HIPAA Blog

[ Monday, April 30, 2018 ]

 

About Virtua: As you may know (I posted on it at the beginning of the month), a large NJ physician practice paid a $400,000 fine as a result of a transcription company's use of an unsecured FTP server (NOT discovered by Justin Shafer, though).  Edward McKinney, CISO of Floyd Medical Center in Rome, Georgia alerted me about Virtua, and wondered: is this the beginning of Covered Entities being held liable for the sins of their Business Associates?

Maybe.  First, keep in mind this is a state AG action, not an OIG action, so the effect on HIPAA enforcement is a little more tenuous.  But also, it's pretty easy to read the AG's statements as directly damning Virtua for not minding its own privacy and security matters (insufficient risk analysis, insufficient security training), not for its inability to sniff out the vendor's shortcomings.

We could be entering an era where the sins of the vendors are visited upon the covered entities, especially if the covered entity failed to properly vet the vendor (like a negligent credentialing claim).  But I'm not ready to make that leap -- I think there's sufficient direct blame here that you don't need to pin it on indirect blame.  A covered entity with great risk analysis and training might still be guilty of hiring a bad vendor due to the fact that it didn't kick the tires hard enough, and there's a conceptual HIPAA violation in that scenario.  But I really think, unless the vetting was unconscionably bad, you'll not see that as a violation.  Rather, you're still much more likely to see a failure to do sufficient first-party risk analysis (as well as missing policies and procedures).

Jeff [3:11 PM]

[ Friday, April 27, 2018 ]

 

A handful of new breaches: including the Metroplex's own Texas Health Physician Group, which apparently suffered an email system intrusion of some sort.  

Jeff [2:01 PM]

[ Wednesday, April 25, 2018 ]

 

Oops.  

Jeff [7:45 PM]

[ Wednesday, April 18, 2018 ]

 

Dallas Morning News: Speaking of HIPAA geeks, who has 2 thumbs and got quoted in the Dallas Morning News earlier this week?  This guy!

Jeff [10:59 AM]

 

Azar's guts: Of course, I see this and wonder if it's a HIPAA violation.  Well, that and a couple of jokes that pretty much write themselves.  

Jeff [10:56 AM]

[ Thursday, April 12, 2018 ]

 

Insiders Cause Most Health Industry Breaches: Not really surprising, but most data breaches in the health industry are caused by insiders.  That's not surprising, given the highly labor-intensive nature of healthcare, the presence of so many low-wage employees (who might be more likely to either intentionally (theft) or unintentionally (accident) cause a breach), and the fact that sensitive identifiable data is involved in every aspect of the business.

I don't agree with the headline's premise, that healthcare is worse than anyone else at preventing insider actions; that assumes that the number of healthcare data breaches is comparatively high compared with other industries.  Rather, I think the number of breaches is comparatively low, but it's just that the percentage of the (lower number of) breaches attributable to insiders appears high due to the low denominator.

Jeff [3:05 PM]

[ Tuesday, April 10, 2018 ]

 

Old dogs, new tricks?  OK, not exactly, but I did actually learn something new about HIPAA today.  It confirmed my understanding in the area (which coincidentally I was discussing with someone within the last few days), but I wasn't aware that there was such an explicit outlining of the matter by HHS already.

Someone asked me what their HIPAA obligations are, as a covered entity, to investigate their business associates' HIPAA compliance activities.  Lots of larger CEs have extensive requirements they pass down to their BAs, forcing them to answer questionnaires, provide documentation, and agree to inspections or reviews, so that the CE can determine whether the BA is adequately protecting PHI.  This is a good thing in theory, but can be a monstrous pain in the neck for the BA, especially if it's a small shop with a more, shall we say, informal HIPAA compliance plan ("Shhh."). 

As I told my interlocutor, the HIPAA regs themselves do not require any sort of active engagement by the CE over its BAs, only the entering into of a BAA and the downstreaming of the specified obligations in 164.504(e).  Most BAAs contain more than is required, and those that contain active monitoring of the BA certainly do.  While it seems to be becoming an industry trend, and may be a "best practice" for a larger CE, it's certainly not a requirement.

As an aside, I would note that a BA should be very careful about agreeing to provide the CE with a copy of its risk assessment: once an organization has determined what its greatest weaknesses are, it's not a good idea to show that to anyone outside the organization.  If the outside entity does not keep that information secure, it's like giving potential hackers a road map to the best way into your data.  I passed this advice along as well.

Anyway, Lexology today led me to this article by Adam Green's crew at Davis Wright Tremaine.  It turns out, there is specific language in the December 2000 Privacy Final Rule that removed a more active monitoring requirement in the proposed regs from 1999 (the regs I famously read on the beach in Destin, Florida in June of 2000).  The 2000 Final Rule says, "In the final rule, we reduce the extent to which a covered entity must monitor the actions of its business associate and we make it easier for covered entities to identify the circumstances that will require them to take actions to correct a business associate’s material violation of the contract. . . .  [T]his standard relieves the covered entity of the need to actively monitor its business associates. . . ."

As the article also notes, OCR officials indicated a year ago at a HIPAA Summit that they do expect CEs to conduct a certain level of due diligence with respect to their BAs.  While this "guidance" is helpful, and I would always encourage CEs to exceed the requirements of HIPAA where it's reasonable to do so, it is still just that: guidance.  As with the OCR "ransomware = breach" guidance, it is not the law and it is not a regulation, and should not be enforced as such.  The Administrative Procedures Act exists for a reason, and if HHS wants to draft binding regulations, there's a way to do so, and HHS should follow the rules.

Jeff [10:55 AM]

[ Thursday, April 05, 2018 ]

 

State Data Breach Notification Laws: Well, in late March South Dakota made it 49, and effective June 1, Alabama will be the 50th state with a data breach notification law.  There's still talk about a national law, but personally, I think this is something we should let the states handle on their own.

Remember, if you have an incident that might be a HIPAA breach, you also need to consult state law; an incident could be either a HIPAA breach or a state breach, or both, or neither.  The analysis is similar, but not the same.

UPDATE: Shoulda given a hat tip to Ron Holtsford in Alabama for the heads up; I missed them both in the flurry that was the end of March.

Jeff [2:47 PM]

 

Virtua (NJ) Breach: a bad server setup by a transcription company business associate resulted in a $400,000 state fine for a New Jersey medical group.  

Jeff [2:42 PM]
