HIPAA Blog

[ Wednesday, June 29, 2016 ]

 

Jamie Knapp: Analysis Update: A couple of folks (@LaClason and @PogoWasRight) pointed out that, in regard to my earlier post this morning,  HITECH did add a change to the actual HIPAA statute that is intended to be used (and has been used) to prosecute employees or third parties for acts that would be violations if they were covered entities, mainly to avoid the anomaly that rogue employees or other bad actors are free from HIPAA criminal liabilities because they aren't the actual covered entity.

Prior to HITECH, Section 1320d-6(a) had one sentence, that says: "A person who knowingly and in violation of this part (1) uses or causes to be used a unique health identifier; (2) obtains individually identifiable health information relating to an individual; or (3) discloses individually identifiable health information to another person, shall be punished as provided in subsection (b) of this section."  HITECH added a second sentence: "For purposes of the previous sentence, a person (including an employee or other individual) shall be considered to have obtained or disclosed individually identifiable health information in violation of this part if the information is maintained by a covered entity (as defined in the HIPAA privacy regulation described in section 1320d–9 (b)(3) of this title) and the individual obtained or disclosed such information without authorization." The copy of 42 USC 1320d-6 that I pulled up online didn't have the added language, which explains my miss of it.

However, it did give me an opportunity to re-review the new statutory language, and in fact I maintain my opinion: Knapp (and Chelsea Stewart in an earlier case) should not have been convicted, because their acts were not in violation of HIPAA.  That's because the HITECH-added language, which is intended to make them criminally liable (and pursuant to which they were held criminally liable), is deficient from a statutory construction standpoint.

The added language says “for purposes of the previous sentence,” which would be fine to change something within the construct of the previous sentence.  (Example: "It is a violation of fashion law to wear white after Labor Day.  For purposes of the preceding sentence, white shall include bone, ecru, ivory, eggshell, and taupe.")  But the preceding sentence still says the obtaining or disclosing must be “in violation of this part.”  It doesn’t change the definition of a covered entity or put obligations onto anyone other than a covered entity.

And you can’t change the meaning of “in violation of this part” by such a passing reference.  In other words, you can’t change the definition of “in violation of this part” to simply mean any obtaining or disclosing of IIHI “if the information is maintained by a covered entity . . . and the individual obtained or disclosed such information without authorization.”  If that’s the case, then any obtaining or disclosing of IIHI that is (i) “maintained by a covered entity” and (ii) “without authorization” would be a violation.  And if that’s the case, every obtaining or disclosing of hospital-held PHI for treatment, payment, or healthcare operations (i.e., uses and disclosures for which an authorization is not required) would be a HIPAA violation.

HITECH was a hastily- and sloppily-written statute.  But it’s also another example of the pure lawlessness of the current federal government.  If we are to live under the rule of law, laws must apply equally to all.  They must be clearly written so citizens can know exactly what conduct is prohibited and what is allowed.  Words have meaning, and the meaning of words has consequences.  When it comes to criminal law, where one’s property or liberty can be removed by the state, there cannot be a “well, you know what I mean” quality to it.  Criminal statutes in particular MUST be clearly and precisely written.  If there is any ambiguity (and there certainly is here), the benefit of the doubt must go to the accused.  

Congress had the opportunity to fix this loophole by changing the definition of Covered Entity or by specifying a new and separate violation (i.e., “a person violates this part if . . . “ or “It is a violation of this part if a person . . . “), but they didn’t do so.

I hope the next person who is charged under this provision challenges it on these grounds.  I don’t object at all to holding employees and other non-covered-entities criminally liable for these types of breaches.  I think this is a loophole that should be and needs to be closed.  But the law should be written to make these types of breaches actual violations of the law, and what is written doesn't do that.  Have some respect for the rule of law.

