[ Monday, January 16, 2017 ]
New Year, Recurring Tasks:
Jeff [3:22 PM]
It's a new year, so that should get you thinking about two things: reporting any "small" breaches of unsecured PHI that occurred during 2016 (you have until the end of February to do so, using the HHS on-line reporting tool
) and planning your next HIPAA risk assessment. You do that annually, don't you? Of course you do, maybe not at the beginning of the year, but now's a good time to start planning it.
While you're mapping out your risk analysis and getting your ducks in a row, you might want to consider a slightly larger scope to your risk assessment: don't just look for PHI issues, but look for all data concerns. In that regard, you might want to consider using both the OCR tools as well as the NIST tools. In fact, here's a good article
making that exact point.
[ Wednesday, January 11, 2017 ]
OCR Announces First Fine for Failing to Provide Timely Notice:
Jeff [6:10 PM]
As you know, HIPAA requires Covered Entities to notify affected individuals if there is a breach of their unsecured PHI. Specifically, 45 CFR 165.404(b) requires each affected individual to be notified of the breach "without unreasonable delay and in no case later than 60 calendar days after discovery of a breach."
Presence Health, an integrated healthcare provider in Illinois, discovered that paper surgery scheduling records had gone missing; the surgery schedules contained PHI of 836 individual patients. The records were noted to be missing on October 22, 2013. However, notice was not provided to OCR until January 31, 2014 (101 days after the breach was discovered), and individual patients weren't notified until February 3 (104 days after discovery), and the media was not notified until February 5 (106 days after discovery). Obviously, this caused Presence to miss the "in no case later than 60 days" notification requirement. Presence blamed the tardiness on miscommunication between workforce members.
OCR noted that each of these tardy reminders is a separate HIPAA violation, and each day beyond the regulatory deadline is a separate violation
. That's at least 131 violations, perhaps more if you count each individual who didn't get a notification as a separate violation. That's a potential maximum penalty of almost $200 million. Fortunately, OCR only fined Presence $475,000.
This should be a reminder to covered entities that they are not just obligated to provide notice, they are obligated to provide timely
notice. But what does that mean, really?
Let's unpack a few things from the requirement. First, you have the question of whether a particular incident is a breach; next, when is it discovered; and finally, who should be reporting it (and how does that impact the question of when it is discovered). Be aware that the incident is "discovered" for the entity when it's known to a workforce member of the entity or the entity's "agent."
A reportable breach is an unauthorized access, acquisition, use or disclosure of unsecured PHI; however, the definition of breach gives 3 specific exceptions and one general exception (the "low risk of compromise" exception). That's a whole other blog post, but suffice it to say, you often won't know right off the bat whether you have a "breach" or something that might, upon further investigation, prove to be either a breach or a non-breach. So, given that, when does the clock start?
I'd say it depends on the incident. If it's clear that the incident will meet the definition of a breach when the investigation is over, then it's a breach. If an employee's car is burgled and a laptop containing unencrypted PHI was stolen, you should consider that the covered entity "discovered" the "breach" when the employee discovered the burglary. On the other hand, suppose you discover a security incident where the IT department discovers some malware that is capable of exporting data, including PHI. However, you don't have any reason to believe that data has been exported yet. It takes the IT department (and maybe a forensic vendor) a week to determine that yes, in fact, PHI was exported. I would argue that the "breach" is "discovered" when the exfiltration is found. However, keep in mind that the presumption goes to the breach, so (i) your confidence must be very high that the incident will not turn out to be a breach and (ii) your investigation must be swift and thorough.
And, it's useful to point out here that if the IT department discovers the exfiltration, that's the discovery point (because the IT department is full of "workforce members" of the entity; if it's a vendor that discovers it, but the vendor doesn't notify the entity for a few days, the discovery point will be when the vendor discovers if the vendor is considered the "agent" of the entity under federal common law, but will be the date the vendor notifies the entity if the vendor is not its"agent."
That should raise a question in your mind regarding business associates. As noted above, the reporting obligation falls on covered entities (CEs), and specifically does not fall on business associates (BAs). However, what if the breach is caused by the BA, or more importantly, what if the BA is the one to discover the breach? If the BA causes the breach, your BAA should handle how the BA notifies the CE. (NOTE: if your BAA allows the BA 60 days to notify you, how will you be able to meet the 60-day requirement?
) If the BA discovers the breach, your BAA should also require the BA to notify the CE. If the BA is an "agent" of the CE, then the CE is imputed to have discovered the breach at the exact time the BA discovered it; if the BA is not considered an agent, then the CE will have "discovered" the breach when the BA informed it, and that's when the clock starts ticking.
This can cause obvious problems. If the BA takes 3 months to discover the breach and another 3 months investigating it, AND the BA is your agent, then you better be prepared to throw yourself on the mercy of OCR (whatever that is). And if the BA notifies you that it has determined there was a breach but doesn't know yet whether your patients are involved, you have some issues to consider; if you think all your patients are likely involved, you should consider a preemptive notice to them. If the BA gives you the names of 100 affected individuals this week and 100 more next week, consider sending notice in waves. If your BA blows it, it could definitely be you that gets stuck with a monster fine.
This is why your BAAs should be specific on your BA's breach reporting requirements and should pass along the consequences for failure to investigate or notify to the bad-acting BA (i.e., indemnification). And why you need to be comfortable that your BA isn't an idiot.
[ Wednesday, January 04, 2017 ]
Jeff [3:12 PM]
[ Monday, December 26, 2016 ]
Jeff [12:53 PM]
Section 1557 of the ACA: Notice of Non-Discrimination. I'm going through old emails, and had kept this one, knowing I should make a blog post on it. This goes on the list of things too many HIPAA covered entities fail to do (like good risk analyses, policies and procedures, etc.).
