HIPAA Blog

[ Monday, August 14, 2017 ]

 

Women's Health Care (PA): A large Philadelphia-area ob/gyn practice has notified 300,000 patients of a potential data breach.  Not much news on what happened, but it was apparently a hack that penetrated the group's computer system; they don't know for sure if information was actually viewed or extracted, but the information subject to potential breach did include social security numbers (bur apparently not much medical information).  The report mentions backups, which makes me think this was probably a ransomware incident.  The breach started in January 2017 but wasn't discovered until May 2017, but notifications didn't go out until July 2017 (interestingly, in March the group merged with a NJ group to become the largest ob/gyn group in the country, now known as Axia Women's Health.

Jeff [10:24 AM]

[ Wednesday, July 26, 2017 ]

 

Wall of Shame: OCR is updating its large data breach reporting website.

Jeff [2:07 PM]

[ Thursday, July 20, 2017 ]

 

Peachtree Neurological (Atlanta): Peachtree Neurological was hit with ransomware recently.  Fortunately, (i) they were able to restore their systems without paying the ransom, and (ii) there was no evidence that the ransomware exfiltrated any data, thus likely giving them a good reason to determine that the ransomware incident did not constitute a reportable breach (yes, OCR, I'm talking to you).

However, in the course of investigating and responding to the ransomware attack, Peachtree uncovered a more unfortunate fact: some hacker had been camped out in their data for over a year.  It does not look like they are able to tell what was accessed or if anything untoward was done, or if the hacker just had access and never did anything.  But while the ransomware might not be reportable, this one pretty much definitely is.  

Jeff [10:36 AM]

 

Petya: More on the ransomware virus that disproportionately hit healthcare entities.  

Jeff [10:25 AM]

[ Thursday, July 13, 2017 ]

 

University of Iowa: Seems like a pretty minor breach, but some names, admission dates, and medical records were available online.  

Jeff [12:29 PM]

[ Wednesday, July 12, 2017 ]

 

Employee Snooping Draws Criminal Charges (St. Charles Health System, Oregon): A nursing assistant looked at about 2,500 patients records; no identity theft or fraud, apparently just idle curiosity.  However, she's being charged with misdemeanor computer crimes.  Sounds about right -- nice to make a point of how she's dealt with, but not punishing her unnecessarily harshly.

Jeff [6:16 PM]

[ Friday, June 30, 2017 ]

 

Petya Cyberattack: A rural West Virginia hospital is one of the headline victims of the most recent ransomware iteration, known as Petya (which follows closely on the heels of WannaCry, which had a built-in escape hatch that prevented it from causing too much damage).  How do you protect yourself:

Don't pick up the virus.  Easier said than done, but you can go a long way just through education of your staff.  Almost all of these ransomware attacks come via phishing emails.  Don't click, and teach your staff not to click.

Be prepared in case you get hit.  If you do pick up the virus (and even the best-protected businesses could be a victim), there's still hope, as long as you're prepared in advance.  That means you should do the following ASAP:

  1. Have good, constant, regular and redundant backups.  If you're hit by ransomware and all your data is encrypted, but you can pull an exact second copy of the same data off the shelf, all the cyberattack will cost you is time and a little frustration.  But make sure your backups are structured so that you don't end up deleting a good backup and making a backup of your already-encrypted data.
  2. Practice patch management.  Some viruses are "zero-day" viruses, and you might be unlucky to get hit through a vulnerability that hasn't been patched yet.  That is extremely, extremely unlikely, but if it happens, you should still be OK if you've done good backups.  Most likely, there is a patch available for whatever vector the next ransomware wave exploits, and if you install patches regularly and aggressively, you'll likely avoid being a victim.
  3. Map your network.  If you get hit, you'll need to find out where it came in so you know where to start the cleanup.  But before you get hit, mapping might uncover some breaches in your defenses that you can fix now, and that, in and of itself, might prevent you from being victimized.
Be careful out there, and be prepared.  

Jeff [10:03 AM]

[ Monday, June 26, 2017 ]

 

Anthem Breach: Remember the 2015 Anthem breach?  The one with up to 80 million individuals' information compromised?  The one where we think the Chinese were involved, and they got the IT folks to give up their credentials and got sysadmin privileges, so encryption wouldn't have even mattered?  Yeah, that one.

Well, Anthem has agreed to settle the lawsuit for $115 million.  Of course, that's a private lawsuit, rather than regulatory action, so there could be some additional payments by Anthem, but this is likely the biggest part.  

Jeff [1:22 PM]

[ Wednesday, June 14, 2017 ]

 

Wall of Shame: Apparently OCR is considering some changes to the website listing of all large breaches, based on concerns expressed by a congressman (who also happens to be a doctor) that the listing is too punitive to entities that did no wrong but had to report anyway.

Jeff [2:24 PM]

 

St. Luke's-Roosevelt's Faxing Problem: An NYC hospital has been fined $387,000 for two misdirected faxes.  That's a big fine.  Why?

Three reasons: One, all fines are big these days.  OCR still feels it needs to make an impression, and if you've done wrong and get caught, you're going to pay in a big way.  Two, the PHI that was disclosed, and whom it was disclosed to, were pretty egregious: it was HIV and STD information (and mental health status), and it was faxed to the patients' employer in one case, and to the organization the patient volunteered for in the other.  Three, it happened twice.  The case that generated the complaint was the second time a fax had been misdirected, and St. Luke's didn't fix the issue the first time around.

Doing a risk analysis is the thing everyone must do.  If you never have a problem, good; just keep re-analyzing on a regular basis, and maybe you'll continue to be so fortunate.  But if you do have a problem, treat is seriously and fix it.  Give it the attention it needs.  Deal with it.  Not even OCR expects you to be perfect, and they know mistakes will happen even to the most prepared entity.  But you don't get more than one bite at the apple.

Jeff [11:36 AM]

[ Monday, June 12, 2017 ]

 

Hospital Cybersecurity in Critical Condition: So says a report by HHS' Health Care Industry Cybersecurity Task Force.  Not particularly surprising.

Jeff [7:32 AM]

[ Tuesday, May 30, 2017 ]

 

Molina, AZ Health Dept Breaches: Molina Healthcare, a big player on the insurance exchanges established by the ACA, has reacted to word from Brian Krebs, cybersecurity expert, that their patient portal has some problems.

