[ Wednesday, April 18, 2018 ]
Jeff [10:56 AM]
Of course, I see this and wonder if it's a HIPAA violation. Well, that and a couple of jokes that pretty much write themselves.
[ Thursday, April 12, 2018 ]
Insiders Cause Most Health Industry Breaches:
Jeff [3:05 PM]
Not really surprising, but most data breaches in the health industry are caused by insiders. That's not surprising, given the highly labor-intensive nature of healthcare, the presence of so many low-wage employees (who might be more likely to either intentionally (theft) or unintentionally (accident) cause a breach), and the fact that sensitive identifiable data is involved in every aspect of the business.
I don't agree with the headline's premise, that healthcare is worse than anyone else at preventing insider actions; that assumes that the number of healthcare data breaches is comparatively high compared with other industries. Rather, I think the number of breaches is comparatively low, but it's just that the percentage of the (lower number of) breaches attributable to insiders appears high due to the low denominator.
[ Tuesday, April 10, 2018 ]
Old dogs, new tricks?
Jeff [10:55 AM]
OK, not exactly, but I did actually learn something new about HIPAA today. It confirmed my understanding in the area (which coincidentally I was discussing with someone within the last few days), but I wasn't aware that there was such an explicit outlining of the matter by HHS already.
Someone asked me what their HIPAA obligations are, as a covered entity, to investigate their business associates' HIPAA compliance activities. Lots of larger CEs have extensive requirements they pass down to their BAs, forcing them to answer questionnaires, provide documentation, and agree to inspections or reviews, so that the CE can determine whether the BA is adequately protecting PHI. This is a good thing in theory, but can be a monstrous pain in the neck for the BA, especially if it's a small shop with a more, shall we say, informal HIPAA compliance plan ("Shhh.").
As I told my interlocutor, the HIPAA regs themselves do not require any sort of active engagement by the CE over its BAs, only the entering into of a BAA and the downstreaming of the specified obligations in 164.504(e). Most BAAs contain more than is required, and those that contain active monitoring of the BA certainly do. While it seems to be becoming an industry trend, and may be a "best practice" for a larger CE, it's certainly not a requirement.
As an aside, I would note that a BA should be very careful about agreeing to provide the CE with a copy of its risk assessment: once an organization has determined what its greatest weaknesses are, it's not a good idea to show that to anyone outside the organization. If the outside entity does not keep that information secure, it's like giving potential hackers a road map to the best way into your data. I passed this advice along as well.
Anyway, Lexology today led me to this article by Adam Green's crew at Davis Wright Tremaine. It turns out, there is specific language in the December 2000 Privacy Final Rule that removed a more active monitoring requirement in the proposed regs from 1999 (the regs I famously read on the beach in Destin, Florida in June of 2000). The 2000 Final Rule says, "In the final rule, we reduce the extent to which a covered entity must monitor the actions of its business associate and we make it easier for covered entities to identify the circumstances that will require them to take actions to correct a business associate's material violation of the contract. . . . [T]his standard relieves the covered entity of the need to actively monitor its business associates . . . ."
As the article also notes, OCR officials indicated a year ago at a HIPAA Summit that they do expect CEs to conduct a certain level of due diligence with respect to their BAs. While this "guidance" is helpful, and I would always encourage CEs to exceed the requirements of HIPAA where it's reasonable to do so, it is still just that: guidance. As with the OCR "ransomware = breach" guidance, it is not the law and it is not a regulation, and should not be enforced as such. The Administrative Procedures Act exists for a reason, and if HHS wants to draft binding regulations, there's a way to do so, and HHS should follow the rules.
[ Thursday, April 05, 2018 ]
State Data Breach Notification Laws:
Jeff [2:47 PM]
Well, in late March South Dakota made it 49, and effective June 1, Alabama will be the 50th state with a data breach notification law. There's still talk about a national law, but personally, I think this is something we should let the states handle on their own.
Remember, if you have an incident that might be a HIPAA breach, you also need to consult state law; an incident could be either a HIPAA breach or a state breach, or both, or neither. The analysis is similar, but not the same.
UPDATE: Shoulda given a hat tip to Ron Holtsford in Alabama for the heads up; I missed them both in the flurry that was the end of March.