This is actually old news, but part of the ACA requires all HIPAA covered entities to notify patients (providers), beneficiaries (health plans), and the general public (everyone) that they don't discriminate. This specifically requires every covered entity to post a notice that it does not discriminate, in 15 languages. That's right, 15 languages. In the overall US, those are Spanish, Chinese, Vietnamese, Korean, Tagalog, Russian, Arabic, French Creole, French, Portuguese, Polish, Japanese, Italian, German, and Persian (Farsi). BUT, that's not the list; you have to translate into hte 15 most common languages IN YOUR OWN STATE! Here's a little help for you, courtesy of the AOA. The AOA webpage also provides a template for filing in a tagline poster, as well as a few states that have already done theirs. If you've done your own poster, consider sharing it with the AOA.
The good news is that HHS has provided the form of notice for you. The bad news is that they are ridiculously disorganized. If you haven't already done so, go here, and print out all of the notices of nondiscrimination and statements of nondiscrimination, in each language, and stuff them in a drawer somewhere in case someone asks. Than print out this language, and post it somewhere. But you also have to put up a poster. Some companies offer to sell posters for you; I can't say whether they are right or not.
This is of a piece with so much dumb stuff HHS does. How relevant is this, really? Doing a risk analysis is important; how important is it to put up a poster in languages nobody speaks? I'm guessing that for the vast majority of covered entities, there will NEVER be a person who sees that poster that speaks at least 12 of those languages.
This is stupidity. This is make-work. This is pure virtue-signalling. This, in and of itself, is reason for repealing the entirety of the Affordable Care Act.
I rest my case.
The text of the regulation:
§92.8 Notice requirement.
(a) Each covered entity shall take appropriate initial and continuing steps to notify beneficiaries, enrollees, applicants, and members of the public of the following:
(1) The covered entity does not discriminate on the basis of race, color, national origin, sex, age, or disability in its health programs and activities;
(2) The covered entity provides appropriate auxiliary aids and services, including qualified interpreters for individuals with disabilities and information in alternate formats, free of charge and in a timely manner, when such aids and services are necessary to ensure an equal opportunity to participate to individuals with disabilities;
(3) The covered entity provides language assistance services, including translated documents and oral interpretation, free of charge and in a timely manner, when such services are necessary to provide meaningful access to individuals with limited English proficiency;
(4) How to obtain the aids and services in paragraphs (a)(2) and (3) of this section;
(5) An identification of, and contact information for, the responsible employee designated pursuant to §92.7(a), if applicable;
(6) The availability of the grievance procedure and how to file a grievance, pursuant to §92.7(b), if applicable; and
(7) How to file a discrimination complaint with OCR in the Department.
(b) Within 90 days of the effective date of this part, each covered entity shall:
(1) As described in paragraph (f)(1) of this section, post a notice that conveys the information in paragraphs (a)(1) through (7) of this section; and
(2) As described in paragraph (g)(1) of this section, if applicable, post a nondiscrimination statement that conveys the information in paragraph (a)(1) of this section.
(c) For use by covered entities, the Director shall make available, electronically and in any other manner that the Director determines appropriate, the content of a sample notice that conveys the information in paragraphs (a)(1) through (7) of this section, and the content of a sample nondiscrimination statement that conveys the information in paragraph (a)(1) of this section, in English and in the languages triggered by the obligation in paragraph (d)(1) of this section.
(d) Within 90 days of the effective date of this part, each covered entity shall:
(1) As described in paragraph (f)(1) of this section, post taglines in at least the top 15 languages spoken by individuals with limited English proficiency of the relevant State or States; and
(2) As described in paragraph (g)(2) of this section, if applicable, post taglines in at least the top two languages spoken by individuals with limited English proficiency of the relevant State or States.
(e) For use by covered entities, the Director shall make available, electronically and in any other manner that the Director determines appropriate, taglines in the languages triggered by the obligation in paragraph (d)(1) of this section.
(f)(1) Each covered entity shall post the notice required by paragraph (a) of this section and the taglines required by paragraph (d)(1) of this section in a conspicuously-visible font size:
(i) In significant publications and significant communications targeted to beneficiaries, enrollees, applicants, and members of the public, except for significant publications and significant communications that are small-sized, such as postcards and tri-fold brochures;
(ii) In conspicuous physical locations where the entity interacts with the public; and
(iii) In a conspicuous location on the covered entity's Web site accessible from the home page of the covered entity's Web site.
(2) A covered entity may also post the notice and taglines in additional publications and communications.
(g) Each covered entity shall post, in a conspicuously-visible font size, in significant publications and significant communications that are small-sized, such as postcards and tri-fold brochures:
(1) The nondiscrimination statement required by paragraph (b)(2) of this section; and
(2) The taglines required by paragraph (d)(2) of this section.
(h) A covered entity may combine the content of the notice required in paragraph (a) of this section with the content of other notices if the combined notice clearly informs individuals of their civil rights under Section 1557 and this part.
[ Thursday, December 22, 2016 ]
Community Health Plan of Washington Breach:
Jeff [10:46 AM]
Not much information here, but what appears to be a Medicaid managed care plan suffered some sort of data breach
that potentially exposed information about approximately 400,000 people.
UPDATE: Here's a little more information, via Justin Shafer (@JShafer817 on Twitter
)*. Although you never know with Justin, I suspect he might have found an unprotected FTP server with CHPW's patient data on it. That could be what got the entity to investigate, and to provide the breach notice.
[ Monday, December 12, 2016 ]
New Guidance from OCR:
Jeff [2:20 PM]
Last week the Office for Civil Rights issued some additional guidance
on disclosures that are permitted under HIPAA for "public health activities." Covered entities don't need patient authorization to use and disclose PHI for public health activities such as reporting communicable diseases or tracking adverse events relating to FDA-approved drugs and devices. The CDC's blog is here
, and there's more here from IAPP
[ Monday, December 05, 2016 ]
Glendale (CA) Adventist snooping case:
Jeff [12:37 PM]
A per diem nurse apparently went snooping
in 528 patient files.