Jeff [3:24 PM]

 

Jamie Knapp: another HIPAA criminal conviction: a respiratory therapist who accessed PHI of patients she was not seeing has been convicted, apparently of violating HIPAA, by an Ohio federal jury.  I'm still trying to figure out how a respiratory therapist employee of a hospital, who by herself is not a covered entity, was convicted of violating HIPAA.  Not every health care provider is a covered entity; you must also conduct electronic transactions that are HIPAA regulated.  Generally, an employee will not be conducting those transactions. And while the officers and directors of a company may be held liable for their activities as decision-makers of their companies (in other words, they can't hide behind the company for their own acts if the company is responsible as well), I don't see how a low-level employee is bootstrapped into being the covered entity itself.

Jeff [8:32 AM]

[ Tuesday, June 28, 2016 ]

 

Tex. Health & Human Services Commission Breach: The HHSC's records vendor, Iron Mountain, lost some boxes with records of 600 people who applied for benefits with HHSC.

In case you didn't know, the HITECH and Omnibus Rule changes to HIPAA's definition of "business associate" make clear that anyone who "creates, receives, maintains or transmits" PHI for a covered entity is a business associate.  "Maintains" includes storage, so wherever a covered entity stores its PHI, whether it's a cloud-based server or Uncle Bob's Self Storage, the storage company is a business associate.  Of course, self-storage places, that never intend to access the records in storage and don't even know what people keep in their storage lockers, really don't want to be BAs, and they sure don't want to sign BAAs.  But have you ever seen the TV show Storage Wars?  Stuff in self-storage facilities sometimes gets disclosed to the general public.  Unfortunately, if you are a covered entity and you're using a self-storage facility, you must get them to sign a BAA, or find another facility.

There are facilities that will sign BAAs, and Iron Mountain is one of them.  This is the first breach I've heard of involving Iron Mountain; hopefully it will be the last.

Hat tip: Virginia Mimmack

Jeff [4:00 PM]

[ Monday, June 27, 2016 ]

 

Is the theft of NFL Players' medical records from a Redskins' trainer a HIPAA violation?  Almost certainly not.  But it is likely a violation of some state data protection laws, and almost certainly raises a data breach notification obligation.

A Redskins trainer left a backpack containing paper medical records, as well as a laptop with electronic medical records, of current and former NFL players in a locked car; the car was burgled and the backpack (and its contents) stolen.  The laptop was password-protected, but the electronic data was not encrypted. This is not good.  But it's also unlikely to be a HIPAA violation, mainly because it's unlikely there is a HIPAA covered entity involved.

No breach without a CE or BA: The NFL itself, and the Washington Redskins specifically, are not health plans, health care providers, or health care clearinghouses.   Therefore, they are not "covered entities" (or CEs) under HIPAA.  The trainer is most likely a health care provider, which would make him/her a CE if he/she engages in electronic transactions of the sort regulated by HIPAA.  These would be submitting billing to insurance, checking for insurance coverage and benefits, tracking payments, etc.  I would be extremely surprised if he/she did so, since I assume he/she is paid by the Redskins for services provided.

It also does not seem likely that the NFL, the Washington Redskins, or the trainer were acting as a "business associate" (or BA) of some other CE in connection with the lost data.  Without a CE or a BA, there can't be a HIPAA breach.

One possible caveat: the Players Association is all over this story.  It is possible that the Players Association is structured in such a way that it (or a component of it) is a CE by virtue of being a health plan.  I doubt that, since I doubt the PA pays or provides for medical care; I assume the teams pay for their own players' medical care.  But that unlikely event is the only way I see HIPAA being involved here.

Employment records aren't PHI: Even if there was a BA or CE involved here somehow, there's still the question of whether the data lost was "protected health information" (or PHI) under HIPAA's definition.  The definition of PHI is extremely broad, and it's likely that this information could be PHI, but the definition does have an exception that might be applicable here.  Namely, "employment records held by a covered entity in its role as employer" are specifically excluded from the definition of PHI.  We don't know for sure, but it seems like the lost data might be "employment records."

Encryption is not required: The article states, "Storage of data on unencrypted devices does not adhere to both local and federal medical privacy standards, including HIPAA, making the breach a potentially costly one for the NFL."  Not true.  Don't get me wrong; encryption is best practice, and I highly recommend it, not the least because HIPAA's breach notification provisions are inapplicable if the lost data is encrypted.  But encryption is not required, and therefore storing data on unencrypted does not fail to meet a standard under HIPAA.  Some states (MA for sure) have state-level encryption requirements, but it's impossible to tell from the article whether those state statutes would be implicated, or if the state regulators would be able to commence an enforcement action.

