Protected Health Information

Registration for the Privacy Summit is open.

Fox Rothschild’s Minneapolis Privacy Summit on November 8 will explore key cybersecurity issues and compliance questions facing company decision-makers. This free event will feature an impressive array of panelists drawn from cybersecurity leaders in major industries, experienced regulatory and compliance professionals and the Chief Division Counsel of the Minneapolis Division of the FBI.

Attendees receive complimentary breakfast and lunch, and can take advantage of networking opportunities and informative panel sessions:

GDPR and the California Consumer Privacy Act: Compliance in a Time of Change

The European Union’s General Data Protection Regulation has been in effect since May. Companies that process or control EU citizens’ personal data should understand how to maintain compliance and avoid costly fines. Many more businesses should also prepare for the next major privacy mandate: the California Consumer Privacy Act.

Risk Management – How Can Privacy Officers Ensure They Have the Correct Security Policies in Place?

Panelists offer best practices for internal policies, audits and training to help safeguard protected health information (PHI), personally identifiable information (PII) and other sensitive data. Learn cutting-edge strategies to combat the technology threats of phishing and ransomware.

Fireside Chat

Jeffrey Van Nest, Chief Division Counsel of the Minneapolis Division of the FBI, speaks on the state of affairs in regulation and enforcement, including how to partner with the FBI, timelines of engagement and the latest on cyber threat schemes. His insights offer details on forming effective cyber incident response plans.

Keynote Speaker – Ken Barnhart

Ken is the former CEO of the Occam Group, a cybersecurity industry advisor and the founder and principal consultant for Highground Cyber – a spin-off of the Occam Group’s Cybersecurity Practice Group. For more than a decade, he has helped companies of all sizes design, host and secure environments in private, public and hybrid cloud models. Prior to his work in the corporate sector, Ken served as a non-commissioned officer in the United States Marine Corps and is a decorated combat veteran of Operation Desert Shield/Storm with the HQ Battalion of the 2nd Marine Division.

Geared toward an audience of corporate executives, in-house chief privacy officers and general counsel, the summit will provide important take-aways about the latest risks and threats facing businesses.

Stay tuned for more agenda details. Registration is open.

Roger Severino, director of the Department of Health and Human Services’ Office for Civil Rights, told HIMSS18 conference attendees this week that he plans no slowdown in HIPAA enforcement.

“I come from the Department of Justice Office for Civil Rights; I bring that mindset to OCR. We’re still looking for big, juicy egregious cases” for enforcement, Severino said, according to this report in Data Breach Today. That doesn’t mean smaller companies should assume they are off the radar, he added.

He said 2017 was OCR’s second biggest year for HIPAA settlements with $19.4 million collected, second only to 2016 in which OCR collected nearly $25 million.

Physicians have their hands full on the best of days. It’s not difficult to imagine why using a voice assistant such as Amazon’s Alexa or Apple’s Siri might be attractive.

In fact, a recent survey showed nearly one in four physicians uses the assistants for work-related purposes, such as researching prescription drug dosing. It’s likely many are unaware of the information security dangers they pose.

In an interview with SCG Health Blog, Fox Rothschild attorneys Elizabeth Litten and Michael Kline explain that the labor-saving devices pose a bevy of data privacy and security risks, and offer doctors six helpful tips for protecting their practices.

Elizabeth Litten (Fox Rothschild Partner and HIPAA Privacy & Security Officer) and Mark McCreary (Fox Rothschild Partner and Chief Privacy Officer) will be presenting at the New Jersey Chapter of the Healthcare Financial Management Association on August 30, 2017, from 12:00-1:00 pm Eastern Time. The presentation is titled: “Can’t Touch That: Best Practices for Health Care Workforce Training on Data Security and Information Privacy.”