[ Thursday, December 01, 2016 ]
Jeff [10:45 AM]
You might've heard of this earlier, but someone is using OCR's Phase II audits as a pretext for sending what OCR is calling "a phishing email.
" I haven't seen an actual email (if someone has one, send it my way), but I'm not sure it's exactly phishing so much as spam.
Apparently the email says you may be included in OCR's HIPAA Privacy, Security, and Breach Rules Audit Program, but the link takes you to a cybersecurity company's website, where they apparently hawk their cybersecurity wares (maybe they do phish testing?).
Hat tip to Ron Holstford of Central Alabama Radiation Oncology for giving me the first heads up on this. And sorry I've been so blogless these days -- it's been an insanely busy year, which is good.
[ Tuesday, November 29, 2016 ]
Jeff [4:28 PM]
[ Thursday, November 17, 2016 ]
California data breach notification law undergoes changes:
Jeff [3:45 PM]
I don't think this is ultimately as big a deal as I initially thought, but Governor Jerry Brown has signed into law a revision to the California data breach notification law
, requiring notification where encrypted data is part of the breach. Under existing law, if the data is encrypted, no breach notification is required. Under the new law, if the data is encrypted and lost, and the encryption key is believed to be acquired as well,
then reporting is required. That makes sense, and I would have thought that it would have been the case prior to the law change. I would have certainly advised California clients to report a breach of encrypted data if the encryption key was compromised as well. Presumably, if encrypted data is lost but the encryption key remains in safe hands, then no notification is required.
[ Monday, November 14, 2016 ]
Idaho State University
Jeff [10:16 AM]
: Update: My apologies, this appeared in a newsfeed of mine last week, and while I was surprised I hadn't seen it otherwise, I figured out I might have missed it. Turns out it's not current news, and I did, in fact, report on it back in 2013
when it happened.
Thanks to Dissent Doe for pointing that out.
Today's earlier post: A contractor failed to reactivate a firewall
after doing some work on a server, potentially exposing PHI of 17,000 patients. ISU apparently had a BAA with the contractor, but the OCR investigation determined that they hadn't done a risk assessment recently enough. Fine? $400,000. I'm guessing the contractor paid it (probably out of insurance), but that detail is harder to find. More here
[ Wednesday, November 09, 2016 ]
Jeff [1:23 PM]
A friend emailed from Florida asking what I thought about the election. Here's my hot take.
Surprised but not surprised. Do you read Scott
Adams? He writes the Dilbert cartoon. He’s been saying all along that Trump would
win just because Trump is a master of persuasion. Read his post from yesterday on confirmation
bias and you’ll see what he’s up to. If
you have time, it would be very interesting to go back and read what he wrote back
at the beginning. I said early that there’s no way Trump can win. I knew he’d have popularity as a protest
vote, an “I’m mad as hell and I’m not going to take it anymore” vote. People in early primaries would vent their
spleens and he’d poll well, drawing a couple second place finishes as the herd
got thinned. Then folks would get
serious, realize that burning down the house is not the way to get rid of the
cockroach infestation, no matter how bad it might be. He’d start losing, make a noisy exit, and
build on the free publicity for his next reality TV show. But as it progressed, and he stayed in, and
kept winning, and took the lead, I threw my hands up and said whatever I’ve
thought all along has been wrong all along: I know in my brain that it’s
impossible for Trump to win, so he’s going to win. I can’t explain it; nobody can; it’s like the
EM Drive: it violates the laws of physics, but it’s real and it works.
I kept that as my mantra from the latter
parts of the primary season throughout the entire election season until about a
week ago, when I finally faced reality and said there’s no way. I can’t deny the ultimate truth: despite
being the worst, most crooked, lamest, least likeable presidential candidate in
history (Nixon and LBJ may have been a little less likeable, but she leads so
far in all other categories that she’s cumulatively way out in front of them),
Hillary was still going to beat the least prepared, most ridiculous candidate on
a non-fringe party ticket in at least my lifetime. Ultimately, the Democrat machine would beat the
MAGA crowd: the Philly transit strike was ended, mail-in ballots in Colorado and
Nevada were stacking up in some of the greatest voter fraud efforts ever, and
the press was relentlessly encouraging the flyover rubes to stay home in
droves. It was gonna be relatively
close, but the Never-Trumpers would outweigh the hold-your-nose, vote-for-the-orangutan-its-important
voters, and Hillary and all her baggage would end up in the White House, where
she could use the levers of government to prevent her criminal enterprises from
taking her down. There would be an
exceedingly strong push to impeach her, and the House might eventually even do
so, but the Senate Dems, having already sold their souls, would have no problem
finding that being caught red-handed committing a felony (not just a felony,
but a felony involving the loss of State Secrets, death of diplomats and HumInt
assets, and the sale of government favors to Arab dictators) isn’t enough to
impeach, as long as the target is someone on your team.
Maybe I needed to return to my certainty
for it to happen; maybe, like Charley Brown and the football, it’s only once I
truly believe my eyes that I get to learn that I was wrong again. But sure enough, as soon as I stopped
believing Trump would actually win despite the facts in front of my face, he
won despite the facts in front of my face.
If Trump had lost, the next candidate would
be much worse than Trump. Keep in mind
how we got here. In response to
government overreach (specifically the Stimulus Bill, doubled-down on by
Obamacare) the Tea Party rose as an absolutely true grass-roots political
movement. No leader, no spokesman, no
organizer. It was respectful and polite,
up after its
rallies, and it gave voice to a lot of people who really (and legitimately,
and rightly) felt that government was not only not listening to them, but was
actively and arrogantly going in the opposite direction. And what was the response to the Tea Party? They were vilified as racists and fascists,
not only by the Democrats and the press (he said, repeating himself), but by
the Republican establishment (GOPe) itself.