State laws may apply: Depending on where the theft occurred, the states of residents of the affected individuals, the location of the responsible parties (are the Redskins actually in DC or in Maryland or Virginia?), and the location of the theft (Indianapolis), various state laws may be impacted.  Some states have laws requiring reasonable security for personally-identifiable information; most have laws requiring the notification of individuals whose data has been breached.  Those laws vary greatly, but it's pretty safe to say some would be implicated by this situation.  Some do not require notification if there is little or no risk of harm from the breach, and it's possible that the NFL and the Redskins could come to that conclusion based on the fact that the data was password-protected; that wouldn't cure the problem with the paper data, though.  Regardless, that's a fact-specific matter based on the reasonable conclusion of the parties involved.  I would expect the NFL and/or the Redskins to notify all individuals involved, regardless of whether it's legally required or not.

Jeff [5:50 PM]

[ Monday, June 06, 2016 ]

 

(wrote this back in April, don't know why it didn't post): NY Med HIPAA Fine: NY Med was a reality TV show filmed in NY hospitals.  It's relatively famous because NY Presbyterian Hospital and ABC are being sued by the family of a man who was hit by a garbage truck and was dying in the hospital; the film crew filmed his plight, without his authorization.  The show pixilated the man's face and included no identifying information, but some family members were able to determine that it was him, and they're now suing the hospital and ABC.  It's unlikely that anyone would have been able to determine who the dying man was if not for his family's publicizing the case by filing suit.  I believe that ABC has been released from the suit, but the suit goes on against the hospital.

OCR has now fined NY Presbyterian 2.2 million dollars for this case and for a similar issue involving another individual.  

Jeff [11:30 AM]

 

University of New Mexico Hospital breach: A change in software led to invoice information on about 3,000 patients being sent to 18 incorrect addresses.  Definitely PHI included in the improper disclosures, but none of the traditional identity theft markers like social security numbers.

Jeff [11:17 AM]

 

ProMedica Michigan breaches: Two hospitals in Michigan operated by ProMedica are under investigation by HHS for breaches apparently involving employee snooping.  Seven employees were involved; 3 were fired, the other 4 disciplined.  About 3500 patients were impacted.  None of the files were printed, which makes large-scale identity theft less likely (of course they could've been saved to a flash drive, but I'm assuming they ruled that out too).  That makes it more likely to either be pure nosy snooping (although the number is pretty high -- can't imagine that each snooper would know 500 people in the hospital), improperly-restrained curiosity, or some less-nefarious intend, such as wanting to see if hospital policies are being applied evenly.

Jeff [10:57 AM]

 

Abortion: HIPAA makes its way into the Planned Parenthood fetal tissue sales story.

Jeff [10:47 AM]

[ Tuesday, May 31, 2016 ]

 

Yelp: HIPAA covered entities must be careful in responding to Yelp reviews, good or bad (but especially bad).  Just because the patient has posted his/her own PHI, doesn't mean the doctor, dentist, or other provider can.

You can, however, respond in a way that doesn't bring up a specific patient or discuss an individual's specific PHI.  If a Yelp poster complains that "this provider did X," the provider can post that "my office policy is to never do X, and that I looked at all my files for all patient visits in the last year and could not find an instance of anyone doing X."  But you shouldn't say you looked into that patient's files and didn't find X; in fact, you shouldn't even acknowledge that the poster is your patient.

Yes, it's unfair.  Yes, the provider's hands are tied.  But that's the way it goes.

Jeff [3:32 PM]

[ Tuesday, May 24, 2016 ]

 

Symantec's Tactical Cyber Security Checklist: this is good advice and easy to do.

Jeff [11:05 AM]

 

Good News for Data Breach Defendants: a Pennsylvania appeals court has upheld a trial court's determination that the class action route is inappropriate for litigation regarding data breaches.  The claims are too individual, particularly where damages are so uncertain and hard to define.  

