August 2019 Healthcare Data Breaches Reported at a Rate of 1.5 incidents per day

According to HIPAA Journal’s monthly healthcare data breach update posted on September 23, 2019, “In August, healthcare data breaches continued to be reported at a rate of more than 1.5 per day, which is around twice the monthly average in 2018 (29.5 breaches per month). This is the second successive month when breaches have been reported at such an elevated level. While the number of breaches has not changed much since last month (49 compared to 50), there has been a substantial reduction in the number of exposed records.” Hacking and IT incidents were the number 1 cause of incidents, followed by unauthorized uses and disclosures.

Business Associate Agreements: Is BAA Compliance on Your 2019 Work Plan?

The HIPAA Privacy Rule requires Covered Entities enter into written contracts with Business Associates. A Business Associate Agreement (BAA) outlines the expectations of the Covered Entity with respect to how the Business Associate will protect the privacy of protected health information (PHI). The HITECH Act and the Omnibus Final Rule expanded the liability of Covered Entities for breaches by Business Associates. Furthermore, per §13410 of the HITECH Act, a Business Associate is now directly liable for uses and disclosures of PHI that are not in accordance with its BAAs or HIPAA’s rules. According to data available at the U.S. Department of Health and Human Services Office for Civil Rights Breach Portal, Business Associates were responsible for forty-four (44) of the 280 incidents reported in CY2018 for breaches impacting 500 or more individuals.[1]

The absence of a HIPAA compliant BAA with any eligible vendor places a Covered Entity at risk for being found out of compliance with 45 CFR 164.504(e). To emphasize the importance of compliance, the HHS Office of Civil Rights (OCR) released the phase two (2) audit protocol in 2016 and subsequently updated in July 2018.[2] The updated protocol focuses on Covered Entity and Business Associate compliance with select requirements, including the presence of compliant agreements.

Examples of penalties imposed by the HHS OCR as the result of absent or deficient BAAs include[3]:

  • April 20, 2017: Center for Children’s Digestive Health (CCDH) fined $31,000 for being unable to produce a valid BAA prior to October 12, 2015 for a vendor CCDH had exchanged PHI with since 2003.

  • December 4, 2018: Advanced Care Hospitalists PL (ACH) settles with OCR and pays $500,000 over allegations of sharing PHI with an unknown vendor without a BAA.

  • February 7, 2019: Cottage Health pays $3 million to settle multiple allegations regarding lack of compliance with HIPAA Rules, including failing to obtain a written BAA with a vendor maintaining ePHI on its behalf.

Business Associate Agreements are often an afterthought during the contracting process because the primary focus is on the terms and conditions, the operational aspects of the contract, and getting the project implemented. Managing compliance with HIPAA BAA requirements is further complicated by legacy agreements that may not have been updated with HITECH provisions, incomplete execution of agreements, the lack of a central repository, and inconsistent breach notification expectations. The trend in OCR enforcement actions highlighted above is reason enough for Covered Entities and Business Associates alike to prioritize BAA-related clean-up projects.

[1] https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf

[2] https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/protocol/index.html

[3] https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/index.html

2018: A Record Year for Healthcare and Consumer Data Breaches

Hackers stole nearly 447 million consumer records containing personally identifiable information (PII) last year. According to Weisbaum (2019, February 4), “Data breaches are now a normal, everyday occurrence”. One cause cited for the seemingly daily reports of data breaches is the growing use of Facebook login credentials as a token for accessing multiple platforms.

2018 was also a record year for both the number of patients impacted by healthcare data breaches and the dollar value of fines imposed by the HHS Office of Civil Rights (OCR). In 2018, OCR HIPAA-related fines and settlements totaled $28,683,400. According to OCR data, the number of healthcare data breaches has increased every year since 2009, with the exception of 2015.

One step closer to aligning 42 CFR Part 2 with HIPAA

The Overdose Prevention and Patient Safety Act was passed by the U.S. House of Representatives and is on its way to consideration by the U.S. Senate. Among other provisions, H.R. 6082 allows the health records of substance use disorder patients to be disclosed without specific written consent from patients for the purposes of treatment, payment, and healthcare operations (TPO). Currently, the only exception to the specific consent requirement of Part 2 is a bona fide medical emergency. If passed by the Senate and signed into law, the one sticking point for most medical providers who are either Part 2 programs or lawful holders of Part 2 protected information will be unstuck because of the alignment with the HIPAA Privacy Rule.

Business Associate Agreements: Don't Set it and Forget it!

There is more to HIPAA compliance than privacy and security safeguards. An oft-overlooked requirement is the Business Associate Agreement (BAA), and even when covered entities do have a BAA in place with a vendor, follow-up on reviewing and, if necessary, updating those agreements at contract renewal is inconsistent.

According to a HIPAA News report posted June 1, 2018 regarding multiple breaches at Dignity Health, one incident involved a vendor with an outdated BAA. Per the author, "The contractor in question had been used for ten years and a valid business associate agreement had been in place earlier; however, that document was no longer valid and data continued to be shared with the contractor due to a clerical mistake." Clerical errors happen; however, policies and procedures to catch them are often not in place. BAA audits are a good item for compliance professionals to consider when formulating annual work plans, and the Dignity case is a good, public example of the 'why'.

Complying with HIPAA alone won't cut it - Covered entities need to keep up with changes in state laws

For healthcare organizations operating in multiple states, the complexity of compliance with privacy and security rules goes beyond understanding HIPAA. Add Colorado to the list of states with new laws defining special requirements for reporting breaches to the attorney general and definitions of personal information that include biometric data. While HIPAA allows up to 60 days to provide notice to an individual regarding a breach, and also up to 60 days to report breaches affecting 500 or more individuals to the Office of Civil Rights (OCR), the new Colorado law requires notice to the individual within 30 days. Colorado is the most recent state to join the club of states with more stringent reporting rules than HIPAA requires; Alabama, which enacted a 45-day time frame, joined shortly before it.

According to Cofense, 91% of cyber attacks begin with a phishing email

Domain-based Message Authentication, Reporting and Conformance (DMARC) is a standard healthcare organizations can implement to reduce their susceptibility to cyber attacks by reducing vulnerabilities associated with spoofing. Spoofing occurs when an attacker impersonates the legitimate domain by making an email appear to come from within the organization. Despite training regarding phishing, staff may still be fooled by emails that look like they come from a legitimate domain. DMARC can be set up to monitor email traffic and send reports (the most permissive setting) or, at its most aggressive setting, to instruct receiving mail servers to block messages that fail authentication for the organization's domain.

Per HIPAA News (2018, May 26) "For the study, Valimail reviewed the domains of 928 healthcare companies around the globe with annual revenues over $300 million, including hospitals, medical equipment suppliers, pharmacies, physicians and health practitioners. Just 121 of those firms (13%) have adopted DMARC to secure their domains and stop email spoofing."
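The "monitor" versus "block" distinction above is expressed in the DMARC DNS TXT record's p= tag (none, quarantine or reject). The following added example, written for this page and not taken from Valimail, HIPAA News or any DMARC tool, parses such a record and grades it from a defender's point of view, flagging the common weak spots (p=none, a pct= below 100, a subdomain policy weaker than the main one, and no rua= address, which means the domain owner never receives the reports showing who is sending as their domain). The three sample records and the example-hospital.test domain are constructed; nothing here performs a DNS lookup.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample records for illustration (not real domains, no DNS lookup).
MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example-hospital.test"
PARTIAL = "v=DMARC1; p=quarantine; pct=25"
ENFORCING = ("v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; "
             "rua=mailto:dmarc-reports@example-hospital.test")


@dataclass
class DmarcAssessment:
    level: str                 # "missing", "monitor", "partial" or "enforcing"
    policy: str = ""           # value of the p= tag
    pct: int = 100             # share of failing mail the policy applies to
    findings: List[str] = field(default_factory=list)


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'tag=value; tag=value' into a dict; tag names are case-insensitive."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: Optional[str]) -> DmarcAssessment:
    """Grade a domain's DMARC record: how much does it actually stop spoofing?"""
    if not record:
        return DmarcAssessment("missing", findings=[
            "no DMARC record published; receivers apply no policy"])
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return DmarcAssessment("missing", findings=[
            "record must begin with v=DMARC1; receivers ignore it otherwise"])

    findings: List[str] = []
    if "p" not in tags:
        findings.append("p= tag is required; without it the record is not a valid policy")
    policy = tags.get("p", "none").lower()
    subdomain_policy = tags.get("sp", policy).lower()   # sp defaults to p
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
        findings.append("pct= is not a number; receivers fall back to 100")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports showing who sends "
                        "as your domain will never arrive")

    # Rank policies so a weaker subdomain policy can be detected.
    strength = {"none": 0, "quarantine": 1, "reject": 2}
    if strength.get(subdomain_policy, 0) < strength.get(policy, 0):
        findings.append(f"sp={subdomain_policy} is weaker than p={policy}; "
                        "subdomains can still be spoofed")

    if policy == "none":
        findings.append("p=none is monitor-only: mail that fails authentication is still delivered")
        level = "monitor"
    elif pct < 100:
        findings.append(f"pct={pct}: only {pct}% of failing mail receives the {policy} policy")
        level = "partial"
    else:
        level = "enforcing"
    return DmarcAssessment(level, policy, pct, findings)


if __name__ == "__main__":
    for name, record in [("monitor-only", MONITOR_ONLY), ("partial", PARTIAL),
                         ("enforcing", ENFORCING), ("absent", None)]:
        result = assess_dmarc(record)
        print(f"{name:13s} level={result.level:9s} findings={result.findings}")
```

In practice the record to feed in is the TXT record at _dmarc.<your-domain>; starting at p=none with an rua= address and moving to p=quarantine and then p=reject once the reports show only legitimate senders is the usual rollout path.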

HIPAA Covered Entities Should Start Saving for a Rainy Day (aka Big Breach)

A provision of the HITECH Act of 2009 that has yet to be implemented is establishing a mechanism for the victims of a HIPAA related breach to share in any settlement or monetary penalties assessed. The Office of Civil Rights (OCR) plans to issue notice of proposed rule making in November 2018 in an effort to satisfy this HITECH requirement. In the meantime, HIPAA covered entities may want to consider revisiting their internal efforts to comply with the Privacy and Security rules to mitigate future risk as well as consider planning for a reserve commensurate with the potential exposure if a major breach were to occur.

The HIPAA Privacy Rule 15th Anniversary - Blast from the Past & Hybrid Entities

In April 2003, sports drama ‘42’ was a hit at the box office, hip hop hit ‘In da Club’ by 50 Cent topped the Billboard charts, and the Human Genome Project was completed with 99% of the human genome sequenced to an accuracy of 99.99%. The date also marked the end of years of preparation for healthcare providers and most payers to comply with the HIPAA Privacy Rule.

Fifteenth anniversaries are traditionally symbolized with roses, rubies, or crystal. Throughout the month of April, VantagePoint is highlighting the 15th anniversary of the compliance date for the HIPAA Privacy Rule with special informational posts regarding HIPAA compliance and some of the lesser known (or understood) provisions.

One provision that causes confusion is how HIPAA works for entities that have both healthcare and non-healthcare related components. An organization type that often experiences confusion regarding compliance with HIPAA is a college or university that offers on-site health services for students. The Family Educational Rights and Privacy Act of 1974 (FERPA) applies to the health records maintained on students at the campus health clinics of postsecondary schools. Entities subject to FERPA classify records as either education or treatment records, both of which are excluded from coverage under the HIPAA Privacy Rule (with some exceptions) even if the school is a HIPAA covered entity. A school becomes a hybrid entity, subject to HIPAA, by segregating healthcare related activities into a separate component of operations.

Former California State Contractor Sued Over Breach Of HIV Patient Privacy

According to Kaiser Health News, "A security breach by a private company that contracted with California’s public health department inadvertently allowed unauthorized access to the HIV status of 93 people, according to a lawsuit filed this week in San Francisco County Superior Court."

NJ medical group fined $418K for HIPAA business associate error

Virtua Medical Group, comprised of more than 50 medical practices across New Jersey, agreed to a fine of more than $418,000 imposed by the state attorney general. An investigation found that the records of about 1,600 patients were exposed. What makes this situation unique, however, is that the server in question was operated by a third-party business associate - in this case a transcription vendor.

The Virtua breach occurred in January 2016 when transcription services vendor Best Medical Transcription updated the software associated with a File Transfer Protocol (FTP) website. The update inadvertently reconfigured the server to allow access without a password, so patient records became searchable via Google. Even after Best Medical fixed the misconfiguration shortly after it was discovered, cached indexes of the records remained accessible on Google.

But the company never notified Virtua. Instead, the medical practice found out about the breach after a patient’s mother called to report she had found portions of her daughter’s medical record online. Two weeks later, Virtua notified law enforcement and individually removed each patient’s information from Google’s cache.

Still, state prosecutors alleged that, among other violations, the provider was delayed in responding to the breach and failed to maintain a written log of when the FTP site was accessed. In addition to paying the fine, Virtua is required to hire a third-party professional to analyze the group’s security risks.

No fine for Best Medical? Business Associates are expected to adhere to the same standards as Covered Entities, though it appears in this case they got off easy. Is it an anomaly? If anything, it is a clear signal to Covered Entities that they must be properly vetting their Business Associates to ensure that they are working with organizations who understand and can comply with HIPAA requirements. 

April 2018 Marks 15 Years of Compliance with the HIPAA Privacy Rule

April 2018 marks the 15th anniversary of the requirement for most HIPAA covered entities to comply with the Privacy Rule.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) required the HHS Secretary to establish and publicize standards for the electronic exchange, privacy, and security of health information. April 14, 2003 marked the official compliance date for the HIPAA Privacy Rule. By that date, all HIPAA covered entities (except small health plans) were required to implement standards to protect and guard against the misuse of individually identifiable health information.

Fifteenth anniversaries are traditionally symbolized with roses, rubies, or crystal. Throughout the month of April, VantagePoint is highlighting the 15th anniversary of the compliance date for the HIPAA Privacy Rule with special informational posts regarding HIPAA compliance and some of the lesser known (or understood) provisions.

One lesser-known provision is the temporary waiver of certain HIPAA Privacy Rule requirements during a declared disaster event. In 2017, the HHS Secretary issued three separate temporary waivers of select HIPAA Privacy Rule requirements in the areas impacted by hurricanes Harvey, Irma, and Maria. During a national or public health emergency, the HHS Secretary may waive certain provisions of the Privacy Rule under the Project Bioshield Act of 2004, as well as section 1135(b)(7) of the Social Security Act. The waivers apply to hospitals that have implemented a disaster protocol and expire 72 hours after the protocol is implemented. Common Privacy Rule waivers in these situations include the patient's right to request privacy restrictions or confidential communications, distribution of the Notice of Privacy Practices, and opt-out of the facility directory. During a disaster, hospitals need to divert resources to the response and away from administrative concerns, so these waivers are a big relief operationally.

Verizon Report: Insider breaches prove troublesome for healthcare

Verizon has released their yearly Protect Health Information Data Breach Report. The results show that the healthcare sector is unique from other industries in that insider threats were more common than external ones, comprising about 58% of healthcare breaches. But why?

From the standpoint of internal actors, the access that healthcare workers have to patients' personal information affords a convenient means to commit fraud of various types (for example tax return fraud or opening lines of credit). Insiders are also frequently prone to curiosity, and the accessing of patient data outside of their job responsibilities is reflected in the 94 instances where fun was the motive behind the data breach. For example, the admission of a family member, acquaintance or well-known personality into a hospital can present a temptation for employees who have technical access to that patient’s health record but no direct role in providing care or services to that patient. Any unwarranted access into that patient’s record simply to appease their curiosity would be (and is) considered a breach. Lastly, convenience as a motive comes into the picture when insiders do something that makes it easier to get their work done but, as a consequence, also puts data at risk. An example would be violating data handling policies by storing sensitive data on unapproved hardware.

So how can the healthcare industry stop these insiders from exposing protected data? While technical safeguards will certainly help, it is really up to the people inside an organization to do their part. Proper training and awareness of HIPAA and data security best practices are essential to ensuring patients' data remains secure. 
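One of the technical safeguards mentioned above is routine review of the EHR access-audit trail for the "curiosity" pattern the report describes: a user opening a chart for a patient with whom they have no documented treatment relationship. The following added example (written for this page, not taken from the Verizon report or any EHR product) runs that check over a constructed CSV audit log and a constructed care-team roster, and also flags chart access by roles that never need it and bulk record exports. The log lines, user names, patient ids and the role policy are all made up for illustration.

```python
import csv
from io import StringIO
from typing import Dict, List, Set

# Constructed EHR access-audit log (CSV). Real systems export something similar.
AUDIT_LOG = """timestamp,user,role,patient_id,action
2018-03-05T08:02:11,nurse.ortiz,RN,P1001,view_chart
2018-03-05T08:10:43,dr.lee,MD,P1001,update_orders
2018-03-05T12:31:07,clerk.adams,REG,P1001,view_chart
2018-03-05T12:33:19,clerk.adams,REG,P1001,view_chart
2018-03-05T13:05:50,nurse.ortiz,RN,P2002,view_chart
2018-03-05T13:06:12,it.smith,SYSADMIN,P3003,export_record
2018-03-05T14:15:00,dr.patel,MD,P3003,view_chart
"""

# Constructed roster: patient -> users with a documented treatment relationship.
CARE_TEAM: Dict[str, Set[str]] = {
    "P1001": {"nurse.ortiz", "dr.lee"},
    "P2002": {"dr.patel"},
    "P3003": {"dr.patel"},
}

# Constructed policy: roles whose duties never require opening a chart.
NON_CLINICAL_ROLES: Set[str] = {"SYSADMIN", "REG"}


def parse_audit_log(text: str) -> List[Dict[str, str]]:
    """Read the CSV export into one dict per access event."""
    return list(csv.DictReader(StringIO(text)))


def find_suspicious_access(rows: List[Dict[str, str]],
                           care_team: Dict[str, Set[str]],
                           non_clinical_roles: Set[str]) -> List[Dict[str, object]]:
    """Return every access event that has at least one reason to be reviewed."""
    findings: List[Dict[str, object]] = []
    for row in rows:
        reasons: List[str] = []
        # Curiosity / snooping: user is not on the patient's care team.
        if row["user"] not in care_team.get(row["patient_id"], set()):
            reasons.append("no documented treatment relationship")
        # Role has no clinical need to open charts at all.
        if row["role"] in non_clinical_roles:
            reasons.append(f"role {row['role']} has no clinical need for chart access")
        # Bulk exports are the convenience/fraud pattern and always get a look.
        if row["action"] == "export_record":
            reasons.append("bulk record export")
        if reasons:
            findings.append({
                "timestamp": row["timestamp"],
                "user": row["user"],
                "patient_id": row["patient_id"],
                "action": row["action"],
                "reasons": reasons,
            })
    return findings


def summarize_by_user(findings: List[Dict[str, object]]) -> Dict[str, int]:
    """Count flagged events per user so repeat offenders surface first."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[str(f["user"])] = counts.get(str(f["user"]), 0) + 1
    return dict(sorted(counts.items(), key=lambda kv: -kv[1]))


if __name__ == "__main__":
    flagged = find_suspicious_access(parse_audit_log(AUDIT_LOG), CARE_TEAM, NON_CLINICAL_ROLES)
    for f in flagged:
        print(f"{f['timestamp']} {f['user']:12s} {f['patient_id']} {f['action']:14s} "
              + "; ".join(f["reasons"]))
    print("per-user totals:", summarize_by_user(flagged))
```

The care-team roster is the part that takes real work in production: it has to be built from admissions, orders and scheduling data so that legitimate covering clinicians are not flagged, and any break-the-glass emergency access should be recorded with its justification so it can be reviewed separately rather than treated as snooping.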

NY Attorney General: Record number of data breaches in 2017

New York Attorney General Eric Schneiderman said Thursday that there were a record number of data breaches in his state during the year 2017. In his report titled “Information Exposed: 2017 Data Breaches in New York State,” Schneiderman reveals that 1,583 breaches were reported to his office in 2017, impacting the data of 9.2 million New Yorkers. 

Indicating that current laws are inadequate, Schneiderman's office also introduced new legislation with stricter reporting requirements for any organization doing business with New York residents: 

However, current law does not require most companies to maintain reasonable data security, except if the company collects social security numbers. Companies also are not required to report breaches of certain critical data types, including username-and-password combinations, and biometric data like the fingerprint you use to unlock an iPhone.
To address these inadequacies in the law, my office introduced the Stop Hacks and Improve Electronic Data security, or SHIELD Act, which would require companies to adopt administrative, technical, and physical safeguards for sensitive data. These standards would apply to any business that holds sensitive data of New Yorkers, whether they do business in New York or not.
The standards are tailored to the sensitivity of the data retained and the size and complexity of the business. The SHIELD Act also expands the types of data that trigger reporting requirements in the event of exposure to include username-and-password combinations, biometric data, and HIPAA-covered health data.
My office is also preparing new legislation that would require companies like Facebook to notify my office, and in turn consumers, as soon as they learn that their users’ personal data has been misused. 

With an increasing number of states across the nation introducing their own information and data security regulations, where does this leave HIPAA? It is crucial for healthcare entities to understand the requirements of each regulation but following one does not mean the other can be ignored. 

HIPAA Privacy implications in the wake of Facebook/Cambridge Analytica?

Much has already been discussed about the controversy surrounding Facebook and Cambridge Analytica and their usage of customers' data. In all the mayhem and confusion surrounding the massive privacy debacle, is there a lesson to be learned for the healthcare industry? 

According to HHS, "the HIPAA Privacy Rule gives individuals a fundamental new right to be informed of the privacy practices of their health plans and of most of their health care providers, as well as to be informed of their privacy rights with respect to their personal health information" (45 CFR 164.520). The Privacy Rule also maintains:

Each covered entity, with certain exceptions, must provide a notice of its privacy practices. The Privacy Rule requires that the notice contain certain elements. The notice must describe the ways in which the covered entity may use and disclose protected health information...state the covered entity’s duties to protect privacy, provide a notice of privacy practices, and abide by the terms of the current notice...describe individuals’ rights, including the right to complain to HHS and to the covered entity if they believe their privacy rights have been violated...include a point of contact for further information and for making complaints to the covered entity. Covered entities must act in accordance with their notices. The Rule also contains specific distribution requirements for direct treatment providers, all other health care providers, and health plans.

Luckily, HHS provides a model Notice that Covered Entities can use to fulfill these requirements. However, simply having the Notice, or having a patient sign an acknowledgment that she received your Notice of Privacy Practices, is not enough to maintain compliance: each patient must actually be provided with a copy.

The words of the late Steve Jobs are both timely and relevant to any privacy discussion:

Privacy means people know what they’re signing up for. In plain English, and repeatedly. That’s what it means. I’m an optimist. I believe people are smart. And some people want to share more data than other people do. Ask them. Ask them every time. Make them tell you to stop asking them if they’re tired of you asking them. Let them know precisely what you’re going to do with their data.

So often in the healthcare world, compliance regulations are seen as a barrier to quality care. But ultimately, isn't healthcare about protecting the patient? Don't let your patients' right to privacy be a barrier to providing them with the care that they deserve - and that includes notifying them about their rights!