And despite the Tea Party delivering huge Republican victories in 2010
and 2012, the GOPe marginalized them and worked against them, continuing to
work for larger government (or at least not fighting against it, such as by
passing continuing resolutions that continued the growth of the State). The Democrats in particular, but also the mainstream
media, the entertainment industry, even the GOPe, dismissed them as
ignorant fly-over rubes. Being
resented by your superiors is one thing, but being resented by those you
consider incompetent, being told that you and all your friends are racists and
fascists, at some point you fight back.
The Tea Party was the polite, “ahem, excuse me” movement; Trump is the “hey,
I’m talking here!” movement. Unless the
political class took the moment to acknowledge the gulf and actively reach out
to the disaffected, the next movement would have been a punch. And there is NO WAY IN HELL that they were
going to reach out. The smug, arrogant,
narcissism on the Left would not have been conciliatory, but would’ve been as
condescending as ever (they’d have to be, that’s the only way you can defend
against the absolute truth that Hillary is a felon and if you’re a Clinton or
Obama, the laws are for the little people), and the third wave would have been
a bad tsunami for our country. If you
think Obama’s “I won” attitude was off-putting, wait until you get to hear it
from someone with much less charm than Obama, like Hillary.
Our betters in the Democratic party,
academia, the media, and the entertainment industry should learn a lesson from
this, but they won’t. They are entirely bought into their perception that the
only way you could be opposed to Hillary is if you are a racist or sexist (or
both). Here’s the Slate homepage on the
day after the election:
If you voted for Trump, you are a white
supremacist, misogynist, anti-democratic, anti-gay, anti-semitic hater. That’s just one page. Do you think the people who voted for Trump,
faced with this attack/accusation, will look deep into their souls, and look at
their Trump-voting peers, acknowledge their guilt and change their ways? Or will they say, “no, I’m not, and I know I’m
not, and I know my friends aren’t, . . . ” and no longer listen to said
Democrats, academia, media, and press? My
youngest looked at the front page of today’s paper and said, “We should keep
this, it’s a historic day and this might be valuable in the future.” I agreed, not so much because of Trump, but because
it might be the signal of the end of newspapers themselves: the press’
self-beclowning becomes suicide. This is
a shameful day for the media, although obviously they (at least those at Slate)
don’t see it this way. Unless they
figure that out, and figure out why they don’t know the country they think they
have the pulse of, they will be done.
They have no factual authority any more, and they have squandered their
moral authority, and there are too many other ways/places to get
information. You can only tell your
target audience that they are stupid, racist, fascists rubes for so long before
they go away. . . .
Ever heard of the Gell-Mann
Amnesia effect? Once you begin to realize
that the media is lying about you, you begin to realize that the rest of what
it’s saying may be lies as well. Less
power to the media.
So, Trump-administration-wise, what do I
think will happen? Ultimately, I don’t
think it will be too bad. First, unlike
Hillary, if Trump tries to do something stupid, the Republicans in Congress
will stop him. Keep in mind, he’s not
a Republican; he contributed to Hillary’s campaign against Obama in 2008,
and has always aligned with Democrat (statist) policies until he decided to run
for President. He does not have that
many genuine Republican ideas (enforcing existing immigration laws is not the
same thing as building a wall), and his trade policies are closer to Bernie
Sanders than Ted Cruz. But if he goes too
far, the Republicans in Congress will keep him in check. That would not have been true of the
Democrats; like they did in 2009, they would have taken legislation to the last
inch they could get, and would support any bad idea Clinton came up with (hey, they
might get the Vince Foster treatment if they didn’t; you don’t want a naked
Rahm Emanuel coming after you). That
actually was sufficient reason to hold your nose and vote for Trump, especially
if the Democrats were going to win the Senate.
As I noted on Twitter a few days
Secondly, Trump has not expressed much in
the way of policy specifics. There’s too
much out there to bite off all at once, or perhaps even at all, for one iconoclast. I suspect whatever policies he does come up
with won’t be bold or far-reaching.
Sure, he said he’ll Build The Wall, but Obama said he’d close
Gitmo. How’d that work out? And Obama really, really, really wanted/wants
to close Gitmo. I don’t think Trump
really cares about the Wall, it was only red meat to his audience. The other stuff he’s likely to do will be a
ratcheting back of the regulatory machine, which is actually an absolute must
to regenerate legitimate and deep-reaching economic recovery. I don’t think he’ll even “repeal” Obamacare,
although it will be substantially dismantled (more “amend and restate” than “repeal
and replace”). But in fact, nobody
knows. We are in entirely unknown
Trade may be an area where he really does
something, but like with the Wall, I think his rhetoric was “boob bait for
Bubbas” and what he actually does will be much less dramatic. Also, remember that while he was
pontificating about the Wall (“just got 10 feet higher,” “I’ll make Mexico pay
for it”), he still went and had a completely civil meeting with the President
of Mexico. He seems to know when to say
outrageous things and when not to. That
being said, he’ll have to do something splashy regarding trade. Maybe that will work out (probably not).
[ Tuesday, November 08, 2016 ]
Jeff [3:02 PM]
[ Thursday, November 03, 2016 ]
Hmm, I'd expect a better level of understanding from the National Coordinator for Health Information Technology.
Jeff [10:45 AM]
Or maybe it's just the reporting that's bad, and something is lost in the translation. At the Brainstorm Health conference yesterday
, Dr. Vindell Washington, head of ONCHIT, said that patient data belongs to the patient (true), and that the providers who hold the data do not own it (hmm, not true).