Additionally, the Arizona Department of Health Services has reported a possible breach due to some lost mail. 

Jeff [11:57 AM]

[ Monday, May 15, 2017 ]

 

Memorial Hermann: Memorial Hermann in Houston had a patient who used a fake ID to get services; the staff called the cops, who arrested the patient.  Apparently, the patient was an illegal immigrant (undocumented alien, if you wish, but being an undocumented alien is against the law, hence the word "illegal").  If I recall correctly, Memorial Hermann got hammered in the press for "reporting" this illegal alien who was only trying to get healthcare (actually, steal healthcare by using someone else's ID, but let's not quibble).  Memorial Hermann responded to the bad press by issuing its own press release, which (again, if I'm remembering correctly) actually was pretty apologetic about calling the cops on someone who was actually committing a crime.

However, Memorial Hermann put the patient's name in the press release.  In fact, they put it in the title of the press release.  Sure, they were responding to news reports that had already identified the patient, so disclosing the patient's name didn't increase the stakes any.  But, that's still a HIPAA no-no.  And they have been fined, big-time: $2,400,000.  As the HHS release notes, providing the name to the police was A-OK.

Lesson here: don't name patients if you don't have to.  Be extremely careful in responding to bad news or bad reviews -- you can make general pronouncements, but you can't identify individuals.


Jeff [12:04 PM]

[ Monday, May 01, 2017 ]

 

Connecticut Case on Patient-Physician Confidentiality: Interesting case, but probably not specifically HIPAA-relevant.  HIPAA allows disclosure of PHI under non-judicial subpoenas, as long as "reasonable assurances" are received.  It's unclear whether they were in this case, but it's also unclear if there's any HIPAA component to the case at all at this point, given that this is the second trip to the Supreme Court for these litigants.

I do, however, take exception to the comment that "HIPAA is irrelevant."  HIPAA may be many things, but it never is irrelevant.

Jeff [12:14 PM]

[ Wednesday, April 26, 2017 ]

 

Maine Psychiatric Center: Sorry, I've been busy recently and haven't had the chance to blog about this; still don't, really, but need to get something out there.  Thanks to @DissentDoe for taking the lead on this (if you're on Twitter, read me and don't read her, you're missing out).

When it comes to HIPAA data breaches and the "what's the worst thing that can happen" standard, this is probably it: hackers attacked and sold on the dark web the personal information of 4,000 patients at Behavioral Health Center in Maine.

If you deal with PHI, you're legally and morally obligated to protect that data, no matter how trivial.  Particularly sensitive data doesn't get stricter treatment under the law, but it should under any moral decision-making process.

Please do a risk analysis.  That's the lesson from the last few weeks of breaches and settlements.  Do it.

Jeff [10:00 AM]

[ Tuesday, April 25, 2017 ]

 

"First Ever HIPAA Settlement with a Wireless Health Service!"  Feh.  This is just an unencrypted laptop theft by someone without a good Risk Analysis story to tell.

CardioNet provides remote monitoring of patients with severe arrhythmia.  An employee had her laptop stolen from her car.  It had PHI of about 1400 patients on it, and was not encrypted.  Fail.

CardioNet had done some form of risk analysis, and had some risk management policies and procedures drafted up, but never finalized them.  Also, they couldn't produce final policies and procedures for any safeguards.  Fail again.

Net result: $2.5 million.  That's real money, folks.

That being said, "wireless" is a red herring.  They could've been a brick and mortar business and still lost an unencrypted laptop.  Being a wireless company is just coincidence.

Jeff [2:24 PM]

[ Friday, April 21, 2017 ]

 

It's Hard to Violate HIPAA When You're Not Covered By It: A New York trial court has ruled that the New York Organ Donor Network can't refuse to hand over records to a whistleblower because of HIPAA.  A disgruntled ex-employee, who claims he was fired for whistleblowing, is seeking records from the Donor Network, which sought to avoid discovery of the records due to HIPAA.  The trial judge denied their motion for failing to identify a federal or state regulation that would prohibit disclosure.  The Donor Network is not a HIPAA covered entity nor it is a business associate; therefore, structurally, it is not subject to HIPAA, and can't use HIPAA to refuse to disclose data that is discoverable in litigation.  Nor did the court accept the Donor Network's argument that even though it's not a HIPAA-covered entity, the information is sensitive and should not be revealed.

Jeff [1:32 PM]

 

A Small Fine: OCR announced one of their smallest HIPAA fines yesterday.  Center for Children's Digestive Health, in suburban Chicago, agreed to pay a $31,000 fine for failing to have a BAA in place with its document management and destruction company, FileFax.  The press release indicated that the investigation started with an "investigation of a business associate," which is presumably FileFax.

Given the timing (the CCDH investigation started August 2015), it's likely that the entire matter started in February 2015, when someone went dumpster-diving to collect paper to sell to a recycler.  The paper included a lot of medical records from Suburban Lung Associates, another Chicagoland healthcare provider.  The recycler let the Illinois AG know, who started an investigation of Suburban Lung, which led to the provider's document management vendor, FileFax.  Presumably, OCR was notified and commenced an investigation of FileFax, which led them to discover CCDH as another FileFax customer with no BAA, despite the fact that CCDH had used FileFax since the beginning of the HIPAA era.

I suspect that no PHI from CCDH was known to be improperly disclosed by FileFax, so there's a "no harm" element here that kept the fine down.  I also suspect that CCDH has good HIPAA policies and procedures, cooperated fully with OCR, and quickly resolved any outstanding HIPAA violations.  This could also be an indication that OCR is interested in some "commodity" style enforcement actions: instead of rare but huge fines for egregious breaches, OCR may be looking to increase the number of settlements while reducing the dollar amounts, to encourage resolution of existing cases and increase compliance by making the possibility of a fine more likely, even though the dollar amount would be lower.  $30,000 still stings for a small business.



Jeff [1:25 PM]

[ Thursday, April 13, 2017 ]

 

Metro Community (Colorado): A federally-qualified health center falls victim to a phishing attack.  The attack is not their fault, and they respond appropriately.  All good, right?

Wrong.  Even though they did nothing wrong here, they had never done an initial risk analysis.  They did a risk analysis after the phishing attack; apparently, even if they had done it before the attack, they still likely wouldn't have been able to prevent the attack.  But . . .