Virtua (NJ) Breach:
Jeff [2:42 PM]
A bad server setup by a transcription company business associate resulted in a $400,000 state fine for a New Jersey medical group.
[ Tuesday, March 20, 2018 ]
Which will leave South Dakota:
Jeff [1:35 PM]
Alabama is about to be the 49th state with a data breach reporting statute.
[ Thursday, March 08, 2018 ]
Not slowing down:
Jeff [4:56 PM]
The seeming slowdown of OCR prosecutions of HIPAA breaches is just that: seeming. At least that's what OCR is saying.
Jeff [4:54 PM]
The NY insurer conducted a mailing that exposed beneficiaries' social security numbers, and was fined $575,000. Not by OCR, but by the NY Attorney General. EmblemHealth has not been punished by OCR (at least not yet). What to make of this? Kirk Nahra has some thoughts.
[ Tuesday, March 06, 2018 ]
Forecast for HIPAA Enforcement in 2018:
Jeff [10:10 AM]
A little bit of navel-gazing by David P. Saunders of Jenner & Block. I don't disagree, but however you slice it, the sample size is just too small. One thing that won't change -- the size of the fines: they'll still stay huge, at least for entities that can afford them (that's my prediction, for what it's worth).
[ Friday, March 02, 2018 ]
Aetna HIV Mailing Case (and the missing BAA):
Jeff [1:15 PM]
I was just reviewing the complaint in the countersuit filed by the mail service vendor, KCC, against Aetna (in preparation for my HIPAA breach presentation at the UT Health Law Conference in Houston April 6-8 [y'all come; tell me you read this, and I'll buy you a drink!]), and found something interesting on page 15. As you may recall, Aetna hired KCC to send a mailing to a bunch of HIV patients, and the letters went out in "window" envelopes, so that some of the print on the content of the letters (presumably the patient name and address) shows through the cellophane window. However, the mailing was poorly configured because instead of simply the patient name and address showing, information relating to the patient's HIV status also showed through. Well, it looks like Aetna did NOT have a BAA in place with KCC.
That could be huge.
[ Monday, February 26, 2018 ]
Good: Hospital terminates snooping employees
Jeff [8:03 AM]
The best way to keep employees from snooping and otherwise violating HIPAA is to make an object lesson out of those who get caught. Insidious little transgressions tend not to be repeated if it's known that you'll get fired for it.
[ Wednesday, February 14, 2018 ]
Jeff [1:10 PM]
A bankrupt company can still be stuck with a HIPAA fine, as Filefax found out.
[ Thursday, February 08, 2018 ]
Aetna HIV mailings:
Jeff [1:13 PM]
When the sh*t hits the fan, it splatters everywhere. Aetna agreed to about $20 million in fines and damages, sued its claims administrator KCC, who in turn counterclaimed against Aetna, claiming that Aetna's attorneys, Gibson Dunn & Crutcher, bear responsibility too.
[ Friday, February 02, 2018 ]
HIPAA and Law Enforcement:
Jeff [11:07 AM]
I recently recorded a webinar on the impact of HIPAA on police efforts to obtain medical information. HIPAA doesn't prevent the administration of justice or prohibit the police from doing their job, but it does set out parameters and rules. It's wise for both the law enforcement community and the medical community to be aware of those rules.
If you click on the link to register, I think you get a 50% discount.
[ Thursday, February 01, 2018 ]
Jeff [1:44 PM]
The dialysis provider had a bad year in 2012: 5 different data breaches from lost or stolen computers and hard drives. What links 5 separate breaches? Bad risk analysis, naturally. The result? A $3.5 million fine. And think, barely 500 individuals were affected. Could've been a lot worse.
[ Tuesday, January 30, 2018 ]
Jeff [10:07 PM]
So, after a weekend of DissentDoe and me talking about how a ransomware attack should not be automatically considered a reportable breach, OCR releases a Cyber Extortion Newsletter, and doesn't repeat that ransomware is presumably a breach. Maybe they've been listening. . . .
[ Friday, January 26, 2018 ]
Allscripts Ransomware Update:
Jeff [12:57 PM]
Now, a class action lawsuit has been filed. This class action might actually hold water -- Allscripts' 1,500 customers apparently did suffer delays and business interruptions, for which actual damages might be fairly easily provable. In most breach class action cases, most members of the "class" can't show any actual monetary damages: if nobody steals your identity or ruins your credit, even though they might have tried or had the ability to do so, you've got no damages. It's hard to maintain a class action if you can't show damages across the whole class of plaintiffs.