This webinar is a comprehensive review of information privacy and data security training, with an emphasis on imparting practical know-how and a fluency with the terminology involving phishing, ransomware, malware and other common threats. We will cover best practices for sensitizing health care industry workers to these threats as part of their ongoing HIPAA compliance efforts and, more generally, for training workers in any business on the proper handling of sensitive data. We will cover the adoption of policies and a training regimen for the entire workforce, as well as tailored training for those in positions responsible for implementing security policies.

More information and a registration link can be found here.

Eric Bixler has posted on the Fox Rothschild Physician Law Blog an excellent summary of the changes coming to Medicare cards as a result of the Medicare Access and CHIP Reauthorization Act of 2015. Briefly, the Centers for Medicare and Medicaid Services (“CMS”) must remove Social Security Numbers (“SSNs”) from all Medicare cards. Therefore, starting April 1, 2018, CMS will begin mailing new cards with a randomly assigned Medicare Beneficiary Identifier (“MBI”) to replace the existing use of SSNs. You can read the entire blog post here.

The SSN removal initiative represents a major step in the right direction for preventing identity theft of particularly vulnerable populations. Medicare provides health insurance for Americans aged 65 and older, and in some cases to younger individuals with select disabilities. Americans are told to avoid carrying their Social Security card to protect their identity in the event their wallet or purse is stolen, yet many Medicare beneficiaries still carry their Medicare card, which contains their SSN. CMS stated that people age 65 or older are increasingly the victims of identity theft, as incidents among seniors increased to 2.6 million from 2.1 million between 2012 and 2014. Yet the change took over a decade of formal CMS research and discussions with other government agencies to materialize, in part due to CMS’ estimates of the prohibitive costs associated with the undertaking. In 2013, CMS estimated that the costs of two separate SSN removal approaches were approximately $255 million and $317 million, including the cost of efforts to develop, test and implement modifications that would have to be made to the agency’s IT systems (see the United States Government Accountability Office report dated September 2013).

We previously blogged (here and here) about the theft of 7,000 student SSNs at Purdue University and a hack that put 75,000 SSNs at risk at the University of Wisconsin. In addition, the Fox Rothschild HIPAA & Health Information Technology Blog discussed (here) the nearly $7 million fine imposed on a health plan for including Medicare health insurance claim numbers in plain sight on mailings addressed to individuals.

In one of the best examples we have ever seen that it pays to be HIPAA compliant (and can cost A LOT when you are not), the U.S. Department of Health and Human Services, Office for Civil Rights, issued the following press release about the CardioNet settlement. This is worth a quick read and some soul searching if your company has not been meeting its HIPAA requirements.

April 24, 2017
Contact: HHS Press Office

$2.5 million settlement shows that not understanding HIPAA requirements creates risk

The U.S. Department of Health and Human Services, Office for Civil Rights (OCR), has announced a Health Insurance Portability and Accountability Act of 1996 (HIPAA) settlement based on the impermissible disclosure of unsecured electronic protected health information (ePHI). CardioNet has agreed to settle potential noncompliance with the HIPAA Privacy and Security Rules by paying $2.5 million and implementing a corrective action plan. This settlement is the first involving a wireless health services provider, as CardioNet provides remote mobile monitoring of and rapid response to patients at risk for cardiac arrhythmias.

In January 2012, CardioNet reported to the HHS Office for Civil Rights (OCR) that a workforce member’s laptop was stolen from a parked vehicle outside of the employee’s home. The laptop contained the ePHI of 1,391 individuals. OCR’s investigation into the impermissible disclosure revealed that CardioNet had insufficient risk analysis and risk management processes in place at the time of the theft. Additionally, CardioNet’s policies and procedures implementing the standards of the HIPAA Security Rule were in draft form and had not been implemented. Further, the Pennsylvania-based organization was unable to produce any final policies or procedures regarding the implementation of safeguards for ePHI, including those for mobile devices.

“Mobile devices in the health care sector remain particularly vulnerable to theft and loss,” said Roger Severino, OCR Director. “Failure to implement mobile device security by Covered Entities and Business Associates puts individuals’ sensitive health information at risk. This disregard for security can result in a serious breach, which affects each individual whose information is left unprotected.”