HIPAA required them to do a risk analysis.  That requirement has been in place since 2005.  Even though the lack of a risk analysis wasn't the cause of the breach, the breach revealed the lack of a risk analysis.

And that's a $400,000 fine.  OCR even mentions that the fine takes into account the financial situation of Metro Community, which primarily provides care to the poor and underserved in Denver, which means that the fine would likely have been 7 figures otherwise.

Moral of the story: DO A RISK ANALYSIS.  Seriously.  It's highly likely that I would not know the name of Metro Community today if they had done a risk analysis a year or two ago.

Jeff [2:42 PM]

[ Monday, April 10, 2017 ]

 

Doctors and Bad Yelp Reviews: Well, Yelp isn't the only one.  There are quite a few social media sites that allow customers to post reviews of businesses.  What happens when a reviewer posts a bad review?  What can the business do?

In some cases, the business can sue the reviewer, particularly if the business can prove that the review is false.  In fact, that just happened in respect to a couple of jewelers in Massachusetts, where a jewelry store worker wrote a bogus bad review of a rival jeweler.

But it's a lot more difficult for a business owner to fight a bad review if the business is a HIPAA covered entity.  While a patient is free to discuss his PHI whenever, wherever, and however he wants, the doctor can't use or disclose any PHI in response; the fact that the patient put the information out there first doesn't change that.

So what can a provider do?  Here's a good article with a few good tips.

I'd also add that you can respond directly on the rating site, but need to do so in a way that does not disclose PHI.  For example, if a patient complained (falsely) that she was not allowed to sit in on her 12-year-old's exam, the practice could respond as follows: "While HIPAA prohibits me from discussing any patient specifically, I can say that it is the policy of this practice that we do not provide medical exams to patients under the age of 16 without the parent being in the room.  I have reviewed the medical records from all visits to the practice by patients under 16 during the past six months and have not identified any patients under 16 who were seen without a parent in the exam room."  This does not disclose any PHI, but does allow the practice to make a general defense of itself.

Jeff [4:33 PM]

[ Friday, April 07, 2017 ]

 

Has Health IT's Rapid Growth Rendered HIPAA Obsolete?  Of course not.  HIPAA is, at its root, conceptual; no new healthcare delivery systems, and certainly no change in technology,  can surplant the basic concepts of HIPAA: health data is only worthwhile if it is used, but it is also private and deserves privacy and security; health data should not be used or disclosed except for proper purposes; even though proper uses and disclosures are permitted, individuals retain all other rights in their own health data; and parties that rightfully have access to or possession of health data have certain responsibilities to establish structural safeguards to prevent improper uses and disclosures.

Specific uses, specific rights, and specific safeguards may change, but those fundamentals remain, and the beauty of HIPAA is that its current structure, with scalability and technological and operational neutrality baked in, need not change to accommodate those changes. 

Jeff [12:52 PM]

 

A question from the audience:

Q: At our group therapy counseling sessions, we have the clients sign in on a sign in sheet that is passed around once group therapy starts. No one but the clients in group, the therapist, and the billing department sees the sign in sheet. We are required by the state agency we serve to have a sign in sheet, and since we bill insurance, we need to be able to provide documentation for insurance purposes (proving the patient attending the group therapy session, in case we get audited). The sign in sheet asks for client's initials, DOB, and time in and out of group, and has to be signed by the person so it is authentic and can't be said it is forged. A client in group, who is a lawyer, stated this was a breach of HIPAA.  Is it?

A:  It’s group therapy; doesn’t person A know the name (or initials) of person B and person C, without seeing it on the sign-in sheet?  Don’t they know when the person came into the room and left the room?  I guess person A now knows the age person B, and what their signature looks like, but the real PHI here is the fact that persons B and C are getting therapy, and person A already knew that, since it's group therapy!

Sign-in sheets and waiting rooms are always places where PHI can be inadvertently disclosed.  Some person’s presence in a waiting room gives you some implicit information about their health condition, which means that every waiting room in the world is a potential HIPAA violation.  So what’s the answer?  No waiting rooms?  Make the waiting room so dark nobody can see who else is in there?  Hand out Halloween masks to everyone when they come in so nobody can recognize anyone else?  Obviously, that’s silly.  And it’s even sillier when the patients in the waiting room then go into a group healthcare session together, where they get to know even more PHI about each other.

Instead, a covered entity medical provider should do what it can to minimize disclosures in the waiting room, while recognizing that some amount of disclosure is naturally going to occur.  Sign-in sheet should not have any information that’s not necessary, like addresses, social security numbers, or diagnosis/medical complaint information.  When calling patients from the waiting room, staff should use the minimum information (say “Mr. Prescott?” when calling the patient in, not “Dak Prescott, quarterback for the Dallas Cowboys, we’re ready to give you your treatment for your embarrassing STD”).  But none of that would make much of a difference when a group of folks in the waiting room all come in together to get their healthcare services as a group, where all the same information (and much more) is going to be shared anyway.

Given that, it sounds like you are keeping the sign-in sheets to the minimum information.  However, if you want to be overly sensitive, you could have each group therapy member sign a separate sign-in sheet with the same information (initials, DOB, in/out time, signature), so that nobody sees anyone else’s PHI.  But I don’t think that’s really necessary, if the information is going to be shared in person anyway.

Jeff [11:24 AM]

[ Monday, March 20, 2017 ]

 

Well, this is embarrassing: Cybersecurity contractor hit by W2 phishing scam.  

Jeff [3:04 PM]

[ Thursday, February 23, 2017 ]

 

Interesting Question: HIPAA lawyer Adam Greene was interviewed at HIMSS, and noted that HHS is close to publishing the regulations implementing the HITECH revisions that allow affected individuals to get a share of the fines levied by OCR.  As you should know, there's no private cause of action for a HIPAA violation, so unless a victim of a data breach can prove damages in a regular tort claim lawsuit (which is usually hard to do in a data breach case), there's no financial recovery for them.  Only OCR can get money for a HIPAA breach, by fining the breaching entity.

HITECH included a provision, ostensibly to tweak up enforcement actions, that would allow affected individuals to share in the fines levied by OCR.