Jeff [9:56 AM]

[ Monday, May 23, 2016 ]

 

Often mentioned possibility comes to fruition: Kansas Heart Hospital got hit by a ransomware attack last week and paid the ransom to get their data back.  The hackers returned for a second bite, but this time the hospital is not paying.  Presumably "baby got backups."

Actually, this is not a re-encryption, but rather a refusal to give up the full decryption in response to the payment of the ransom

I've heard of this as a possibility, but this is the first time I've heard of a healthcare provider getting hit with a second ransom demand.  In every other incident I'm aware of, the hackers did provide the encryption key.  Of course, in some instances, not all of the data is recoverable; the process of encryption might overflow usable memory, so that the decrypted data is corrupted or incomplete, so even if the hackers give the correct key (or all the correct keys), it's possible some data would be lost. In this case, it sounds like the hackers intended to go for a second bite.

This is the example, though, that should make you think long and hard about paying the ransom, even if it's relatively small.

Jeff [1:27 PM]

[ Wednesday, April 27, 2016 ]

 


FAQ: WTF? Sorry, @HHSOCR, this FAQ is a thousand times wrong.  NOTHING in HIPAA prevents a covered entity from allowing a media company from accessing PHI, as long as the use or disclosure in connection with that access is permitted by HIPAA.  And nothing at all prohibits a covered entity (or a media company working on its behalf) from disclosing truly de-identified PHI (which, by definition, IS NOT PHI!!).

You can argue about whether it's truly de-identified; that's a fair argument.  But there is no such blanket prohibition in HIPAA to support the statements in the FAQ.

Of course, you could draft a regulation to just that.  But that requires actually following the law and the Administrative Procedures Act, publishing a proposed regulation, soliciting, receiving, and considering public comment, and publishing a final regulation.  Sure, it's more work than firing off an FAQ.  But it's the law.  It's the way law is made.

Executive fiat is anathema to the American concept of government.  Stop it.

Jeff [3:15 PM]

[ Friday, April 22, 2016 ]

 

WOW!  Lots (and I mean lots, or I'm just lucky) of physicians, dentists, hospitals, vendors, and others seem to be getting notices from OCR today indicating that they are on the audit list for the Phase II audits.  Is today "match day" or is this just a huge coincidence?

Jeff [6:01 PM]

[ Thursday, April 21, 2016 ]

 

Raleigh Orthopaedic Update: @PogoWasRight was on the case back in 2013 when it originally happened.  Sure enough, the BA was crooked and instead of converting the films to digital, dissolved the films for their silver content.  Don't know if there was any improper disclosure, though -- if the vendor simply melted the films down, there would be no further disclosure.  Still a stinging result for the practice -- they were victimized by a scam artist and lost all their x-rays, and then had a big HIPAA fine on top of it all.  It's not clear to me that having a BAA would've prevented the incident at all.

Raleigh Orthopaedic: Anyone know any more about this than what OCR is saying?  Their press release only says that they failed to have a BAA in place.  It does not say that the business associate stole the data, improperly disclosed it, or anything.  No indication of any harm at all, just failure to sign the BA?  Seems extreme to fine someone $750,000 for that. . . .

Jeff [1:55 PM]

 

Ransomware: Are hospitals upping their defenses?  I hope so.

Jeff [10:09 AM]

[ Wednesday, April 20, 2016 ]

 

According to Report on Patient Privacy, 64% of healthcare companies have cyberinsurance.  But most breaches cost less than the deductible.  Well, that's what insurance is for, folks: not the daily costs, but the big one.  

Jeff [8:24 AM]

 

Raleigh Orthopaedic Clinic: Lack of a BAA results in a $750,000 fine.

Hat tip: the inestimable Dissent Doe (@PogoWasRight)

Jeff [8:10 AM]

[ Tuesday, April 19, 2016 ]

 

US-CERT Ransomware Alert:  The United States Computer Emergency Readiness Team at the US Department of Homeland Security has issued an Alert about ransomware.  Best takeaways seem to be things I've been saying all along: backups (good, fresh, tested, and remote); patching; virus protection; access restriction; phishing protection (training to not click on links).  One thing I've been preaching that they don't touch: restricting internet-facing computers and reducing open ports.