You know the Cubs won the World Series, right? That's data, and you have it, and you own it. I also know the Cubs won, so I also have and own that data. If you stayed up late enough, you'd have seen that the MVP, Ben Zobrist, got a Chevy Camaro. That's also data, and you and I and Ben all have and own that. The car itself? Only Ben owns that; you and I don't. That's the thing about data -- it's an asset capable of being owned, but it's not a zero-sum game, and the fact that one person owns it doesn't prevent others from owning it as well.
The medical RECORD (the actual specific paper or digital representation of the data), on the other hand, is a different story. Dr. Washington noted that 20 states say that the medical provider owns the data; I don't think that's true. I believe those 20 states' laws refer to ownership of the record, not ownership of the data. And that does make sense; while both the patient and provider may own the data, and while the patient has a right to get a copy of the data from the provider, the provider actually is the owner of the specific copy of the data that is the medical record. Additionally, if the patient owns the data and the provider does not also own it, presumably the patient could require the provider to delete its copy of the data. That would not be a good idea, for reasons that you and I (and even Ben Zobrist) can figure out.
The lesson is, don't confuse the concepts of "data" and "records." They mean the same thing in many situations, but not always.
The article also states, ""Contrary to what some people may believe, patients have the right to ask their health care providers for access to their personal data." I guess it may be true that "some" people believe that patients DON'T have that right, but I'd suspect it's a precious few who are so ill-informed. OF COURSE people have the right to "ask . . . for access"; you also have the right to ask your provider to fix you a sandwich, or to marry you, but don't expect him/her to agree. But more importantly, assuming your provider is covered by HIPAA which 99.99% are, your provider is OBLIGATED to actually give you that access. Not necessarily for free, as Dr. Washington implies, but at a cost not to exceed the cost of producing the data. But your provider doesn't have to give you the only copy, or delete his/her copy after giving you access.
[ Friday, October 21, 2016 ]
Jeff [10:37 PM]
[ Wednesday, October 19, 2016 ]
Interesting (Yet Entirely Wrong) Article
Jeff [1:50 PM]
: A doctor writing for Slate
shows that he doesn't know how HIPAA works (see the first comment - all the way at the bottom of the comments). But hey, at least he spelled it right. . . .
[ Tuesday, October 18, 2016 ]
Jeff [1:53 PM]
Jeff [1:49 PM]
Jeff [12:59 PM]
Another Day, Another big HIPAA settlement
: $2,140,500 paid by St. Joseph Hospital of Irvine, California
. The hospital installed a new server for its "meaningful use" process, but didn't remove the default settings that made the server generally accessible over the internet. They hired consultants and did some risk analysis, but none of it was system-wide; I'm not sure that a system-wide review would've fixed the problem, but if we've learned anything lately, the fact that the error didn't cause damage doesn't mean you don't have to pay for it.
Good, solid, system-wide risk analysis, reaching across your entire enterprise (geographically, lines of service, operationally, administratively, whatever) is mandatory, and (if you get caught, even by an unrelated issue) failure to do so will probably bring a fine.
Robocalls for Flu Shots: Interesting article
Jeff [6:25 AM]
on the intersection of two federal privacy-related laws: HIPAA and the TCPA. The Telephone Consumer Protection Act protects consumers against unwanted commercial phone calls, but there are exceptions for healthcare and treatment. A Safeway customer got a flu shot at a Safeway pharmacy and gave Safeway her cell phone number. The next year, Safeway robo-called her 3 times with reminders to get another flu shot. She sued under the TCPA.
Safeway won on summary judgment because the calls were permitted under TCPA's exception for exigent health treatment, and because they were not "marketing" under HIPAA. At least part of the case is dependent on Safeway having good documentation, specifically in its Notice of Privacy Practices.
The real lesson for healthcare providers, though, is to keep in mind that HIPAA is not the only privacy statute you must follow. Any form of communication that might be considered advertising is potentially problematic, so be careful out there.
[ Thursday, October 13, 2016 ]
Jeff [5:04 PM]
[ Monday, October 10, 2016 ]
The Lesson of Care New England:
Jeff [1:45 PM]
Even if the breach isn't caused by it, the fact that you failed to manage your BAAs can cost you almost half a million dollars
(OK, $400,000; I was telling some folks at a conference today it was $500,000, but I mis-remembered the amount, obviously). That's the lesson: once OCR comes to investigate, whether as the result of a breach, a complaint, or an audit, anything that they find that you've done wrong is up for discussion, even if it has nothing to do with your particular breach.
[ Thursday, September 29, 2016 ]
Filing PHI in Court Documents:
Jeff [2:27 PM]
It's OK for providers to sue patients who don't pay their bills; providers don't have to work for free, and they aren't slaves of their patients. However, if you do so, make sure you don't include any PHI more than is necessary for the filing, and consider seeing a qualified protective order for any PHI you really need to disclose. The disclosure is permitted as a disclosure for payment or healthcare operations purposes, but the "minimum necessary" rule applies. So it's OK to state the debtor's name, and the name of the entity providing the care, but you probably don't need to include particular specifics such as the patient's social security number or birth date, the specific treatments provided, diagnosis, prognosis, or similar information that's not relevant to the debt.
WakeMed found out the hard way
. It wasn't a HIPAA ruling, but it was a $130,000 lesson. Of course, OCR could still weigh in on it, too . . . .
[ Wednesday, September 28, 2016 ]
HHS' HIPAA guidance doesn't reach NIST standards:
Jeff [1:09 PM]
That's the GAO's conclusion
, and they're right. However, while NIST's CyberSecurity Framework (CSF) is a good place to get guidance and a worthy goal of any entity looking for data security, it's not really required. HIPAA is for every covered entity, and the vast majority of HIPAA covered entities (think one-doctor practices) won't have the infrastructure, much less the potential risk of loss or breach, that would warrant a full-blown CSF-compliant security plan.