Will the fact that an individual can get part of a HIPAA fine mean that data breach class actions will be easier to bring?  Adam asks, "if [a person] is considered a harmed individual under HIPAA, should we consider them harmed for other purposes, too?"  Many lawyers have tried bringing class action lawsuits for data breaches, but generally they fail because it's too hard to prove that the victims are actually damaged: someone might use your data, or they might not; if they do, the credit card company might not hold you liable, so you have no damages; and until you can show actual damages, you don't have "standing" to pursue your own legal action, much less a class action on behalf of all of the victims of the same breach.  This inability to prove harm prevents the class action from holding.

I don't think Adam's point will come to fruition.  Getting to share in the fine doesn't mean you are harmed, necessarily, or at least not in the way of actual monetary damages.  Whistleblowers get a piece of the recovery in a Qui Tam case for Medicare fraud, for example, even though they couldn't be plaintiffs directly since they aren't directly harmed by Medicare fraud.  I think HIPAA breach victims who get a share of the fine will be more like Qui Tam whistleblowers, and less like "harmed" individuals with standing to bring a class action.  But we will see. . . .

. . . . whenever the regulation is actually published.  THAT will get a blog post out of me.

Jeff [1:46 PM]

[ Wednesday, February 22, 2017 ]

 

2 Healthcare Data Breaches up 40%, Affect 25% of Consumers: According to the Identity Theft Research Center, Healthcare represents one third of all data breaches, and the number of reported breaches has risen from 780 in 2015 to 1093 last year.  Hacking, physical theft of data, and employee error have been leading causes, but expect phishing to be the next big winner.

 Meanwhile, an Accenture survey shows that healthcare consumers have a one in four chance of having their health information stolen and becoming a victim of identity theft.  Only a third of victims were notified by the healthcare entity that suffered the breach (hospitals lead the list, followed by urgent care centers, pharmacies, physician offices and insurers); half of victims found out themselves by looking at their credit reports, and the remainder were notified by a governmental agency.

Jeff [12:20 PM]

[ Friday, February 17, 2017 ]

 

Another Day, Another Monster Fine: This time it's Memorial Healthcare System (Florida), with a $5.5 million fine for not following access controls and allowing terminated employees to continue accessing medical records after being terminated.  They had policies and procedures to terminate access, but dropped the ball with that employee, who kept accessing records for a year (I suspect the former employee was stealing identities, too).  To compound matters, they didn't audit access; if they had, they might've caught the former employee before too many records were accessed.

This is a big fine.  These days, they all are.  Time to get serious.

Jeff [12:46 PM]

[ Tuesday, February 14, 2017 ]

 

On the News: Some dude talking about HIPAA and misdirected faxes.

Jeff [2:47 PM]

[ Thursday, February 09, 2017 ]

 

Interesting case, wrong conclusion: University of Pittsburg Medical Center suffered a data breach where 62,000 employees' SSNs and tax data were breached, but a Pennsylvania court has determined that as an employer, it has no duty to its employees to protect data.  The article compares it to the Children's Medical Center of Dallas breach, but that's a different kettle of fish: the Children's breach involved patient data, not employees.

Jeff [4:33 PM]

[ Wednesday, February 01, 2017 ]

 

Children's Medical Center of Dallas fined $3.2 Million: Well, this is the first I've heard of this, which is awfully close to home.

Apparently, a lost unencrypted Blackberry in 2009 and a stolen unencrypted laptop in 2013 exposed a failure to implement and follow risk management plans, including the failure to secure and encrypt mobile devices.  Big entities with somewhat obvious problems will result in big fines.  

Jeff [4:31 PM]

[ Friday, January 27, 2017 ]

 

Medical Identity Theft: an Illinois paramedic apparently altered patient records to falsely show that Fentanyl and Morphine were dispensed to patients during an ambulance run, so that he could steal the drugs for himself.  As Kirk Nahra points out in the article, insiders are still one of the biggest threats to an organization.

Jeff [2:37 PM]

[ Sunday, January 22, 2017 ]

 

What's wrong with this picture? Someone stole a USB "pen drive" from MAPFRE Life Insurance Company of Puerto Rico.  The storage device had PHI on it, including names, DOB, and SSN of 2200 people.  No risk analysis, no risk management plan, and no encryption plan.  OCR levied a fine for these HIPAA violations of $2.2 million (which is supposedly "low" because of the tenuous financial condition of the entity).

So, what's wrong?  You should be asking, Hmmm, how come OCR is fining a life insurance company?  That's what I thought, since life insurance companies are not "covered entities" under HIPAA.  Well, there is an explanation: MAPFRE also offers personal and group health insurance plans, thus making it a covered entity.  Mystery solved.  

Jeff [11:33 PM]

[ Monday, January 16, 2017 ]

 

New Year, Recurring Tasks: It's a new year, so that should get you thinking about two things: reporting any "small" breaches of unsecured PHI that occurred during 2016 (you have until the end of February to do so, using the HHS on-line reporting tool) and planning your next HIPAA risk assessment.  You do that annually, don't you?  Of course you do, maybe not at the beginning of the year, but now's a good time to start planning it.

While you're mapping out your risk analysis and getting your ducks in a row, you might want to consider a slightly larger scope to your risk assessment: don't just look for PHI issues, but look for all data concerns.  In that regard, you might want to consider using both the OCR tools as well as the NIST tools.  In fact, here's a good article making that exact point.  

Jeff [3:22 PM]

[ Wednesday, January 11, 2017 ]

 

OCR Announces First Fine for Failing to Provide Timely Notice: As you know, HIPAA requires Covered Entities to notify affected individuals if there is a breach of their unsecured PHI.  Specifically, 45 CFR 165.404(b) requires each affected individual to be notified of the breach "without unreasonable delay and in no case later than 60 calendar days after discovery of a breach."

Presence Health, an integrated healthcare provider in Illinois, discovered that paper surgery scheduling records had gone missing; the surgery schedules contained PHI of 836 individual patients.  The records were noted to be missing on October 22, 2013.  However, notice was not provided to OCR until January 31, 2014 (101 days after the breach was discovered), and individual patients weren't notified until February 3 (104 days after discovery), and the media was not notified until February 5 (106 days after discovery).  Obviously, this caused Presence to miss the "in no case later than 60 days" notification requirement.  Presence blamed the tardiness on miscommunication between workforce members.

OCR noted that each of these tardy reminders is a separate HIPAA violation, and each day beyond the regulatory deadline is a separate violation.  That's at least 131 violations, perhaps more if you count each individual who didn't get a notification as a separate violation.  That's a potential maximum penalty of almost $200 million.  Fortunately, OCR only fined Presence $475,000.