I'll admit to two additional tips I haven't been harping on that are very worthwhile.  The first is application whitelisting.  This is a program where only approved applications may run on the network or on connected servers and computers.  This can prevent a lot of potential problems, not just ransomware.  When a bad program infects your system and tries to start encrypting files, the program won't be on the whitelist, so the operating system won't let it run.  Of course, we can anticipate that hackers will adapt their encryption programs to run within commonly whitelisted programs, or write them to mirror such programs so they can appear to be whitelisted, but it will certainly prevent some, and is a good response in the here and now.

The second tip, which I've seen elsewhere, is to prohibit (or at least limit) the running of macros.  You know I'm not a "1's and 0's" guy so I'm not sure how this works, but many viruses can hide in macros, so that a PDF or Word document can be the carrier of the virus.  While may people know not to click on links to unknown websites or open .zip or .exe files, many think that Word and PDF files must be harmless.  However, any file with a macro might be a virus carrier.

Finally, I could complain about how slow US-CERT is ("when seconds matter, help is only minutes away"), since we've been fighting ransomware like a wildfire for months.  But at least they have responded, and I've got to admit that I got something out of it (app whitelisting) that I'll use in the future.

Jeff [10:26 AM]

[ Monday, April 18, 2016 ]

 

Cloud computing and HIPAA: can you be HIPAA compliant it you use the cloud?  Of course you can.  You can also violate HIPAA by using the Cloud.  It's a tool; how you use it determines whether you're complying with your objectives.  

Jeff [5:33 PM]

[ Friday, April 15, 2016 ]

 

More Ransomware: Five thoughts that you can tease out of recent articles like this one for dealing with cybersecurity threats:

  1. Old Software.  If possible, stop using old outdated software.  Sometimes you can't help it, because it's the only software that works for what you do, you can't afford to move to a new platform, etc., but if you can update your software, do so.  If you're using Windows XP, you deserve what you get (sorry, but that's the cold hard truth).
  2. Patches.  Whether you're using new or old software, keep your patches updated.  All software has vulnerabilities, since the developers can't think of every possible weakness; that's why Zero Day exploits exist.  Having a vulnerability isn't bad unless it's exploited, and most vulnerabilities won't be exploited on any given day.  But over an unlimited number of days, every vulnerability will be, so you've got to limit the days the vulnerability is open.  Bad patch management is a consistent feature of every ransomware incident I've been involved in.
  3. Connectivity.  Limit connectivity whenever possible.  You can't run your business if your systems can't talk to each other and to the outside world.  The safest website in the world is one nobody can access; it's also the most worthless.  So you need some connectivity; you need some internet-facing computers.  But the more "doors" you have to the outside world, the more you need to protect, and the more that can be exploited.  If you don't think you'll need that door, lock it.  If you're sure you won't need it, brick it over (sort of like the concept of epoxying USB ports to keep employees from plugging in infected flash drives).
  4. Backups.  Have good, usable backups.  This means two things.  First, you need to be generating backup copies of your important data as often as you can, or at least have the ability to recreate any changes made since the last backup.  This may require re-keying data, so consider that when calculating recovery time.  Also, consider retaining older versions of backups, to account for the possibility that the backup you've just made contains compromised data; for example, if an encryption program is already running and you don't know it, you could make a backup copy of encrypted data, which you could then save over the last good version of your data.  Storage is cheap, so if you're doing daily backups, you should also keep a version from the prior week's end, a copy from the prior month's end, etc.  Secondly, make sure those backups are virtually inaccessible.  Again, in recent ransomware cases I'm aware of, the programs look for data files with names like .bac, .bak, or that include the word backup in them.  They will encrypt your backups if they can get to them, so make sure they can't.  If you have the data backed up, even if your files get encrypted, you can recover without paying any ransom by wiping your system clean and re-installing the backup data.
  5. Training.  As Morgan Wright said at your presentation yesterday, training is like bathing, it's not a one-and-done proposition.  But balance it: don't let "alarm fatigue" inflitrate your training efforts and reduce their effectiveness, but train often enough that your staff knows what the problems are, what the current threat vectors are, and what they should be on the lookout for.  

