.  UHC has now announced that the data was stolen and is now being disclosed by the hackers.

Wired magazine reported that Change paid $22,000,000 in ransom to get the hackers to return or destroy the data.  Now, UHC is announcing that the hackers are disclosing the data anyway.  Who would've thought hackers wouldn't honor their promises?


Jeff [8:20 AM]

[ Wednesday, April 17, 2024 ]

 

Tracking Technologies: In the latest news on the use of website tracking technologies such as Google Pixel, Monument Health has entered into a settlement agreement with the FTC to not use the technology in a way that could leak its patients' PHI to advertisers.  

Technically, the pixels allow technology companies to track behavior of website visitors, such as by tracking where they go on a website.  It helps the website owner know what services people are interested in, what web page language seems to attract visitors, and other information that can help the website owner improve its business.

A user's behavior on a website is not always PHI, but it could be: someone could look at a website for a particular disease because they are curious about it, are researching it, or have a friend or family member who has the disease; however, it's also fairly likely that when someone clicks on a link that says, "if you have health condition X and are interested in treatment options, click here," clicking on the link is at least closely correlated to the person having the condition, which is PHI.  

The company offering Pixels and other tracking technology helps the website owner improve its own website and business; however, the technology company also might use the information to direct advertisers (including its own advertising options).  If someone using a particular computer, phone, or other internet-accessing device visits a particular website that is associated with a particular subject matter, type of product, or activity, then the user of that computer is much more likely to be someone interested in related products and services; knowing who those people are is valuable to advertisers.

Let's assume a particular smartphone web browser regularly searches for images and information on deer hunting.  If a business sells deer hunting supplies and puts together game hunts, that business would really want to advertise to whoever is using that smartphone.  On the other hand, a business involved in animal rights and veganism would not want to waste its marketing dollars contacting that smartphone user.

The effect to the customer can be creepy: it looks like the website is spying on me.  And when the subject matter is healthcare, it becomes a question: did the company hosting the tracking technology disclose PHI from the user who was searching the healthcare matter?

Not necessarily; the fact that person X looks up healthcare service Y does not mean that person X has condition Y.  HOWEVER, there is definitely a correlation, and in some cases a direct connection.  

More will come from this.

Anyway, that's the reason these tracking technologies are such a hot-button issue.  


Jeff [7:43 AM]

[ Sunday, March 31, 2024 ]

 

Another "Right of Access" Settlement:  OCR has entered into its 47th settlement with a HIPAA covered entity or business associate accused of failing to grant an individual access to his/her PHI.  As you know, in addition to 5 other rights specifically granted to individuals under HIPAA, except for a few specific types of data, covered entities and business associates must allow individuals to access and get a copy of their PHI, if it's in a designated record set.  A few years ago, OCR started vigorously enforcing this, and it doesn't look like they're going to stop any time soon.  This time, the fine is $35,000, in line with recent right-of-access settlements.

There are a few reasons why a covered entity won't give an individual access to their PHI, but many times it's not a good reason (the covered entity doesn't want to make it easy for a patient to find another provider).  Take this as fair warning -- if the patient asks, give them the data, unless you have a VERY good reason.


Jeff [9:15 AM]

[ Wednesday, March 20, 2024 ]

 

Do Healthcare Organizations Cheap Out on Cybersecurity Spending?  That's the question Modern Healthcare asks (subscription required).  Based on a survey from last year, healthcare is one of the chintziest industries when it comes to spending on cybersecurity.  It kinda shows, doesn't it?


Jeff [11:31 AM]

[ Thursday, March 14, 2024 ]

 

Ransomware Hits Healthcare Harder: If you've been living under a rock, you may not know this, but healthcare is the hardest-hit industry as far as ransomware and cybersecurity issues go.  

Jeff [10:29 AM]

 

HHS steps in: HHS has started its own investigation into the Change hack; expect a record-setting fine.  I'll predict at least $25 million, possibly over $100 million to break the 9-digit barrier.


Jeff [9:23 AM]

[ Monday, March 11, 2024 ]

 

Change Cyberattack: I guess everyone's finally going to learn what a "health care clearinghouse" is. They've always been the "other" entity that's a covered entity under HIPAA.


Jeff [10:10 AM]

[ Tuesday, March 05, 2024 ]

 

HHS Statement on Change Healthcare Cyberattack: In HIPAA-adjacent news, . . .  

Unless you've been buried in a snowbank somewhere, you've probably heard that United Healthcare's technology/service/clearinghouse unit Change Healthcare suffered a cybersecurity incident that has severely affected its timely processing of data and claims.  HHS has issued a statement, outlining that it is in contact with Change and has instructed MACs and other entities to try to assist those whose cash-flow has been adversely affected.

The key take-away from the entire Change fiasco is that the system is now so interconnected that an incident at a single point can nearly destroy the entire system.  This is the proverb, "but for a nail, the kingdom was lost," brought to life.  It comes on the heels of the pandemic, where we saw that implementing efficiencies such as offshoring and just-in-time inventory may save money, but adds a great risk that widespread disruption could be caused by any type of problem.


Jeff [1:16 PM]

[ Monday, February 26, 2024 ]

 

LaFourche Medical Group pays $480,000 to settle ransomware attack affecting 35,000 patients: An emergency and occupational medicine practice in Louisiana was a ransomware victim in 2021, the result of a successful email phishing attack. While it does not appear that the attack involved encryption, it did allow the hacker to access patient information, which gave the attacker the ability to seek a ransom payment for the return of the PHI.

Unsurprisingly, OCR cited lack of risk analysis and lack of sufficient policies and procedures as the basis of the fine.  


Jeff [9:21 AM]

 

[Note: This should have been posted early January -- I just noticed it was still in Draft]

HHS announces data blocking penalties: The information blocking rule (IBR) is part of the 21st Century Cures Act, which itself is sort of a hodge-podge of a law addressing a bunch of different healthcare research and IT related matters.  Of course, the Cures Act itself follows in a long line of healthcare policymaking that is both omnibus in presentation and reactive and/or deductive in focus.

Remember, HIPAA started out as a law intended to force insurance companies to provide coverage to an applicant who had similar insurance in the immediate months prior.  One way to "scam" insurance is to not participate when you are healthy and only buy it when you are sick, which is the practical equivalent of not buying fire insurance until your house is on fire.  If you can do so, you avoid paying into the insurance risk pool when you'd lose money, and only pay in when you'll get more back.  In other words, you're "free-riding" on other insurance purchasers.  

It's understandable that insurers want to prevent free-riders, and one way to do it is by refusing to cover pre-existing conditions.  If you don't buy insurance until you're sick, and then show up at the insurer's door with an expensive illness, the insurer will say, "OK, you're covered, but not for what you already got."  That's fair.  However, what if you didn't game the system, you weren't a free-rider: you had insurance previously, but you just need new insurance because (e.g.) you got a new job.  For the insurance company, it's still a pre-existing condition, but it's not fair to the insured.  Ultimately, for a lot of people, the pre-existing condition hurdle meant they were stuck in their current job and couldn't take a better one.  That's "job-lock."

HIPAA was originally drafted to target job-lock: if you had "creditable" health insurance coverage within the last 6 months, a new insurer can't deny you for a pre-existing condition.  Remember, the first 2 letters of HIPAA don't stand for health information privacy, but for health insurance portability.  It's a great idea that every politician could support.  However, great ideas get other ideas attached to them, ideas that might not pass into law on their own, but would pass if they were attached to a great idea.  

Several new foci got attached to HIPAA's portability provision, some with merit but none universally supported.  First, regulators wanted the healthcare industry to be more efficient.  At that time, healthcare was a laggard in adopting information technology; most healthcare providers used primarily paper records, and a large portion of billing was done on paper (and that done electronically was done using multiple systems with no coherent or consistent programming logic).   The drafters of HIPAA thought that if all electronic transactions in healthcare were standardized, more people would bill and pay electronically, and the system would be more efficient.  Thus, the transactions and code sets (T&CS) rule was adopted.

However, if all that data is going to be digitized and sent electronically, the data would be at much greater risk in electronic format than in paper format (you can't make money trying to steal paper records, and a breach of a physical paper storage room is a lot easier to catch and prevent).  If we're going to encourage electronic data interchange in healthcare, we also need to ramp up data privacy and security practices.  Thus, the privacy and security rules were adopted.

You see, Portability begat T&CS standards, which in turn begat Privacy and Data Security standards.  And you know that the HITECH Act contains a lot of HIPAA updates and revisions, including the data breach reporting standards.

One of the main foci of the HITECH act (remember, the title is "Health Information Technology for Economic and Clinical Health") was the "meaningful use" rule: the encouragement/forcing of healthcare providers to adopt electronic medical records (EMRs); this was actually a follow-on to the genesis of HIPAA's transaction and code sets, as well as the data privacy and security requirements.  While the T&CS rule was intended to entice the industry to become more digital, not enough providers moved in that direction, particularly small health providers.  Many continued their paper ways.  Congress knew that one way to get them to move would be to give them money to do so: if a healthcare provider uses electronic technology in a meaningful way (i.e., becomes a "meaningful user" of it, i.e. adopts an EMR), CMS will pay it money; if it does not, CMS will reduce what it pays for Medicare and Medicaid patients.  

The IBR is intended to address an issue that has come up with regard to EMR companies intentionally designing their systems to be less-than-fully compatible with other EMRs. 



HHS posts penalties

Hospitals, medical groups push back against penalties



Jeff [9:12 AM]

 

Second OCR Ransomware Incident Settlement Announced: OCR has entered into a settlement agreement relating to a ransomware incident, this time a fine of $40,000 for Green Ridge Behavioral Health.

Lack of a Risk Analysis, lack of sufficient security measures, and a failure to monitor system activity were cited as reasons for the fine, which is a pretty common theme for OCR fines.

OCR's press release on the matter included specific actions it expects HIPAA covered entities to take to prevent incidents (and avoid fines if they do happen).  These align with the recommended security practices that Section 405(d) of the Cybersecurity Act considers "mitigating factors" when regulatory action is taken:

"OCR recommends health care providers, health plans, clearinghouses, and business associates that are covered by HIPAA take the following best practices to mitigate or prevent cyber-threats:


Jeff [8:46 AM]

[ Thursday, February 15, 2024 ]

 

Employers can be Blamed for Bad Employees: I don't know of any HIPAA covered entity or legitimate business associate that actively pursues bad data policies.  Hospitals don't intentionally violate their patients' data privacy; physician offices don't operate with the goal of stealing their patient's data and selling it to hackers.  And when hackers do gain access and steal data, they usually encrypt the data and hold it hostage, forcing the HIPAA covered entity or business associate to pay to get the data back.  Thus, the hospitals and physicians and business associates are, in fact, victims of the bad guys.

But even though you're the victim of a bad actor, HIPAA requires covered entities to have taken reasonable steps to keep those bad actors out; failing to do so is a punishable offense.  NYC's Montefiore Medical Center learned that lesson the hard way, to the tune of $4,750,000.  Montefiore first learned about their issue from the police; someone had stolen the identity of one of their patients.  Montefiore's investigation uncovered that one of its employees stole the data of over 12,000 patients and sold it to ID thieves.  Stealing data was not the employee's job; in fact, it was against Montefiore's policies and employee handbook.

So, Montefiore was the victim of a bad employee.  However, the ensuing investigation brought into question whether Montefiore had done enough proactively to discover, deter, and prevent the thefts from occurring in the first place.  

The linked press release is actually a pretty good compendium of OCR guidance and information for entities that are subject to HIPAA to check out whether your security posture is such that you, too, could be a victim of a hacker and also have to pay a big OCR fine.  If you can't produce a hard-copy document of your most recent security risk analysis, and can't show how your organization has adopted "recognized security practices," you are much more likely to be paying OCR someday.

Jeff [3:20 PM]

 

Hospital Cyberattacks Continue to Rise: This should come as a surprise to nobody, but the biggest data risk to pretty much everyone in the healthcare industry is the risk of cyberattacks, particularly ransomware.  I have had several clients who have suffered ransomware attacks.  These always disrupt care to some extent, and fortunately my clients have not suffered any patient care problems, but others have.  However, they all have had to spend extremely large sums to fix the problems, and many have suffered the follow-on effect of the class action lawsuit by patients whose data was involved.

If you aren't focusing on this now, you need to.


Jeff [12:58 PM]

[ Wednesday, January 10, 2024 ]

 

OCR Lies.  I usually have good things to say about OCR.  For the most part, it's full of good people trying to do good things, and the investigators are probably the nicest enforcement people in the entire government: they really want to help healthcare providers get better and often give the benefit of the doubt to healthcare workers who are really trying to do the right thing but don't always get it right.

But whenever the Xavier Becerra hack-machine gets involved, you can count on things going off the rails, and yesterday brought a sterling example.

It is an indisputable fact that good people can disagree on abortion, but it's equally indisputable that people who believe abortion is murder should not be forced to participate in performing abortions.  But it happens, or at least it did prior to a 2019 rule from HHS threatening hospitals with removal of federal funding for forcing objecting employees to participate in abortions or other acts that violate their legitimate religious beliefs. 

Yesterday, HHS, through OCR, rescinded that rule.  I guess you could quibble that the rule might have given employees too much leeway to refuse to do legitimate work that shouldn't be objectionable, or that full removal of federal funding was too big a penalty, and a $100,000 or $1 million fine would do the trick.  But rescinding it entirely?

And even worse, bragging that REMOVING those conscience protections is actually INCREASING them?  Here's the header of OCR's press release:


And here's the headline and lede of an article in The Hill, which is certainly left-leaning:





Jeff [9:26 AM]

[ Monday, January 08, 2024 ]

 

 New Jersey medical practice Optum Medical Care has settled an OCR investigation regarding Optum's failure to grant patient access to medical records, agreeing to pay $160,000.  


Jeff [12:20 AM]

[ Thursday, December 28, 2023 ]

 

 ESO, CVC, HEC Disclose Data Breach: ESO, a healthcare software company serving hospitals, EMS entities, and governmental agencies, announced a ransomware-triggered data breach affecting 2.7 million individuals.  

Cardiovascular Consultants of Arizona also announced that it suffered a cyberattack that affected almost half a million patients.

Finally, New Jersey based population health management company HealthEC also announced a cybersecurity incident affecting 112,000 individuals.

All of these are offering credit monitoring to affected individuals.  


Jeff [8:42 AM]

[ Tuesday, December 12, 2023 ]

 

Norton Healthcare Hack Exposes Data of 2.5 Million Patients.  The hackers accessed some of the Louisville hospital system's data storage, but not the EMR or MyChart.


Jeff [7:52 AM]

[ Monday, December 11, 2023 ]

 

US health officials call for surge in funding and support for hospitals in wake of cyberattacks that diverted ambulances.  Of course, some of the "funding and support" is imposing stricter fines for providers who have lax cybersecurity.

Some amount of cybercrime is inevitable.  However, there still is a shocking lack of cybersecurity among healthcare providers.  Patching (regularly applying software patches when they are issued by the software providers), good data backups, network segmentation (keeping secure parts of your network -- which don't need internet connections -- separated from the parts of the network that do need internet connections), and phishing training can eliminate the vast majority of cybersecurity incidents.  If you're not doing that, you probably deserve stricter fines.


Jeff [10:04 AM]

[ Tuesday, November 21, 2023 ]

 

St. Joseph's Medical Center Settlement: During the height of Covid, St. Joseph Medical Center allowed a reporter and photojournalist access to its operations as part of a story about hospital overcrowding and St. Joseph's response to swelling numbers of Covid patients.  Some pictures of patients apparently made it into the newspaper, and according to OCR, some information about St. Joseph's patients.  OCR has now entered into a settlement agreement with St. Joseph's regarding the incident.

St. Joseph has admitted no liability in making the settlement.

The settlement involves an $80,000 fine, a review and possible revision of St. Joseph's HIPAA policies (to be reviewed by OCR), and a 2-year oversight plan by OCR.  That's not a big penalty; I'd be extremely surprised if St. Joseph spent less than $80,000 on attorney's fees in conducting its own investigation and response, much less what it might've spent on other consultants to address the investigation.  All HIPAA covered entities should be reviewing their policies and procedures regularly, and most would love to have OCR review them and give their blessing or offer tips for useful revisions.  The 2-year monitoring could be a bit of a pain, but it's shorter than the usual 3-year plan seen in most settlements.

At this point, I have not seen a response from St. Joseph's, nor have I seen copies of the AP story that made the press, but I suspect that there is a legitimate question about whether PHI was actually disclosed in the article.  I suspect the photos do not show patient faces, and any individual information was nearly if not entirely de-identified.  However, it is entirely possible that the reporter was exposed to at least a minimal amount of PHI when he/she was allowed access to non-public areas where patients were gathered, and likely that the hospital didn't get consent from all of those patients before allowing the access.  Still, that's pretty thin gruel.

However, the case is another reminder of the risks a health care entity takes when dealing with the press.  While St. Joseph's probably saw the reporter's request for access and information as an opportunity to tell their story and put on a good face, covered entities must be extremely careful about what information gets out.  


Jeff [8:51 AM]

[ Wednesday, November 15, 2023 ]

 

Perry Johnson & Associates, a medical transcription service, has apparently suffered a data breach involving a hacker gaining access to its computer systems.  Not much is known at this point, but I'll update you as more information comes in.


Jeff [8:24 AM]

[ Friday, November 03, 2023 ]

 

AHA sues HHS to stop OCR guidance on web trackers.  This is super-inside-baseball HIPAA stuff, folks.  And it has a chance of taking hold.

Here's the background: many websites use some type of technology to track user behavior on the website.  There are tons of legitimate reasons why you would want to do this: If every visitor to one part of your website clicks the same link, or otherwise acts in a non-random way, you want to know it.  For example, let's say you offer weight loss services and have a page with many different choices (exercise programs, diet counseling, Ozempic, psychedelics, etc.), and you have an equal number of staffers working to provide each choice.  But you find out from tracking technology that 90% of your visitors all go to the Ozempic page, but nobody ever clicks on exercise.  If you're running your business responsibly, you'll switch the exercise employees over to the Ozempic team.  But you might never know that website visitors are behaving that way without a tracker.

One of the ways trackers work is by tying the visitor's choices to the particular visitor, usually by the specific signature of the user's computer or other device that connected to the website (for example, the user's cell phone or iPad).  The company that provides the tracking technology uses the information it gathers to fine-tune its algorithms for its healthcare provider customer, but also uses the information for other purposes, such as the marketing services it sells to other customers. 

Here's the problem: the device ID isn't necessarily the person who owns it (multiple people could have access to and use the same iPad), and the behavior of the person doesn't necessarily tell you anything specific about the person (I could be looking at information about a particular disease not because I have it, but because I know someone who does and I'm curious).  However, it's still a pretty good proxy.  If I go to a weight-loss website, I'm probably looking to lose weight; if I go to a diabetes website, the odds are pretty good that I'm a diabetic.  And if my computer goes to the website, it's probably because it's me that's operating it.  Thus, you can deduce, not with certainty but with some high level of likelihood, that if my cell phone accesses a website for X disease, I have that disease.  HOWEVER, is data that's simply indicative of health status PHI?  How tight does the connection need to be?

And therein lies the problem -- the information derived from the tracking technology COULD be PHI, and letting the technology company have access to that information would make the vendor a business associate.  The vendors don't want to be restricted in how they use that data.

OCR has declared (in a December 2022 bulletin) that providers that use tracking technology must have BAAs with those vendors, but those vendors won't sign BAAs.  The end result is that big hospital systems are prevented from using a technology that can streamline their processes, save them money, and allow them to better serve their patients.  Hence the AHA's actions.
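As an added example (not code from this blog, from OCR, or from any tracking vendor), here is a small Python audit a hospital's privacy team could run over its own site's outbound requests to spot the combination described above: a page path that indicates a condition, plus a device or client identifier, sent to a third-party host. The host name, the sensitive-path list, the parameter and cookie names, and the sample requests are all constructed assumptions.

```python
from urllib.parse import urlparse, parse_qs

# Assumption: the covered entity's own web host (constructed for the example).
FIRST_PARTY = "www.example-hospital.org"

# URL path prefixes that by themselves suggest a condition or care being sought.
# Constructed list; a real audit would derive it from the site's own page inventory.
SENSITIVE_PATHS = ("/diabetes/", "/weight-loss/", "/oncology/", "/appointments/")

# Query-string or cookie names that tie a request to a device or person
# (the vendor's "device signature").  Constructed; vendor-specific in practice.
IDENTIFIER_KEYS = {"cid", "client_id", "device_id", "uid", "email"}

# Query parameters trackers commonly use to echo the visited page URL to the vendor.
PAGE_URL_PARAMS = ("dl", "url", "u", "page")


def classify_beacon(beacon):
    """Explain why one outbound request may disclose PHI to a third party.

    beacon is a dict with "url" (request URL), "referrer" (page that issued it)
    and "cookies" (name -> value sent with it).  Returns the findings plus an
    overall "risk" of "ok", "review" or "potential PHI".
    """
    dest = urlparse(beacon["url"])
    third_party = dest.hostname is not None and dest.hostname != FIRST_PARTY

    # The page the visitor was on can reach the vendor two ways: the Referer
    # header, and a query parameter the tracker fills in with the page URL.
    query = parse_qs(dest.query)
    page_paths = [urlparse(beacon.get("referrer", "")).path]
    for key in PAGE_URL_PARAMS:
        page_paths.extend(urlparse(v).path for v in query.get(key, []))
    sensitive_page = any(p.startswith(s) for p in page_paths for s in SENSITIVE_PATHS)

    # Identifiers that link the page visit to a specific device or person.
    identifiers = sorted((set(query) | set(beacon.get("cookies", {}))) & IDENTIFIER_KEYS)

    if third_party and sensitive_page and identifiers:
        risk = "potential PHI"   # condition-indicating page + identifier, sent to a vendor
    elif third_party and (sensitive_page or identifiers):
        risk = "review"          # only one element present; needs a human look
    else:
        risk = "ok"              # first-party only, or nothing identifying or sensitive

    return {"url": beacon["url"], "third_party": third_party,
            "sensitive_page": sensitive_page, "identifiers": identifiers, "risk": risk}


def audit(beacons):
    """Return the classifications that need attention, highest risk first."""
    order = {"potential PHI": 0, "review": 1}
    findings = [classify_beacon(b) for b in beacons]
    return sorted((f for f in findings if f["risk"] != "ok"), key=lambda f: order[f["risk"]])


# Constructed sample requests, modelled on what a browser's network log shows.
SAMPLE_BEACONS = [
    {   # analytics vendor receives the diabetes page URL plus a client id
        "url": "https://collect.example-analytics.com/collect?v=1&cid=555.123"
               "&dl=https%3A%2F%2Fwww.example-hospital.org%2Fdiabetes%2Finsulin-pumps",
        "referrer": "https://www.example-hospital.org/diabetes/insulin-pumps",
        "cookies": {"cid": "555.123"},
    },
    {   # same data, but sent to the hospital's own server: no third-party disclosure
        "url": "https://www.example-hospital.org/api/metrics?cid=555.123",
        "referrer": "https://www.example-hospital.org/diabetes/insulin-pumps",
        "cookies": {"cid": "555.123"},
    },
    {   # third-party font file: no identifier, non-sensitive page
        "url": "https://fonts.example-cdn.net/opensans.woff2",
        "referrer": "https://www.example-hospital.org/visiting-hours",
        "cookies": {},
    },
    {   # ad pixel with a user id, from a page that reveals nothing about health
        "url": "https://px.example-ads.net/p?uid=abc123",
        "referrer": "https://www.example-hospital.org/about-us",
        "cookies": {},
    },
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_BEACONS):
        print(finding["risk"], finding["url"], finding["identifiers"])
```

A Referrer-Policy that strips the path will hide the first signal but not the second, which is why the audit checks the query string as well as the referrer.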

This will be interesting.  

(11/3/23)

UPDATE 11/9/23: Interesting press release from AHA and other hospital associations relating to its suit against HHS relating to web trackers.  According to Bloomberg Law (subscription may be required), HHS uses the same tracking technology on its websites that HHS guidance warns hospitals about as being potentially violative of HIPAA.  Interestingly, I also learned in that article that hundreds of class-action lawsuits have already been filed against hospitals for using the technology in violation of HIPAA.

This isn't the end of the story, of course: HHS isn't a HIPAA-covered entity (although Medicare and Medicaid are), and people searching the HHS website usually aren't looking for specific medical conditions or providing the same type of information as a visitor to a hospital site might.  However, from a general privacy standpoint, it's an interesting point of hypocrisy.  


Jeff [9:40 AM]

[ Wednesday, November 01, 2023 ]

 

OCR Fines Ransomware Victim due to HIPAA breaches: Doctors' Management Services (DMS), a management company that serves as a business associate of covered entity physician practices, has been fined $100,000 by OCR for failure to do a sufficient Security Risk Analysis (SRA), lack of policies and procedures, and failure to monitor system activity (all the usual suspects).

DMS was itself a victim: a criminal hacker caused the incident.  But DMS still got hit with a big fine because they didn't take the steps needed to avoid being a victim in the first place.

Some covered entities that are ransomware victims get fined, and others don't.  Both groups suffer from the incident, but the second group (ones with good SRAs, policies and procedures, and monitoring) is much less likely to get fined.  Just ask me -- I have personal experience with this!

UPDATE: Thanks to Theresa Defino at Report on Patient Privacy, DMS has had a chance to tell their side of the story.  As I noted in my original post, DMS was a victim here.  I noted that "they didn't take the steps," based on OCR's press release.  Now, I'm thinking maybe OCR overreacted, but I haven't actually talked to DMS.

The point here, though, is that OCR's stated list of wrongdoing is the same list that's applicable to almost every other case involving a fine (other than the access cases).  You want to be able to prove that you have done your SRA, have good policies that you follow, and monitor your system activity.


Jeff [4:03 PM]

 

HHS proposed penalties for information blocking: In addition to stated penalties that can be up to $1,000,000, HHS is proposing that health systems engaging in information blocking (prohibited by the 21st Century Cures Act) be additionally punished by losing "meaningful use" funds, MIPS payments, the ability to share in MSSP payments pursuant to an ACO.  

More here and here.

Jeff [3:43 PM]

 

Did you know HHS has a YouTube channel?  Here's a recent posting explaining how your HIPAA Security Rule compliance activities will also help you avoid a cyberattack.

Obviously, if you've read anything on this site, you know that failure to do a Security Risk Analysis (which is specifically required by the Security Rule) is the number one thing that OCR cites when issuing fines. This makes sense, because (i) it's the number one thing that will help prevent you suffering a breach or other incident, (ii) a breach/incident is usually the thing that leads to an OCR investigation, and (iii) an investigation that shows failure to do a SRA will often end up with a fine and a compliance agreement.  

Just as importantly, a cyberattack can ruin your business, and it's never good for your patients.  Best to take the appropriate steps to avoid them.  


Jeff [3:35 PM]

[ Sunday, October 29, 2023 ]

 

Cybersecurity Toolkit for Healthcare: HHS and the Cybersecurity and Infrastructure Security Agency (CISA) have joined forces to publish a toolkit to assist the healthcare industry in working with governmental agencies to "close gaps in resources and cyber capabilities."  The toolkit is here; I haven't reviewed it, but it promises to "contain remedies for health care organizations of all sizes."  


Jeff [4:04 PM]

 

Spooky: OCR is hosting a Halloween webinar on the HIPAA Security Rule's risk analysis requirement.   At 3:00 Eastern time (the invite says EST, but I think it's EDT) on Tuesday, October 31, an OCR panel will discuss how to conduct a risk analysis.  Trust me, you want to be doing what OCR thinks you should be doing; it makes it so much less painful to explain how the breach you suffered wasn't your fault.  And there's no better way to find out what OCR thinks you should be doing than listening to them explain what you should be doing.

You can register for the webinar here: Webinar Registration - Zoom


Jeff [3:10 PM]

 

 Ransomware: the Biggest Threat.  According to research by NCC Group, ransomware attacks were up dramatically in September 2023, both from the preceding year (153%) and, within the healthcare sector, from the preceding month (89%).  It's relatively easy to do, and many victims have no option but to pay.

Patching, MFA, and training can prevent ransomware attacks, and good backups can make the ones that get through a lot less painful.  Those are all easy things to do. . . .


Jeff [3:02 PM]

[ Tuesday, September 12, 2023 ]

 

LA Care Breach and Incident net $1.3M fine: Yesterday, HHS announced a settlement with LA Care, the public health plan run by Los Angeles County, relating to two prior incidents: A 2019 data breach involving 1500 patients whose membership cards were sent to the wrong member, and a 2013 incident involving about 500 people whose information was loaded onto a different patient's page on LA Care's online patient portal.  

Hmm.  Nothingburger breaches, both of them.  The only data exposed was demographic, the provider is a comprehensive service provider so the fact the individual received care from LA Care isn't particularly sensitive (contra: it shows that the individual is likely poor; but the recipient is also poor, so still a minor problem), the numbers exposed were small, and the actual problem (misdirected mail or computer data sorting) is pretty common.  So why the big fine?

It's a tale as old as time, or at least as old as HIPAA investigations: it's not the incident that brings the heat, it's what the investigation exposes: LA Care didn't have sufficient data security, certainly not for an organization of its size.  Lack of risk analyses and lack of safeguards were the underlying cause of the 2 minor breaches, and those problems are big enough to warrant an eye-opening fine.

Jeff [9:16 AM]

[ Monday, September 04, 2023 ]

 

 iHealth/Advantum settles HIPAA FTP server breach for $75,000.  I was going through some old emails and came across a HIPAA settlement that I don't think I mentioned earlier.  And it's not an access settlement.  It involves a business associate and an unsecured storage server (likely an FTP server).  Interestingly, the breach was not a "wall of shame" breach.


Jeff [12:51 PM]