Expectations and requirements must both be reasonable. HIPAA-covered entities should look at CSF, especially the crosswalk provided by OCR
. But don't feel inadequate if you can't hit every target; instead, try for the reasonable stuff. Besides, your Privacy Rule compliance is going to give you a lot more comfort in meeting Security Rule requirements than fretting about technical compliance requirements that are beyond your organization's ability.
[ Tuesday, September 27, 2016 ]
Why did Care New England Pay $400,000 for Failing to Update Internal BAAs?
Jeff [11:03 AM]
The healthcare system management entity is technically a business associate of the related providers, and thus there must be business associate agreements between the provider entities and the management entity. They apparently entered into appropriate agreements in 2005, but failed to update them in 2013 after the Omnibus Rule was issued.
The management entity apparently lost 19 unencrypted backup tapes
containing PHI on 14,000 individuals. There is no evidence that the tapes have been acquired by any unauthorized individual or that the information in the tapes has been used in any way. However, there's also no evidence that they haven't been acquired or used.
The State of Massachusetts fined Care New England $150,000 for the actual breach, so OCR did not fine them for the breach itself. Instead, OCR fined them for failing to update their BAAs. That is, they failed to update the BAA between the two related entities, the hospital whose data was lost and the closely-related management company.
It should be noted that the required updates from the Omnibus Rule (specific reference to subcontractors, specific reference to BA's obligations under the Security Rule, and a specific statement relating to BA's performance of CE's obligations under the Privacy Rule) have absolutely nothing to do with the breach that occurred and the potential damages.
Yes, that's right: if Care New England had done what they're paying $400,000 for failing to do, they would be in the exact same position they are now. Fixing that glitch would have had absolutely no impact on the loss of data (which actually occurred in 2012, before the Omnibus Rule was even published).
[ Friday, September 23, 2016 ]
Magical Incantations of Blockchain: I must confess: I was a liberal arts major, and I've never written a line of code in my life. So maybe I'm just an idiot (a real possibility), but I just don't see how Blockchain works, and how it's going to be the next great thing in healthcare. My understanding is that the benefit of Blockchain is that there's no intermediary in transactions, and no central location for storing transaction information. Rather, multiple parties can view the chain links so as to ensure that the links are correct, and that's why no intermediary is needed to ensure that both parties to the transaction are presenting it identically. However, that seems to allow a lot of additional people to view a transaction, including people who aren't connected to it, and that would cause HIPAA problems if there's PHI in the transaction. This article indicates that only authorized persons can view the transactions; who authorizes them? And if they're interested parties, what's to prevent them from tampering with the transaction information (in a way that an intermediary would prevent)?
Jeff [5:29 PM]
I just don't get it. Anyone got a good explainer for this?
[ Thursday, September 22, 2016 ]
Want Some Free HIPAA Advice? Are you a North Texas healthcare provider looking for help and ideas on how to conduct a good risk analysis for your organization? How would you like the assistance of a dozen Masters of Healthcare Management graduate students in analyzing your business operations and HIPAA risks, to help determine if your HIPAA policies and procedures are up to snuff? If you're available on October 6th from 7-9:30 pm, I've got a deal for you. Contact me at jdrummond-at-jw.com for details.
Jeff [3:18 PM]
Providers Must Understand [and Practice] Cybersecurity:
Jeff [11:09 AM]
Ft. Worth's own Theresa Meadows serves on HHS' Health Care Industry Cybersecurity Task Force and has some good points to make
. Like understanding your risks.
[ Tuesday, September 20, 2016 ]
YouTube broadcasts of plastic surgery procedures? Yes, they can do that
Jeff [12:44 AM]
, as long as they have sufficient patient consent. It's the patient's PHI, and if they agree, it's OK. But if you're the provider, make sure their consent is sufficient.
[ Friday, September 02, 2016 ]
Jeff [9:44 AM]
Q from @JShafer817: We do
not encrypt SMS messages and they are absolutely not secure enough for PHI in
general, whether or not we encrypted them for out part of the journey. In
other words Jeff.. SMS sucks.. and once it
leaves the server it isn't encrypted anyways... So..
should SMS be used for... appt confirmations???
A: HIPAA requires reasonable safeguards to protect the
confidentiality, integrity and availability of PHI. It does not require
or expect perfection.
Covered entities are required to do a risk analysis of their
operations, determine what safeguards are appropriate, and adopt those
reasonable safeguards. A covered entity may determine that the increased
benefits of a particular modality over a second modality outweigh the increase
in safety the second modality provides. For example, a covered entity may
determine that the lower costs of a postcard reminder notice (versus an
enclosed letter) outweigh the increased risk of postcard versus letter, given
the minimal nature of the PHI that is or could be exposed. While a
provider like a dentist might make that decision (“who cares if everyone knows
I go to the dentist?”), a provider who deals with much more sensitive
information, such as an infertility specialist or oncologist, might determine
that the increased risk is not worth the cost savings. Likewise, a
provider might determine that postcards are good for certain communications
(annual appointment reminders) but not others (transmitting lab results), and
should always insure that the minimum necessary information is included,
regardless of the transmission mechanism. Those are legitimate choices,
and in proper circumstances would be reasonable under HIPAA.
The question regarding texting is similar. Unencrypted
texting is less secure than encrypted texting, and much less secure than
communication via a patient portal. But using an encrypted texting
solution or patient portal adds complexity that might be sufficient to cause
the patient to not utilize the service, and therefore entirely lose the benefit
of good communications with his/her provider. In that case, the benefit
of ensuring increased and effective communication might outweigh the risks of
using unencrypted texting instead of a more secure means of
communication. In either case, secure email or insecure texting, the
minimum necessary information should be included.