Something to think about. 

Jeff [11:41 AM]

[ Thursday, April 14, 2016 ]

 

Ransomware: Most hospitals have been hit in some way or another.

Jeff [3:13 PM]

[ Tuesday, April 12, 2016 ]

 

Florida Department of Health Breach: The medical information of over 1000 patients at seven Department of Health clinics in Palm Beach County were compromised, but it's unclear how.  Since it was the FBI that notified the Department of Health, it's entirely possible that they don't yet know what happened or how the data got out there.  

Jeff [10:25 AM]

[ Friday, April 08, 2016 ]

 

OCR's Second Round of Audits: what might they look like?  A look at the Audit Protocols should give you a pretty good idea of the specific questions they're going to ask.  Be forewarned, there are a lot of questions.

Jeff [5:20 PM]

[ Thursday, April 07, 2016 ]

 

mHealth: for app developers, there's always a question of whether your app is a medical device that needs FDA approval, whether it's subject to HIPAA, or whether other laws apply.  The FTC has set up this handy tool to help you figure out what land mines you need to avoid.

Of course, try not to cross the "creepy" line.

Jeff [1:54 PM]

 

Ransomware: more hospitals getting hit, in Indiana and more in California.  It is hitting critical mass, some say.

Jeff [1:46 PM]

 

MedStar: More on the MedStar hack (pardon me, I'm still catching up).

Jeff [1:25 PM]

 

NY Med Lawsuit: These are conflicting headlines, one noting the suit being thrown out (as against ABC) and the other noting that the suit can go on (against the doctor and hospital).  Ultimately, it's a question of whether the doctor and hospital released individually identifiable health information when a segment of a reality show included a dying patient who was never identified and whose face was blurred out.  The family of the deceased patient never signed a consent.  But they were also the ones that connected the dots and figured out it was their family member who was the dying patient, and by bringing the suit, effectively publicized the patient's information.  Tough call.

Jeff [12:00 PM]

[ Friday, April 01, 2016 ]

 

Non-HIPAA entities dealing with PHI: Interesting article in the NY Times on entities that deal in health information but aren't covered by HIPAA.  It illustrates a couple of things: (i) health data comes from all over, and if it comes from a non-HIPAA-covered-entity source (directly or through a business associate), it's not subject to HIPAA.  (ii) There are lots of entities that get data that is health related but comes from some non-healthcare source (your Fitbit, your grocery store, your gym) that really should not be subject to HIPAA restrictions.  (iii) There are lots of ways that data can be used, amalgamated, analyzed, etc., and no regulatory scheme is going to secure all of them.  

Jeff [5:35 PM]

[ Tuesday, March 29, 2016 ]

 

Ransomware? We don't know yet, but the FBI is investigating some sort of cyberattack on MedStar Health, which has frozen some data systems and caused the facilities to revert to paper records.

Jeff [10:20 AM]

[ Monday, March 28, 2016 ]

 

Ransomeware: Must a provider report a ransomware hack as a HIPAA breach?  That's a question that's making the rounds with some of my friends in the privacy space, and there certainly is some disagreement on the matter.  Personally, I'd say every breach must be treated on its own facts, a breach risk analysis must be done, and the various factors considered.   But I believe it is absolutely possible to determine that there is no more than a low risk of compromise (remember, that's really an undefined and undefinable term in this context) if there was not exfiltration of the data.

Apparently Rep. Ted Lieu of California agrees, because he's proposing legislation to require provider to give notice to patients if they've been subject to a ransomware attack.  If it were required to be reported, there'd be no need to change the law, right?

Jeff [2:02 PM]

[ Thursday, March 24, 2016 ]

 

Phase 2 Audits will impact BAAs: that's Modern Healthcare's take.  Maybe; in my experience BAAs are generally in pretty good shape.  Obviously, there is a broad and wide diversity of BAAs, from the super-simple "just the facts" recitation of the regulatory requirements to the "show me your safeguards" agreements, where the covered entity gets deep into its vendors' operational minutia.  But for the most part, except for cases where there's no BAA at all, generally the BAAs that are out there are sufficient.