The Resolution Agreement and Corrective Action Plan may be found on the OCR website at

HHS has gathered tips and information to help protect and secure health information when using mobile devices:

To learn more about non-discrimination and health information privacy laws, your civil rights, and privacy rights in health care and human service settings, and to find information on filing a complaint, visit us at

In its ongoing guidance* initiatives, the Office for Civil Rights (OCR) has continued to interpret key obligations within the HIPAA Privacy and Security Rules (45 C.F.R. Parts 160, 162 and 164) (HIPAA Rules). Most recently, OCR has added FAQ details about cloud service providers (CSPs) as business associates (Cloud Guidance) under the HIPAA Rules. It should be noted that all CSPs, despite varying levels of functionality and service, are treated alike in the Cloud Guidance.

OCR first addressed whether a CSP is a business associate if it stores encrypted Protected Health Information (PHI) without access to the encryption key.

CSPs Are Business Associates Despite Encryption Practices

OCR made clear that when a CSP handles electronic PHI (ePHI) – transmits, creates, maintains or receives ePHI – the CSP becomes a “Business Associate” under the HIPAA Rules, even if it handles only encrypted data and holds no encryption key. Even though such a CSP cannot view the ePHI, the fact that it handles and/or maintains that data makes it a Business Associate. OCR reasons that encryption limits viewing of ePHI but cannot protect it from corruption by malicious software or assure its availability at all times – two requirements (integrity and availability) that must be fulfilled under the HIPAA Security Rule.

However, OCR added that a CSP dealing with encrypted ePHI without an encryption key can still meet Security Rule access control obligations, for both the Covered Entity and the CSP, through the safeguard measures of the Covered Entity. OCR explained:

[I]f a customer implements its own reasonable and appropriate user authentication controls and agrees that the CSP providing no-view services need not implement additional procedures to authenticate (verify the identity of) a person or entity seeking access to ePHI, these Security Rule access control responsibilities would be met for both parties by the action of the customer.

Notably, a CSP will not be held responsible for compliance shortfalls that arise from its Covered Entity/Business Associate customers. Relevant compliance responsibility agreements that protect the CSP will also remain valid. OCR added further interpretations about the Privacy Rule requirements for CSPs performing “no-view services.” A CSP may not use or disclose PHI unless the Business Associate Agreement (BAA) and the Privacy Rule permit those actions. A CSP is not authorized to restrict its Business Associate or Covered Entity customer from gaining access to its own ePHI.

PHI Storage and Retention Does Not Make a CSP a ‘Mere Conduit’

OCR, in another FAQ, goes on to clarify that a CSP is not a “mere conduit,” a designation that would exempt it from the HIPAA Rules that apply to Business Associates.** The conduit exception is made only for very specific cases – a CSP is a conduit only if its services are limited to transmission and do not involve any data storage beyond what is needed to properly execute those transmission services. By these standards, a CSP that provides both transmission and data retention services is a Business Associate.

Business Associate Status Extends to Downstream CSPs

CSPs have worried that, in cases where no BAA is formed, they may not be aware that they are providing services to a Business Associate or a downstream subcontractor. OCR states that if a CSP provides services that make it a Business Associate, the CSP assumes Business Associate liabilities. However, per OCR, when a CSP lacks “actual or constructive knowledge that a covered entity or another business associate is using its services to create, receive, maintain, or transmit ePHI,” the CSP should address all HIPAA compliance shortcomings within 30 days of becoming aware of this circumstance. Acting within that timeframe affords the CSP a liability waiver of sorts, and OCR may extend the period by an additional 30 days depending on the specific issues of noncompliance. If it is shown that the CSP willfully neglected to investigate the potential for this circumstance, it will not be afforded similar corrective opportunities. A CSP that finds itself in noncompliance should document all attempts and achievements to comply with the HIPAA Rules, or remove or protect the ePHI in question.

ePHI Audits, Offshoring, and Maintenance and Cloud Security

Audit Requirements: OCR affirms that the HIPAA Rules obligate Covered Entities and Business Associates to obtain and document security assurances from contractors and vendors in the form of BAAs. Auditing those entities is not required.