Thus, as long as the provider has done a proper risk analysis of
the issue (and I would recommend documenting the determination), SMS texting
could be allowed under HIPAA, in the right circumstances.
PS: please remember this is not legal advice; consult your own attorney; your mileage may vary.
[ Tuesday, August 30, 2016 ]
Jeff [2:18 PM]
Wanna see a pacemaker get hacked? Not sure how legit this is
Jeff [11:31 AM]
, and there's still no documented evidence of an actual hacked medical device, but the possibility will keep mystery and thriller writers going for a while. . . .
Jeff [11:27 AM]
continues to be a big concern
for healthcare providers.
[ Saturday, August 27, 2016 ]
Beer Science: Beer IS science
Jeff [10:54 AM]
. Seriously, I know more about chemistry, and specifically enzymatic reactions, because of homebrewing than I ever learned in school. Then again, I was a liberal arts major. . . .
Jeff [10:36 AM]
Let's try this again, again:
OCR to investigate smaller breaches. This makes sense
want to look at entities with lots of small breaches, breaches involving the
exact same fact scenario, or breaches that cause a lot of damage even though
there are only a relative few victims (i.e., less than 500 affected
individuals). Timing of notifications
matters: OCR will find out that a big breach has occurred when the individuals
find out, but won't hear about small breaches until January-February of the
next year. And OCR will investigate
small breaches if there's a complaint, but not necessarily if there's not.
However, this initiative really only makes sense if OCR has
extra investigator time on their hands, which I'd guess they don't. Thus, what's the real rationale for a public
announcement of this kind? Probably to
keep people on their toes. If someone
thinks they're in the clear and able to fly under the radar when the breach is
less than 500 people, maybe this is intended to give them a little fear-factor
and make them think twice, at least about doing a good breach risk analysis and
maintaining good documentation.
PS: an earlier version of this post was garbled because I
used the "less than" sign rather than the words, which triggered a
weird HTML effect. Thanks to Theresa
Defino for the heads up.
[ Friday, August 26, 2016 ]
Jeff [1:13 PM]
this is sort of insider-baseball stuff (can you say that about a case involving a football player?), but a court is allowing the suit to go forward
. Pierre-Paul is suing ESPN for violating his privacy and Florida medical confidentiality laws. The network certainly did not directly violate HIPAA (because the network is not a "covered entity" under HIPAA), but query whether ESPN aided/abetted the hospital to do so, or whether ESPN could be held liable anyway under the HITECH provisions that theoretically allow HIPAA prosecutions against employees or agents of covered entities. Interesting possibilities (well, interesting to me, at least).
[ Thursday, August 11, 2016 ]
Jeff [12:25 PM]
Just because you're a healthcare provider does not mean HIPAA is applicable to you.
I was having a conversation just last night regarding this issue: HIPAA only applies to health plans, health care clearinghouses, and health care providers "who transmit any health information in electronic form in connection with a transaction covered by" HIPAA. The 8 HIPAA-covered transactions are:
- Health claims and equivalent encounter information.
- Enrollment and disenrollment in a health plan.
- Eligibility for a health plan.
- Health care payment and remittance advice.
- Health plan premium payments.
- Health claim status.
- Referral certification and authorization.
- Coordination of benefits.
If you are a health plan but don't undertake any of the above transactions in electronic form, then you are not covered by HIPAA. That does not mean you are entirely in the clear.
If you suffer a breach, you may have state law reporting obligations you must still clear. And if you serve as a business associate for a covered entity, you may become subject to HIPAA via that back-door route. However, the potential for big HIPAA fines are not there if you are not a HIPAA covered entity.
This was illustrated by a New Jersey case last year
, which I also blogged about
(albeit in a different, more esoteric context).
[ Monday, August 08, 2016 ]
Jeff [5:57 PM]
Are Ransomware Attacks Per Se HIPAA breaches?
"Not Necessarily," says this National Law Review article.
Of course, I agree. But this is just plain wrong: "If, however, the ePHI is encrypted by the ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was acquired (i.e., unauthorized individuals have taken possession or control of the information), and thus is a “disclosure” not permitted under the HIPAA Privacy Rule." In most ransomware situations, the malware is injected into the affected system; there is no possession, and certainly no disclosure; there is only "control" in the context of preventing the rightful owner from controlling the data, since the hacker has no control either, and can't even decrypt the data. Preventing someone else from using their data is not "controlling" the data, it's controlling the victim and rightful owner of the data.
Jeff [10:11 AM]
Newkirk, BCBS-KS breaches: Newkirk
is a business associate of a lot of health plans, printing insurance cards for plan members (not too sure what happened there, since the article is behind the WSJ paywall). Blue Cross Blue Shield of Kansas
is one of Newkirk's customers, apparently, and about 800,000 of their customers are impacted. No SSNs or financial information, but insurance information like group numbers and the like, which would be helpful for medical identity theft.
Yes, Healthcare Data is Attractive to Hackers: For a number of reasons
Jeff [10:03 AM]
, as reflected in the value of health information on the "Dark Web." But is the healthcare industry reacting appropriately and increasing defenses? There sure seem to be a lot of breaches being reported, but don't mix in the settlements of old cases with new breaches. In fact, so far, 2016 is experiencing substantially fewer people affected by healthcare breaches. Maybe we are moving in the right direction. . . .
Yes, it is a Big Year for HIPAA Fines:
Jeff [9:58 AM]
but is it proof of more enforcement
(or more strict enforcement), or just bigger fines? Personally, I've had several clients avoid fines where I thought OCR would levy something, but that might be my expectations changing, not the underlying enforcement environment. (For the record, none of those clients deserved a fine, nor could they really afford one, but given the current enforcement trend, I was worried.)