The damages in the Allscripts case might, though, be "consequential," rather than direct. If so, then the Allscripts customer contract might contain a liability limitation that would keep those damages from being recoverable. But that's all just guesswork on my part.
[ Friday, January 19, 2018 ]
Jeff [12:33 PM]
This time a bigger target (Allscripts), but apparently not a big impact. Presumably that's because Allscripts was prepared for it.
Take this as a reminder: if you haven't prepared for a ransomware attack, be prepared to be asked why if it happens and you suffer a HIPAA breach. At this point, the possibility of a ransomware attack should be part of your risk analysis.
[ Wednesday, January 17, 2018 ]
Your 2018 Privacy and Security "To Do" List:
Jeff [4:57 PM]
This is a great little checklist from Kirk Nahra at Wiley Rein. There will be few if any businesses that will have to address each item on this list, but virtually every business will have to deal with at least one of them. And pay particular attention to the passages in italics, which are most important and nearly universal.
[ Monday, January 15, 2018 ]
Ransomware in Indiana:
Jeff [2:27 PM]
Hancock Regional Hospital in Indiana was hit by encryption ransomware. No word yet on how they are recovering, or what the ransom amount was (they didn't pay, so presumably they were able to recover from backups). More here.
UPDATE: Apparently, they did pay: $55,000.
Jeff [2:23 PM]
Oklahoma State's Center for Health Sciences in Tulsa got hacked, resulting in about 280,000 names and a limited amount of other information. Not likely a big risk to those involved.
[ Friday, January 12, 2018 ]
Coplin Health (West Virginia):
Jeff [1:34 PM]
Another stolen laptop, another breach notification to 43,000 patients. They don't even know if the laptop had any PHI on it (it might not have). And it was password protected, reducing the likelihood of harm even further. BUT, it was not encrypted. Hence the report and the bad publicity.
Jeff [10:45 AM]
The CT Supreme Court has established, for the first time in the state, a physician's common law obligation to protect the confidentiality of patient records. Most states have either a common law right to confidentiality or a statutory one, but a lower court noted that neither had been established in Connecticut until now.
The case involves a HIPAA violation, and a patient's lawsuit against an Ob/Gyn practice for disclosing the patient's records to a probate court pursuant to a subpoena. HIPAA does allow disclosures of PHI under subpoena in certain circumstances, and it's not entirely clear here whether all of the HIPAA requirements were met; however, the plaintiff's claims for a HIPAA violation were immediately tossed out because there is no private cause of action for a HIPAA breach. In other words, even if a medical practice blatantly breaches HIPAA and discloses the patient's data, the patient cannot sue the medical practice for the HIPAA breach.
The patient can potentially sue the medical practice under some other grounds, specifically for failure to comply with state statutory or common law privacy obligations. In this case, the lower court correctly noted that there is no established privacy obligation in Connecticut; the supreme court, however, reset the table.
No, this isn't exactly right. Connecticut citizens cannot sue for HIPAA breaches. They can sue for breach of confidentiality of medical records. There is overlap between those two things, but they are not contiguous or equal.
[ Wednesday, January 10, 2018 ]
Florida Medicaid Agency Data Breach:
Jeff [4:19 PM]
Apparently someone at the Florida Medicaid agency, the Florida Agency for Health Care Administration, got phished, and data for 30,000 Floridians was exposed.
New Privacy Officer at ONC: After a week or so of news highlighting how long the job has been vacant and whether it's even relevant any more, HHS' Office of the National Coordinator for Health IT has announced Kathryn Marchesini as their new Chief Privacy Officer.
Jeff [2:21 PM]
Costs of Producing Medical Records:
Jeff [1:04 PM]
A medical record document production company has sued HHS to challenge its rules on the ability of a healthcare provider to charge patients for copies of their medical records. It will be interesting to see how this plays out.
Charles River Medical Associates (Massachusetts):
Jeff [9:11 AM]
This radiology group lost a hard drive containing the bone density scan PHI of almost 10,000 people. Where'd it go? Who knows. Will the data fall into the wrong hands (and if it did, would it harm anyone)? Unlikely. Will CRMA get fined? Maybe (especially if, "upon further review," it becomes clear that the group didn't have good HIPAA policies and procedures and didn't do a good risk analysis). Would we even know about this if the drive was encrypted? Nope.