This should be a reminder to covered entities that they are not just obligated to provide notice, they are obligated to provide timely notice.  But what does that mean, really?

Let's unpack a few things from the requirement.  First, you have the question of whether a particular incident is a breach; next, when is it discovered; and finally, who should be reporting it (and how does that impact the question of when it is discovered).  Be aware that the incident is "discovered" for the entity when it's known to a workforce member of the entity or the entity's "agent."

A reportable breach is an unauthorized access, acquisition, use or disclosure of unsecured PHI; however, the definition of breach gives 3 specific exceptions and one general exception (the "low risk of compromise" exception).  That's a whole other blog post, but suffice it to say, you often won't know right off the bat whether you have a "breach" or something that might, upon further investigation, prove to be either a breach or a non-breach.  So, given that, when does the clock start?

I'd say it depends on the incident.  If it's clear that the incident will meet the definition of a breach when the investigation is over, then it's a breach.  If an employee's car is burgled and a laptop containing unencrypted PHI was stolen, you should consider that the covered entity "discovered" the "breach" when the employee discovered the burglary.  On the other hand, suppose you discover a security incident where the IT department discovers some malware that is capable of exporting data, including PHI.  However, you don't have any reason to believe that data has been exported yet.  It takes the IT department (and maybe a forensic vendor) a week to determine that yes, in fact, PHI was exported.  I would argue that the "breach" is "discovered" when the exfiltration is found.  However, keep in mind that the presumption goes to the breach, so (i) your confidence must be very high that the incident will not turn out to be a breach and (ii) your investigation must be swift and thorough.

And, it's useful to point out here that if the IT department discovers the exfiltration, that's the discovery point (because the IT department is full of "workforce members" of the entity; if it's a vendor that discovers it, but the vendor doesn't notify the entity for a few days, the discovery point will be when the vendor discovers if the vendor is considered the "agent" of the entity under federal common law, but will be the date the vendor notifies the entity if the vendor is not its"agent."

That should raise a question in your mind regarding business associates.  As noted above, the reporting obligation falls on covered entities (CEs), and specifically does not fall on business associates (BAs).  However, what if the breach is caused by the BA, or more importantly, what if the BA is the one to discover the breach?  If the BA causes the breach, your BAA should handle how the BA notifies the CE.  (NOTE: if your BAA allows the BA 60 days to notify you, how will you be able to meet the 60-day requirement?)  If the BA discovers the breach, your BAA should also require the BA to notify the CE.  If the BA is an "agent" of the CE, then the CE is imputed to have discovered the breach at the exact time the BA discovered it; if the BA is not considered an agent, then the CE will have "discovered" the breach when the BA informed it, and that's when the clock starts ticking.

This can cause obvious problems.  If the BA takes 3 months to discover the breach and another 3 months investigating it, AND the BA is your agent, then you better be prepared to throw yourself on the mercy of OCR (whatever that is).  And if the BA notifies you that it has determined there was a breach but doesn't know yet whether your patients are involved, you have some issues to consider; if you think all your patients are likely involved, you should consider a preemptive notice to them.  If the BA gives you the names of 100 affected individuals this week and 100 more next week, consider sending notice in waves.  If your BA blows it, it could definitely be you that gets stuck with a monster fine.

This is why your BAAs should be specific on your BA's breach reporting requirements and should pass along the consequences for failure to investigate or notify to the bad-acting BA (i.e., indemnification).  And why you need to be comfortable that your BA isn't an idiot. 

Jeff [6:10 PM]

[ Wednesday, January 04, 2017 ]

 

Non-HIPAA Post: My students all know this, but the pre-existing condition exclusion will not work unless there is a mandate.

Jeff [3:12 PM]

[ Monday, December 26, 2016 ]

 

Section 1557 of the ACA: Notice of Non-Discrimination. I'm going through old emails, and had kept this one, knowing I should make a blog post on it.  This goes on the list of things too many HIPAA covered entities fail to do (like good risk analyses, policies and procedures, etc.).  

This is actually old news, but part of the ACA requires all HIPAA covered entities to notify patients (providers), beneficiaries (health plans), and the general public (everyone) that they don't discriminate.  This specifically requires every covered entity to post a notice that it does not discriminate, in 15 languages.  That's right, 15 languages.  In the overall US, those are Spanish, Chinese, Vietnamese, Korean, Tagalog, Russian, Arabic, French Creole, French, Portuguese, Polish, Japanese, Italian, German, and Persian (Farsi).  BUT, that's not the list; you have to translate into hte 15 most common languages IN YOUR OWN STATE!  Here's a little help for you, courtesy of the AOA.  The AOA webpage also provides a template for filing in a tagline poster, as well as a few states that have already done theirs.  If you've done your own poster, consider sharing it with the AOA. 


The good news is that HHS has provided the form of notice for you.  The bad news is that they are ridiculously disorganized.  If you haven't already done so, go here, and print out all of the notices of nondiscrimination and statements of nondiscrimination, in each language, and stuff them in a drawer somewhere in case someone asks.  Than print out this language, and post it somewhere.  But you also have to put up a poster.  Some companies offer to sell posters for you; I can't say whether they are right or not.

This is of a piece with so much dumb stuff HHS does.  How relevant is this, really?  Doing a risk analysis is important; how important is it to put up a poster in languages nobody speaks?  I'm guessing that for the vast majority of covered entities, there will NEVER be a person who sees that poster that speaks at least 12 of those languages.   

This is stupidity.  This is make-work.  This is pure virtue-signalling. This, in and of itself, is reason for repealing the entirety of the Affordable Care Act.  

I rest my case.

The text of the regulation:

§92.8   Notice requirement. (a) Each covered entity shall take appropriate initial and continuing steps to notify beneficiaries, enrollees, applicants, and members of the public of the following: 

(1) The covered entity does not discriminate on the basis of race, color, national origin, sex, age, or disability in its health programs and activities; 
(2) The covered entity provides appropriate auxiliary aids and services, including qualified interpreters for individuals with disabilities and information in alternate formats, free of charge and in a timely manner, when such aids and services are necessary to ensure an equal opportunity to participate to individuals with disabilities; 
(3) The covered entity provides language assistance services, including translated documents and oral interpretation, free of charge and in a timely manner, when such services are necessary to provide meaningful access to individuals with limited English proficiency; 
(4) How to obtain the aids and services in paragraphs (a)(2) and (3) of this section;
(5) An identification of, and contact information for, the responsible employee designated pursuant to §92.7(a), if applicable; 
(6) The availability of the grievance procedure and how to file a grievance, pursuant to §92.7(b), if applicable; and 
(7) How to file a discrimination complaint with OCR in the Department. 