And for what it's worth, I'm not a big fan of the second type of agreement.  Covered entities can't turn a blind eye to whether they can trust a vendor, but safeguards are scalable, and it's not the covered entity's position to make a determination about what safeguards are appropriate for a BA.  Additionally, if it takes on that obligation and either doesn't look closely or doesn't see an insufficient safeguard, the covered entity could be liable for the breach caused by that insufficiency.

Jeff [9:49 AM]

[ Wednesday, March 23, 2016 ]

 

Ransomware: The FTC is now on the case. If the healthcare industry has not taken the Hollywood Presbyterian and other hacks as a serious wake-up call, one of the next victims might not only have to deal with the costs related to the breach itself, but may well end up having to defend itself from an FTC action.  

Jeff [4:14 PM]

 

Phase 2 Audits: 8 steps to get ready.  Even if you're not targeted, these are all good ideas.

Jeff [1:42 PM]

 

More Ransomware: Methodist Hospital in Kentucky is the latest to be hit.  

Jeff [10:58 AM]

 

Threat Awareness: While you're checking and rechecking your perimeter to keep CryptoLocker pirates out, don't forget: Cyber threats are often insiders.  

Jeff [8:47 AM]

 

Ransomware: Two more LA hospitals hit by ransomware hacks.  

Jeff [8:39 AM]

[ Monday, March 21, 2016 ]

 

HIPAA Audits, Round 2: according to an email I received from HHS, OCR has actually started the Phase II audits.  Apparently they have sent emails to targets seeking contact information, and are starting the information-gathering process.  The odds of getting picked are very slim, but you'll really wish you did a better job with your risk analysis and other HIPAA tasks if you do.

If anyone got picked and wants to share, please email me.  I'd love to know how it's going, and to pass along information (anonymously, of course) if you'll let me.



Jeff [8:01 PM]

[ Thursday, March 17, 2016 ]

 

Feinstein Institute Breach Nets $3.9 Million Fine: The hit just keep on coming.  A laptop containing PHI on 13,000 patients is stolen from an employee's car.  Encrypted, no fine; but it's unencrypted, so $3,900,000 to OCR's coffers.  Insufficient policies governing who could take laptops out, too.  

Jeff [9:59 PM]

 

Accretive Follow-Up: North Memorial Fined $1,550,000.  What happens when your business associate has a bad HIPAA boo-boo?  If you've done what you should have done, then usually you'll be fine, but if you haven't, you can get fined, and big.

North Memorial Health Care paid Accretive to assist it with its revenue cycle management.  Mainly, Accretive was known as being pretty aggressive in working very closely with hospital clients to get payments, mainly focusing on the patients' responsibility rather than the insurer, to the point of trying to work out payment plans while the patients were still in the hospital or ER.  While there really should be no problem with a provider of healthcare services, or any other services for that matter (surely hospitals and doctors don't have to work for free, do they?), trying aggressively to get those payments can look bad, and that put Accretive, and some of their clients, into the crosshairs of some state attorneys general.

Matters were made geometrically worse when an Accretive staffer had an unencrypted laptop stolen.

North Memorial was an Accretive client.  Normally, North Memorial would not necessarily be fined for its business associate's bad behavior, but the problem here is that Accretive's breach caused North Memorial to come under OCR scrutiny, and unrelated issues (well, unrelated to the actual breach incident/stolen laptop) came to light.  Specifically, North Memorial didn't have a BAA with Accretive, which is a pretty obvious HIPAA failure.  But worse, North Memorial did not have a risk assessment.  That is a catastrophic HIPAA failure.

Net Result: $1,550,000 fine.  That's serious money, folks.  

Jeff [2:57 PM]

[ Wednesday, March 16, 2016 ]

 

Top 5 Healthcare Cybersecurity Issues, and examples of each.