Folks, encrypt data at risk. Is it required? No. Then why should you do it? To save yourself a report and a fine, not to mention better protecting your patients' data. Aren't you here to serve them?
Am I asking too many questions?
[ Thursday, January 04, 2018 ]
EHR News: eClinicalWorks sued again:
Jeff [2:12 PM]
Another class action lawsuit has been filed against EMR provider eClinicalWorks. This suit claims that eClinicalWorks' EMR system fails to meet the requirements for "meaningful use." CMS pays providers such as medical practices and hospitals financial benefits if they adopt and implement electronic medical records and other technology in such a manner that the provider becomes a "meaningful user" of electronic medical record technology. The providers must attest to CMS that they have done the things necessary to meet the "meaningful use" standards. In this case, the providers claim that eClinicalWorks does not provide all of the necessary services to meet the "meaningful use" standard. eClinicalWorks paid a $155 million fine last year when the Department of Justice sued directly for its EMR shortcomings.
The earlier class action lawsuit claims that eClinicalWorks' EMR failed to accurately portray a patient's medical record, and the patient died because of the EMR's failure.
[ Wednesday, January 03, 2018 ]
SSM Employee Acting Badly:
Jeff [1:52 PM]
A customer service employee at SSM Health accessed about 29,000 patient records, apparently looking for St. Louis-area patients who had narcotic prescriptions. Presumably, he'd use those patients' data to get drugs him/herself, either for personal use or for resale. Clever, really. But obviously illegal.
[ Tuesday, January 02, 2018 ]
21st Century Oncology:
Jeff [10:57 AM]
An oncology practice with offices in 17 states and 7 Latin American countries has paid $2.3 million for HIPAA violations. The FBI found their patient files on the dark web; apparently someone was able to access their SQL database remotely and extracted data on 2,213,597 patients, including social security numbers. Not sure if the breach was the cause, but 21st Century Oncology filed for bankruptcy back in May.
What's the actual HIPAA breach? Lack of a good risk assessment, failure to implement proper safeguards, no regular review of audit logs, and failure to have appropriate BAAs. The first and last are by far the most common causes of HIPAA breaches, and the 2nd and 3rd could have been prevented if the first had been done reasonably well.
When was your last serious risk assessment?
[ Friday, December 22, 2017 ]
Chilton (NJ) Medical Center:
Jeff [4:58 PM]
Employee steals hard drive and sells it on the internet. 4,600 people impacted.
Banner (Arizona) Breach:
Jeff [4:56 PM]
You may recall a year and a half ago, Banner Health's Arizona facilities suffered a mostly-non-HIPAA data breach: specifically, hackers got into Banner's point-of-sale payment card processing system at its snack bars and cafeterias. The hackers eventually got into some Banner servers containing PHI. But it was really more a Home Depot type breach than an Anthem type breach.
A class action lawsuit was filed against Anthem, based on a handful of causes of action, including breach of contract by Banner for failing to provide protections of employee data as described in Banner's employee handbook. The class action judge has just thrown out several of those claims, including the employee handbook claims. But she has let the class action continue on unjust enrichment (Banner didn't spend as much on data security as it should have, and that savings unjustly enriched Banner at the expense of the victims of the hack), negligence (Banner had a duty to protect the data, failed at that duty, and caused damages), and violation of Arizona's Consumer Fraud Act.
The judge did find that at least 2 plaintiffs did suffer damages that "would not have happened but-for" Banner's inadequate data security. However, the class-action plaintiffs are not out of the woods yet. Will all the class participants have similar damages? Are they all similarly situated? Is the heightened risk of identity theft actual harm, if the identity theft never occurs? I would guess we will have to have the Supreme Court determine that.
Some Good Breach News:
Jeff [3:35 PM]
The number of data breaches in the healthcare sector continued to rise in 2017 over prior years, but the number of records impacted fell. Thus, fewer overall individuals were impacted, and fewer of the massive breaches we've seen in prior years.
[ Wednesday, December 13, 2017 ]
Jeff [7:22 AM]
The city had some sort of program providing services to citizens with HIV, and after the program terminated, the city shared information on 200 HIV patients with the University of Southern Maine to help determine if there were gaps in the way it provided the services, or if it could have operated the program better.