(b) Within 90 days of the effective date of this part, each covered entity shall: 
(1) As described in paragraph (f)(1) of this section, post a notice that conveys the information in paragraphs (a)(1) through (7) of this section; and 
(2) As described in paragraph (g)(1) of this section, if applicable, post a nondiscrimination statement that conveys the information in paragraph (a)(1) of this section. 

(c) For use by covered entities, the Director shall make available, electronically and in any other manner that the Director determines appropriate, the content of a sample notice that conveys the information in paragraphs (a)(1) through (7) of this section, and the content of a sample nondiscrimination statement that conveys the information in paragraph (a)(1) of this section, in English and in the languages triggered by the obligation in paragraph (d)(1) of this section. 

(d) Within 90 days of the effective date of this part, each covered entity shall: 
(1) As described in paragraph (f)(1) of this section, post taglines in at least the top 15 languages spoken by individuals with limited English proficiency of the relevant State or States; and 
(2) As described in paragraph (g)(2) of this section, if applicable, post taglines in at least the top two languages spoken by individuals with limited English proficiency of the relevant State or States. 

(e) For use by covered entities, the Director shall make available, electronically and in any other manner that the Director determines appropriate, taglines in the languages triggered by the obligation in paragraph (d)(1) of this section. 

(f)(1) Each covered entity shall post the notice required by paragraph (a) of this section and the taglines required by paragraph (d)(1) of this section in a conspicuously-visible font size: 
(i) In significant publications and significant communications targeted to beneficiaries, enrollees, applicants, and members of the public, except for significant publications and significant communications that are small-sized, such as postcards and tri-fold brochures; 
(ii) In conspicuous physical locations where the entity interacts with the public; and
(iii) In a conspicuous location on the covered entity's Web site accessible from the home page of the covered entity's Web site. 
(2) A covered entity may also post the notice and taglines in additional publications and communications. 

(g) Each covered entity shall post, in a conspicuously-visible font size, in significant publications and significant communications that are small-sized, such as postcards and tri-fold brochures: 
(1) The nondiscrimination statement required by paragraph (b)(2) of this section; and
(2) The taglines required by paragraph (d)(2) of this section. 

(h) A covered entity may combine the content of the notice required in paragraph (a) of this section with the content of other notices if the combined notice clearly informs individuals of their civil rights under Section 1557 and this part.



Jeff [12:53 PM]

[ Thursday, December 22, 2016 ]

 

Community Health Plan of Washington Breach: Not much information here, but what appears to be a Medicaid managed care plan suffered some sort of data breach that potentially exposed information about approximately 400,000 people.

UPDATE: Here's a little more information, via Justin Shafer (@JShafer817 on Twitter)*.  Although you never know with Justin, I suspect he might have found an unprotected FTP server with CHPW's patient data on it.  That could be what got the entity to investigate, and to provide the breach notice.


*Trigger Warning.  

Jeff [10:46 AM]

[ Monday, December 12, 2016 ]

 

New Guidance from OCR: Last week the Office for Civil Rights issued some additional guidance on disclosures that are permitted under HIPAA for "public health activities."  Covered entities don't need patient authorization to use and disclose PHI for public health activities such as reporting communicable diseases or tracking adverse events relating to FDA-approved drugs and devices.  The CDC's blog is here, and there's more here from IAPP.  

Jeff [2:20 PM]

[ Monday, December 05, 2016 ]

 

Glendale (CA) Adventist snooping case: A per diem nurse apparently went snooping in 528 patient files.  

Jeff [12:37 PM]

[ Thursday, December 01, 2016 ]

 

Phishing: You might've heard of this earlier, but someone is using OCR's Phase II audits as a pretext for sending what OCR is calling "a phishing email."  I haven't seen an actual email (if someone has one, send it my way), but I'm not sure it's exactly phishing so much as spam.

Apparently the email says you may be included in OCR's HIPAA Privacy, Security, and Breach Rules Audit Program, but the link takes you to a cybersecurity company's website, where they apparently hawk their cybersecurity wares (maybe they do phish testing?).

Hat tip to Ron Holstford of Central Alabama Radiation Oncology for giving me the first heads up on this.  And sorry I've been so blogless these days -- it's been an insanely busy year, which is good.

Jeff [10:45 AM]

[ Tuesday, November 29, 2016 ]

 

What does the Trump Administration mean for healthcare?  Here's one perspective.

Jeff [4:28 PM]

[ Thursday, November 17, 2016 ]

 

California data breach notification law undergoes changes: I don't think this is ultimately as big a deal as I initially thought, but Governor Jerry Brown has signed into law a revision to the California data breach notification law, requiring notification where encrypted data is part of the breach.  Under existing law, if the data is encrypted, no breach notification is required.  Under the new law, if the data is encrypted and lost, and the encryption key is believed to be acquired as well, then reporting is required.  That makes sense, and I would have thought that it would have been the case prior to the law change.  I would have certainly advised California clients to report a breach of encrypted data if the encryption key was compromised as well.  Presumably, if encrypted data is lost but the encryption key remains in safe hands, then no notification is required.

Jeff [3:45 PM]

[ Monday, November 14, 2016 ]

 

Idaho State University: Update: My apologies, this appeared in a newsfeed of mine last week, and while I was surprised I hadn't seen it otherwise, I figured out I might have missed it.  Turns out it's not current news, and I did, in fact, report on it back in 2013 when it happened.

Thanks to Dissent Doe for pointing that out.

Today's earlier post: A contractor failed to reactivate a firewall after doing some work on a server, potentially exposing PHI of 17,000 patients.  ISU apparently had a BAA with the contractor, but the OCR investigation determined that they hadn't done a risk assessment recently enough.  Fine?  $400,000.  I'm guessing the contractor paid it (probably out of insurance), but that detail is harder to find.  More here.

