HIPAA Blog

[ Friday, November 30, 2018 ]

 

This is important, and in my (personal, non-legal) opinion an important piece of news relative to one of the biggest issues affecting HIPAA covered entities.

The FBI has gotten specific about one of the current strains of ransomware that is plaguing the healthcare industry.  Of specific importance to note in the HIPAA arena is the fact that this variant apparently simply encrypts the data it finds, and does not extract, view, or send out the data.  That's very important to a ransomware victim, since despite what OCR's guidance has been to date, if there's no viewing or outside transmission of the data, there is not a "breach" as defined in the Breach Notification Rule (45 CFR 164, part D). 

To be a "breach," there must be acquisition, access, use, or disclosure.  In this type of ransomware, the bad actor inserts virus software onto the computer system of the victim, but the bad actor does not access the data.  Any access only happens within the victim's computer system, by the software that is now part of that computer system.  If the virus then sends out some of that data that includes PHI to a third party, THEN you'd have acquisition by the third party, access by the third party, and disclosure to the third party, all of which WOULD be a breach.  Likewise, if the virus opens up a door that allows outside third parties to enter the system, and third parties do enter the system, you'd have access and disclosure, which would likely lead to acquisition and use.  However, if the virus does not exfiltrate or allow outside access, then you do not have acquisition, access, use or disclosure.

This is an important distinction.

This is also not legal advice.

Jeff [12:20 PM]

[ Tuesday, November 27, 2018 ]

 

A patient had a complaint about Allergy Associates of Hartford (CT); he took his complaint to the local TV news station.  The reporter called the practice to ask for a response, and the doctor in question spoke with the reporter (despite the fact that his privacy officer told him to say "no comment" or not respond at all).  That conversation with the reporter disclosed patient PHI in a manner not permitted by HIPAA.  And now, OCR has fined the practice $125,000. 

It's not fair: the patient told the reporter all of his information already, it's in the public domain, he put it in the public record, he publicized it, he started it.  Yes, all that's true.

But it doesn't matter.  The covered entity has the obligation not to use or disclose PHI unless the use or disclosure is permitted by HIPAA.  The fact that the information is already public knowledge doesn't matter, even if the patient himself put it out there.

That doesn't mean the provider can't respond to the reporter at all.  At the least, the practice should let the reporter know that it can't respond with respect to any specific patient due to the prohibitions of HIPAA (and can't even acknowledge that the patient is a patient), unless the patient specifically authorizes the disclosure.  Additionally, the practice can give general information about the practice that doesn't disclose anything about any individual patient.  For example, if the patient falsely complains that it took 20 office visits in 2 months to fix the issue, the practice can state that it researched its records for the last 5 years and did not locate any patient with 20 visits scheduled in a 2-month period (since that doesn't provide any information on any particular patient, it's not PHI).  But you can't say "this patient didn't have 20 visits" because that is PHI.

The playing field is tilted against providers when it comes to patient complaints.  But don't make it worse by responding in a way that violates HIPAA.

UPDATES (other law firms picking up the thread):
Holland & Knight: Eddie Williams III
Drinker Biddle: Sumaya Noush

Jeff [12:46 PM]

 

Mercy Medical Center-North Iowa in Mason City has notified about 2000 patients of a potential data breach.  Looks like an employee behaving badly. . . . 

Jeff [11:16 AM]

[ Tuesday, November 20, 2018 ]

 

Ohio has decided to issue a standardized form to authorize the release of PHI.  The Texas AG did the same thing a few years ago (as a result of what was then called HB 300).  The Ohio regulation is specifically intended to comply both with HIPAA and with the more restrictive "Part 2" rules applicable to federally-supported substance abuse treatment facilities.  The form can be found here; hat tip to Dinsmore & Shohl for the article.

Jeff [9:08 AM]

[ Monday, November 19, 2018 ]

 

Which is worse, theft and improper disclosures of PHI, or hackers?  Most HIPAA data breaches are the result of either theft (often done by employees) or simple improper disclosures, such as sending data to the wrong location.  While we should all be vigilant against hackers, in terms of the sheer number of breaches, hacks are far fewer.

However, on the other hand, when a hacker hits, he (or she) usually gets a lot more records than your average thief or other recipient of an improper disclosure.

So, quantity of breaches, or quantity of files? 

Jeff [3:57 PM]

[ Wednesday, November 14, 2018 ]

 





Jeff [3:32 PM]