Jeff [1:27 PM]

 

Ransomware, Eh?  Canadian hospital hit with ransomware, but damage limited to 4 computers.  Apparently full backups available, so no major problems caused.  Were they lucky, have they had good cyber hygiene (backups, disconnectivity, etc.) in place, or did they harden their systems following the Hollywood-Presbyterian fiasco?  Inquiring minds want to know; let me know if you know.

Jeff [1:15 PM]

[ Tuesday, March 15, 2016 ]

 

Wellness Programs: When do employer wellness programs run into HIPAA issues?  It depends on how the program is set up and where it gets its information.  

Jeff [2:40 PM]

 

Lawyers and HIPAA: if you're an attorney trying to figure out what your own responsibilities are regarding HIPAA (especially your clients are covered entities, or your adversaries are), here's a good presentation on your obligations.  The speaker knows his stuff.  Good looking, too.

Jeff [9:19 AM]

 

Off Topic: Texas Hospitals and Concealed or Open Weapons:   This isn't a HIPAA issue, but here's a good article on the Texas open-carry and concealed-carry laws, and how hospitals can prohibit visitors and employees from bringing weapons onto their grounds if they so wish.

Jeff [8:58 AM]

[ Friday, March 11, 2016 ]

 

Mobile Health Apps: Lawmakers on both sides of the aisle are unhappy with HHS' slow response to explain how HIPAA impacts mobile health apps, from Fitbit-type wearables to AirStrip-type medical information communication tools.   

Jeff [1:35 PM]

[ Thursday, March 10, 2016 ]

 

Data Breaches in Healthcare: one in three is a big number.  

Jeff [11:40 PM]

[ Tuesday, March 08, 2016 ]

 

Is the Wall of Shame obsolete?  Some say so.  I disagree.  I know privacy officers whose concerns increase dramatically when the number of individuals involved in an incident approaches 500.  Much of that is because an immediate report to OCR (as opposed to an annual report) will automatically bring an OCR investigation.  But they're also afraid of being posted on the Wall.  Also, many of us look at the Wall to see if an entity has a posting, for example during due diligence.  Does the wall not cause increased privacy  diligence?  Maybe, but that's because (i) virtually all HIPAA-covered entities already are very diligent by nature where privacy is concerned, and (ii) it is the other HIPAA punishments OCR can dish out that cause the diligence.  What the wall does instead is allow the outside world to know a little about what OCR already knows -- who the big players are, what types of breaches are prevalent, etc.

Jeff [8:30 AM]

[ Monday, March 07, 2016 ]

 

More Part 2: If you are a Part 2 provider, you may want to update your consent form based on the new rules; at least that part of the new rules is likely to survive any comments.

The big change in Part 2 doesn't revise the current requirement that no disclosure can be made without specific patient authorization; rather, it allows the consent form to generally describe other providers to whom the information may be disclosed, presumably to allow integrated providers to share the information for treatment and other legitimate purposes.  However, the patient may be able to obtain a list of all disclosures to those individuals and entities who received the information pursuant to the general description of the recipient.

Jeff [10:37 AM]

 

Part 2 Changes Coming: If you're reading a HIPAA blog, you know about 45 CFR, especially Parts 160 and 164.  But if you're in the substance abuse field, you probably also know about "Part 2."

"Part 2" refers to 42 (not 45) CFR Part 2.  Those are special privacy rules applicable to federally-supported substance abuse treatment centers.  If you were at my PESI presentations in Houston or San Antonio last Thursday and Friday, you would have heard about the Part 2 rules and how, since they are more strict than HIPAA, they are not preempted by HIPAA.  Basically, Part 2 is a strict prohibition on releasing substance abuse treatment records, even more strict than HIPAA: virtually no releases are allowed without a specific authorization from the patient.

This strictness can sometimes be too much, apparently.  It also doesn't reflect the interconnectedness of health care services these days.  So HHS is proposing that Part 2 be amended to allow transfers of substance abuse record data among participants in an integrated care model.

The proposed rules are here; you can comment by clicking the box in the upper left corner.

Jeff [10:16 AM]

http://www.blogger.com/template-edit.g?blogID=3380636 Blogger: HIPAA Blog - Edit your Template