Jeff [10:16 AM]

[ Wednesday, November 09, 2016 ]

 

Off-Topic:

A friend emailed from Florida asking what I thought about the election.  Here's my hot take.

Surprised but not surprised.  Do you read Scott Adams?  He writes the Dilbert cartoon.  He’s been saying all along that Trump would win just because Trump is a master of persuasion.  Read his post from yesterday on confirmation bias and you’ll see what he’s up to.  If you have time, it would be very interesting to go back and read what he wrote back at the beginning. I said early that there’s no way Trump can win.  I knew he’d have popularity as a protest vote, an “I’m mad as hell and I’m not going to take it anymore” vote.  People in early primaries would vent their spleens and he’d poll well, drawing a couple second place finishes as the herd got thinned.  Then folks would get serious, realize that burning down the house is not the way to get rid of the cockroach infestation, no matter how bad it might be.  He’d start losing, make a noisy exit, and build on the free publicity for his next reality TV show.  But as it progressed, and he stayed in, and kept winning, and took the lead, I threw my hands up and said whatever I’ve thought all along has been wrong all along: I know in my brain that it’s impossible for Trump to win, so he’s going to win.  I can’t explain it; nobody can; it’s like the EM Drive: it violates the laws of physics, but it’s real and it works. 

I kept that as my mantra from the latter parts of the primary season throughout the entire election season until about a week ago, when I finally faced reality and said there’s no way.  I can’t deny the ultimate truth: despite being the worst, most crooked, lamest, least likeable presidential candidate in history (Nixon and LBJ may have been a little less likeable, but she leads so far in all other categories that she’s cumulatively way out in front of them), Hillary was still going to beat the least prepared, most ridiculous candidate on a non-fringe party ticket in at least my lifetime.  Ultimately, the Democrat machine would beat the MAGA crowd: the Philly transit strike was ended, mail-in ballots in Colorado and Nevada were stacking up in some of the greatest voter fraud efforts ever, and the press was relentlessly encouraging the flyover rubes to stay home in droves.  It was gonna be relatively close, but the Never-Trumpers would outweigh the hold-your-nose, vote-for-the-orangutan-its-important voters, and Hillary and all her baggage would end up in the White House, where she could use the levers of government to prevent her criminal enterprises from taking her down.  There would be an exceedingly strong push to impeach her, and the House might eventually even do so, but the Senate Dems, having already sold their souls, would have no problem finding that being caught red-handed committing a felony (not just a felony, but a felony involving the loss of State Secrets, death of diplomats and HumInt assets, and the sale of government favors to Arab dictators) isn’t enough to impeach, as long as the target is someone on your team.

Maybe I needed to return to my certainty for it to happen; maybe, like Charley Brown and the football, it’s only once I truly believe my eyes that I get to learn that I was wrong again.  But sure enough, as soon as I stopped believing Trump would actually win despite the facts in front of my face, he won despite the facts in front of my face.

Amazing.

If Trump had lost, the next candidate would be much worse than Trump.  Keep in mind how we got here.  In response to government overreach (specifically the Stimulus Bill, doubled-down on by Obamacare) the Tea Party rose as an absolutely true grass-roots political movement.  No leader, no spokesman, no organizer.  It was respectful and polite, it cleaned up after its rallies, and it gave voice to a lot of people who really (and legitimately, and rightly) felt that government was not only not listening to them, but was actively and arrogantly going in the opposite direction.  And what was the response to the Tea Party?  They were vilified as racists and fascists, not only by the Democrats and the press (he said, repeating himself), but by the Republican establishment (GOPe) itself.  And despite the Tea Party delivering huge Republican victories in 2010 and 2012, the GOPe marginalized them and worked against them, continuing to work for larger government (or at least not fighting against it, such as by passing continuing resolutions that continued the growth of the State).  The Democrats in particular, but also the mainstream media, the entertainment industry, even the GOPe, dismissed them as ignorant fly-over rubes.  Being resented by your superiors is one thing, but being resented by those you consider incompetent, being told that you and all your friends are racists and fascists, at some point you fight back.  The Tea Party was the polite, “ahem, excuse me” movement; Trump is the “hey, I’m talking here!” movement.  Unless the political class took the moment to acknowledge the gulf and actively reach out to the disaffected, the next movement would have been a punch.  And there is NO WAY IN HELL that they were going to reach out.  The smug, arrogant, narcissism on the Left would not have been conciliatory, but would’ve been as condescending as ever (they’d have to be, that’s the only way you can defend against the absolute truth that Hillary is a felon and if you’re a Clinton or Obama, the laws are for the little people), and the third wave would have been a bad tsunami for our country.  If you think Obama’s “I won” attitude was off-putting, wait until you get to hear it from someone with much less charm than Obama, like Hillary. 

Our betters in the Democratic party, academia, the media, and the entertainment industry should learn a lesson from this, but they won’t. They are entirely bought into their perception that the only way you could be opposed to Hillary is if you are a racist or sexist (or both).  Here’s the Slate homepage on the day after the election:




If you voted for Trump, you are a white supremacist, misogynist, anti-democratic, anti-gay, anti-semitic hater.  That’s just one page.  Do you think the people who voted for Trump, faced with this attack/accusation, will look deep into their souls, and look at their Trump-voting peers, acknowledge their guilt and change their ways?  Or will they say, “no, I’m not, and I know I’m not, and I know my friends aren’t, . . . ” and no longer listen to said Democrats, academia, media, and press?  My youngest looked at the front page of today’s paper and said, “We should keep this, it’s a historic day and this might be valuable in the future.”  I agreed, not so much because of Trump, but because it might be the signal of the end of newspapers themselves: the press’ self-beclowning becomes suicide.  This is a shameful day for the media, although obviously they (at least those at Slate) don’t see it this way.  Unless they figure that out, and figure out why they don’t know the country they think they have the pulse of, they will be done.  They have no factual authority any more, and they have squandered their moral authority, and there are too many other ways/places to get information.  You can only tell your target audience that they are stupid, racist, fascists rubes for so long before they go away. . . .

Ever heard of the Gell-Mann Amnesia effect?  Once you begin to realize that the media is lying about you, you begin to realize that the rest of what it’s saying may be lies as well.  Less power to the media.