[ Friday, August 05, 2016 ]
Jeff [11:32 AM]
[ Thursday, August 04, 2016 ]
Biggest Fine Yet (IIRC):
Jeff [4:42 PM]
Illinois' Advocate Health has been fined $5.55 million
by OCR for a series of HIPAA failings. Looks like a lack of a good risk assessment, lack of physical access controls, and BAA failures are part of the mix.
[ Wednesday, August 03, 2016 ]
It's a Banner Day for Breaches. Banner Health suffers a huge one
Jeff [1:54 PM]
: 3.7 million patients. Actually, it looks like 2 breaches in one for the huge western-US healthcare provider. One went after payment card data from food and drink locations at Banner facilities, and the second one went after patient records.
Hacker World Problems:
Jeff [1:54 PM]
a Ukrainian hacker stole 100,000 documents
from Central Ohio Urology Group (mostly internal documents, like surgery schedule spreadsheets) and posted them online.
Was he trying to sell the data on the Dark Web? Engaging in identity theft? Extorting payments from the group?
No, he's trying to bring public awareness to the "fact" that the Pentagon is poisoning people in the Caucasus with secret injections.
on the story.
[ Monday, July 25, 2016 ]
Medical Device Security:
Jeff [10:04 AM]
I still think this is in the realm of TV shows and movies (I've been binge-watching Mr. Robot lately), but while the likelihood is slim, the possibility of hacking a medical device should certainly concern the healthcare IT crowd.
Here's an interesting graphic I got from Arxan Technologies
that is certainly food for thought.
[ Friday, July 22, 2016 ]
No, No, No.
Jeff [10:38 AM]
No, @HealthPrivacy, you cannot draft regulations via guidance. This is just plain wrong.
If a covered entity has, in the course of a reasonable risk analysis, determined that emailing of unencrypted PHI is not secure, then the covered entity is not required to email unencrypted PHI to individuals exercising their access rights. The regulations do not say that, and you can't change the regulations by issuing guidance. If the covered entity has no such policy, or if it allows unencrypted emailing in other situations, if it has the policy but doesn't follow it, or if the policy is unreasonable, then the covered entity may
have to email PHI to the patient. The access regulations (which carry the force of law) say that, if the covered entity maintains the PHI electronically, then it must provide the PHI in electronic format; they do not
say that the covered entity must provide the PHI via electronic transmission.
Follow the rules, OCR. You can certainly change the regulations. If this is important enough for guidance, it's important enough for a regulation. Propose a new rule revising 45 CFR 164.524, publish it, request/receive/review public comments, and finalize it. That is how it works.
And don't try to enforce "guidance
" as if it's a law or regulation. It's not.
[ Thursday, July 21, 2016 ]
Ransomeware: 4 steps for fighting it.
Jeff [11:13 AM]
I'd add my own 4 steps, if I haven't already:
- Patch management and current virus software: whenever vulnerabilities are discovered in software, the developers usually send out patches. Make sure your organization is signed up to get those patches and promptly applies them. It's extremely unlikely you'll be attacked between the time the vulnerability is discovered and the time the patch has been provided; usually, however, businesses don't apply the patches, or don't sign up to get them, and it's a relatively old vulnerability (for which a patch is available) that is ultimately exploited. Same with virus protection software.
- Limit connectivity. Computers that aren't connected to the internet can't get infected by the internet, at least not directly. Don't connect computers unless you have to, and if you do, make sure your connectivity architecture is simple, logical, and traceable. If there's only one gate into the city, there's only one place to focus your protection efforts.
- Have good backups. Ransomware is designed to scramble your eggs. If you can just throw those eggs out and replace them, then you won't need to pay the ransom. Dealing with a ransomware attack is still enough hassle that you want to take all other other steps, but worse case scenario, good backups thwart any ransomware attack. Delete the infected files, scrub the system, and reinsert the backups.
- Train your staff and be prepared. Most ransomware comes from phishing or other social engineering. Most attacks are pretty clumsy, too, if you have the slightest clue what to look for. Make sure you staff has the slightest clue; better yet, make sure they have some pretty good clues. And make sure your organization is ready for any hack, whether it's ransomware, DDoS, or date theft. Who ya gonna call (when something looks funny in the system)? If your team doesn't know the answer, you aren't ready.
Breaking News: Entities not covered by HIPAA have privacy and security gaps
Jeff [10:40 AM]
. Well, duh.
HIPAA isn't intended to be some European-style data rights law that grants everyone specific rights in their own data and the right to demand that third parties, with which they may have no direct relationship and which otherwise owe them no specific duties, either limit their uses/disclosures of that data or provide minimum levels of security and protection to that data. Frankly, that's not how the data rights structure of American law works, and not how it should work. Have you seen what lawyers have done with the Illinois biometric privacy law so far? Imagine what they would do if every person entity who might legitimately come across personal information had a duty to protect it? Consider this: if you have a phone book in your house and it's not locked up, you aren't protecting the identifiable information in it; if there was a law applicable to you that required you to protect it, anyone whose name is in that phone book could sue you. That's crazy; and that's why you have no general obligation to protect that data, and only have an obligation if there's some specific contractual or other relationship, duty, or applicable law.
So it's understandable that, while HIPAA requires certain restrictions and levels of protection from covered entities (and, both directly and indirectly, from business associates), it doesn't require the same level from "non-covered entities."
Update: Here's another article
, and here's a copy
of the HHS report on NCEs.
[ Wednesday, July 20, 2016 ]
I think we knew this: cyber attacks increasing in the health care industry
Jeff [6:02 PM]
. Interesting take on the article: the ACA pushed medical practices to adopt EMRs before they were technologically proficient enough, and now cyber attacks are the price we pay for not really being shovel-ready.
I call bullshit. Plenty of tech-savvy companies have been hacked. It's not a "not ready for prime time" issue of the targets. If they were more ready, they'd still be getting hacked.
Blogger: HIPAA Blog - Edit your Template