The city claims the data sharing did not violate HIPAA because it was for research purposes, and it may be right, but probably only if USM had an independent review board determine that the university program had enough protections in place that patient authorization was not required.
Nevertheless, the city has apologized. Perhaps not illegal, but perhaps not a good idea either.
[ Thursday, December 07, 2017 ]
Henry Ford Hospital Breach:
Jeff [12:58 PM]
Someone apparently phished the email credentials of multiple employees. No word yet on what was accessed or if any of it was used inappropriately.
An Unintended Consequence of Data Breach Reporting? Patients are more and more reluctant to share PHI with their own providers.
Jeff [10:37 AM]
I've said many times that privacy exists on a continuum, particularly in regards to health information. On one end, you have perfect privacy, but that means no one (not your doctor, not your spouse, not your friends) has access to your health information. Obviously, the privacy is perfect, but you won't get healthcare unless you can do it yourself. At the other end is zero privacy: everyone knows every medical fact about everyone else. Here, you'd get great healthcare, since you could compare everyone's treatment experience to determine what would be best for you. And think of how far medical science could go with all that data.
At one end, great privacy and lousy healthcare; at the other, great healthcare but lousy privacy. I don't know about you, but I don't want to be at either end; I want to find the happy medium.
That's something healthcare regulators need to think about. Forcing the publicization of inconsequential breaches instills a false sense of risk and danger that is often more dangerous than the risk of harm from the breach itself.
[ Tuesday, December 05, 2017 ]
New from OCR:
Jeff [3:33 PM]
Five steps to prevent insider data breaches.
[ Tuesday, November 28, 2017 ]
Jeff [11:16 AM]
I'm not technologically knowledgeable enough to know if this is a big deal or not, but if you use OpenEMR, you should definitely have your IT staff take a look at whether this alleged vulnerability might affect you.
[ Sunday, November 26, 2017 ]
Are Changes Coming to the Wall of Shame?
Jeff [11:24 AM]
HHS is considering shortening the listing period, and might make other changes. The website is a required element of the HITECH Act, so they can't delete it entirely. But they could (and probably will) make some changes. In addition to shorter listings, perhaps only including listings where the reporting entity was at fault, or at least allowing the entity to defend itself, would be useful improvements.
[ Wednesday, November 22, 2017 ]
Jeff [11:15 AM]
Thanksgiving is a good time to think about cybersecurity. Some great tips here.
[ Thursday, November 02, 2017 ]
CyberThreat Information Sharing:
Jeff [2:32 PM]
HHS is publicly urging healthcare industry participants to actively share cybersecurity threat information. Basically, they're urging healthcare players to utilize the benefits provided by CISA (the Cybersecurity Information Sharing Act of 2015) to allow threat information to be publicized across the industry, so players can respond and protect themselves and others. Not a bad idea at all.
[ Thursday, October 26, 2017 ]
Medical Device Cybersecurity:
Jeff [1:30 PM]
I tend to prefer an industry-driven approach, like the House bill, over a top-down approach like the Senate bill.
[ Thursday, October 12, 2017 ]
Cloud-Based Blood Testing Information Breached:
Jeff [12:04 PM]
An Amazon cloud data repository for blood testing data managed by Patient Home Monitoring was not configured correctly, and a tech security company came across it. 300,000 PDFs accounting for about 150,000 people. Oops.
Using the cloud is OK, but only if you do it right. Be careful . . . .
[ Wednesday, September 27, 2017 ]
Jeff [12:45 PM]
Don't forget to vote for me for best "niche" legal blog. You can go vote here.
Jeff [12:36 PM]
I'm not surprised, actually: This is a frightening headline: 73 Percent of Medical Professionals Share Passwords for EHR Access. If you're a medical resident, you used the attending's login information with the attending's consent.
So, it happens. A lot. But not a lot of bad comes out of it, since most (maybe virtually all) medical professionals do the right thing: access only what you need, access only for legitimate purposes, etc.
Still, even residents should have their own login information. You can't audit access if you have password sharing. And if something does go wrong, it could go very, very wrong, and it would be awfully difficult to fix post-facto.
Maybe it's really time for two-factor authentication in many more places.