So, Trump-administration-wise, what do I think will happen?  Ultimately, I don’t think it will be too bad.  First, unlike Hillary, if Trump tries to do something stupid, the Republicans in Congress will stop him.  Keep in mind, he’s not a Republican; he contributed to Hillary’s campaign against Obama in 2008, and has always aligned with Democrat (statist) policies until he decided to run for President.  He does not have that many genuine Republican ideas (enforcing existing immigration laws is not the same thing as building a wall), and his trade policies are closer to Bernie Sanders than Ted Cruz.  But if he goes too far, the Republicans in Congress will keep him in check.  That would not have been true of the Democrats; like they did in 2009, they would have taken legislation to the last inch they could get, and would support any bad idea Clinton came up with (hey, they might get the Vince Foster treatment if they didn’t; you don’t want a naked Rahm Emanuel coming after you).  That actually was sufficient reason to hold your nose and vote for Trump, especially if the Democrats were going to win the Senate.  As I noted on Twitter a few days ago:



Secondly, Trump has not expressed much in the way of policy specifics.  There’s too much out there to bite off all at once, or perhaps even at all, for one iconoclast.  I suspect whatever policies he does come up with won’t be bold or far-reaching.  Sure, he said he’ll Build The Wall, but Obama said he’d close Gitmo.  How’d that work out?  And Obama really, really, really wanted/wants to close Gitmo.  I don’t think Trump really cares about the Wall, it was only red meat to his audience.  The other stuff he’s likely to do will be a ratcheting back of the regulatory machine, which is actually an absolute must to regenerate legitimate and deep-reaching economic recovery.  I don’t think he’ll even “repeal” Obamacare, although it will be substantially dismantled (more “amend and restate” than “repeal and replace”).  But in fact, nobody knows.  We are in entirely unknown territory now.

Trade may be an area where he really does something, but like with the Wall, I think his rhetoric was “boob bait for Bubbas” and what he actually does will be much less dramatic.  Also, remember that while he was pontificating about the Wall (“just got 10 feet higher,” “I’ll make Mexico pay for it”), he still went and had a completely civil meeting with the President of Mexico.  He seems to know when to say outrageous things and when not to.  That being said, he’ll have to do something splashy regarding trade.  Maybe that will work out (probably not).




Jeff [1:23 PM]

[ Tuesday, November 08, 2016 ]

 

Off Topic:
This is a post for HMGT-6330.  The additional links are:
Private Insurance numbers
Paying the Penalty
Insurers leaving
Who is affected
CO-OP info
CO-OP troubles
Overall Obamacare Troubles




Jeff [3:02 PM]

[ Thursday, November 03, 2016 ]

 

Hmm, I'd expect a better level of understanding from the National Coordinator for Health Information Technology.  Or maybe it's just the reporting that's bad, and something is lost in the translation.  At the Brainstorm Health conference yesterday, Dr. Vindell Washington, head of ONCHIT, said that patient data belongs to the patient (true), and that the providers who hold the data do not own it (hmm, not true).

You know the Cubs won the World Series, right?  That's data, and you have it, and you own it.  I also know the Cubs won, so I also have and own that data.  If you stayed up late enough, you'd have seen that the MVP, Ben Zobrist, got a Chevy Camaro.  That's also data, and you and I and Ben all have and own that.  The car itself?  Only Ben owns that; you and I don't.  That's the thing about data -- it's an asset capable of being owned, but it's not a zero-sum game, and the fact that one person owns it doesn't prevent others from owning it as well.

The medical RECORD (the actual specific paper or digital representation of the data), on the other hand, is a different story.  Dr. Washington noted that 20 states say that the medical provider owns the data; I don't think that's true.  I believe those 20 states' laws refer to ownership of the record, not ownership of the data.  And that does make sense; while both the patient and provider may own the data, and while the patient has a right to get a copy of the data from the provider, the provider actually is the owner of the specific copy of the data that is the medical record.  Additionally, if the patient owns the data and the provider does not also own it, presumably the patient could require the provider to delete its copy of the data.  That would not be a good idea, for reasons that you and I (and even Ben Zobrist) can figure out.

The lesson is, don't confuse the concepts of "data" and "records."  They mean the same thing in many situations, but not always.

The article also states, ""Contrary to what some people may believe, patients have the right to ask their health care providers for access to their personal data."  I guess it may be true that "some" people believe that patients DON'T have that right, but I'd suspect it's a precious few who are so ill-informed.  OF COURSE people have the right to "ask . . . for access"; you also have the right to ask your provider to fix you a sandwich, or to marry you, but don't expect him/her to agree.   But more importantly, assuming your provider is covered by HIPAA which 99.99% are, your provider is OBLIGATED to actually give you that access.  Not necessarily for free, as Dr. Washington implies, but at a cost not to exceed the cost of producing the data.  But your provider doesn't have to give you the only copy, or delete his/her copy after giving you access. 

Jeff [10:45 AM]

[ Friday, October 21, 2016 ]

 

(OT) Candy Corn Beer.  I blame Steve Badger.

Jeff [10:37 PM]

[ Wednesday, October 19, 2016 ]

 

Interesting (Yet Entirely Wrong) Article: A doctor writing for Slate shows that he doesn't know how HIPAA works (see the first comment - all the way at the bottom of the comments).  But hey, at least he spelled it right. . . .

Jeff [1:50 PM]

[ Tuesday, October 18, 2016 ]

 

Speaking of Risk Assessments, OCR and ONC have revised their HIPAA Risk Assessment Tool.  

Jeff [1:53 PM]

 

Yelp: Doctors' hands are tied when patients complain.

Jeff [1:49 PM]

 

Another Day, Another big HIPAA settlement: $2,140,500 paid by St. Joseph Hospital of Irvine, California.  The hospital installed a new server for its "meaningful use" process, but didn't remove the default settings that made the server generally accessible over the internet.  They hired consultants and did some risk analysis, but none of it was system-wide; I'm not sure that a system-wide review would've fixed the problem, but if we've learned anything lately, the fact that the error didn't cause damage doesn't mean you don't have to pay for it.

Good, solid, system-wide risk analysis, reaching across your entire enterprise (geographically, lines of service, operationally, administratively, whatever) is mandatory, and (if you get caught, even by an unrelated issue) failure to do so will probably bring a fine.

Jeff [12:59 PM]

http://www.blogger.com/template-edit.g?blogID=3380636 Blogger: HIPAA Blog - Edit your Template