Offshoring: Concerns arise when CSPs store or retain data on servers outside the U.S., which affects security and HIPAA enforcement. Notably, OCR points out that offshoring is neither prohibited nor addressed in the HIPAA Rules, but data storage beyond U.S. borders obligates the CSP and all contracting parties to account for the added vulnerabilities in the risk analyses and risk management plans required by the HIPAA Security Rule.

ePHI Maintenance: A CSP does not have to maintain ePHI beyond the services it agreed to provide. OCR notes that the HIPAA Privacy Rule requires the BAA to address whether a CSP must return or destroy ePHI at the termination of the BAA. If return or destruction of the data is not feasible, the CSP is obligated to continue protecting the data in a way that adequately addresses the reason it cannot return or destroy it.

Important Notes

  • CSPs typically utilize Service Level Agreements (SLAs) that contain language which affects HIPAA compliance. SLAs address service performance details regarding system availability/reliability, data backup and recovery and data return/termination requirements. OCR advised that BAAs and SLAs should be consistent with each other and executable under the HIPAA Rules. Further, SLAs cannot restrict a Covered Entity from gaining access to its own PHI, and SLA conditions that violate the HIPAA Rules will create noncompliance issues for the Covered Entity.
  • A CSP must have security incident reporting policies for its Covered Entity and Business Associate customers that comply with the Security Rule and the Breach Notification Rule.
  • OCR will not make any kind of recommendation for technology and products that offer HIPAA-compliant cloud services.
  • Mobile devices may be used by Covered Entities and Business Associates to access CSP-stored ePHI in the same way as non-cloud means. The BAA addressing ePHI access via mobile device should require the CSP to have satisfactory physical and technical safeguards that maintain all necessary data protection and security.

*See, OCR Guidance on Ransomware, July 11, 2016 and OCR Guidance for Long Term Care Facilities May 2016.

**See OCR’s analysis of the “conduit” exemption at 78 Fed. Reg. 5565, 5571 (January 25, 2013).

Ransomware attacks are becoming more common. In a typical attack, cyber criminals use a type of malware that effectively takes a computer system hostage by blocking access to the system until a ransom demand is paid. One of the latest victims, Hollywood Presbyterian Medical Center (HPMC) in Los Angeles, made headlines when it opted to pay a ransom to end a 10-day lock of its computer system, including its electronic medical records system.

Some ransomware programs display an official-looking legal warning on the victim’s screen, purporting to notify the user that they committed a crime and demanding a payment to avoid legal prosecution or jail. These attacks are especially worrisome for hospitals that use electronic medical records because they effectively paralyze the entire system. During the lockout period, HPMC was forced to create paper records and use fax machines to transmit information. Some emergency patients were sent to other hospitals.

Hospitals are especially vulnerable to these attacks. Medical systems often rely on outdated software and some medical devices – such as MRI machines, fetal monitors, and IV pumps – have embedded software that uses older programs with unpatched bugs vulnerable to cyberattacks.

Ultimately, HPMC made a ransom payment of 40 bitcoins, currently worth about $17,000. The hospital’s executives concluded that paying off the criminals was the most cost-effective way to resume normal operations. When it publicly disclosed the attack, HPMC also declared that none of its patient records were breached.

Law enforcement officials and cybersecurity experts are encouraging victims of ransomware attacks to resist paying. The rationale is that every capitulating victim helps to create a culture of acquiescence that encourages more attacks and escalating ransom demands.

The vast majority of ransomware incidents can be traced to phishing attacks – a link sent by email that is inadvertently clicked on by someone. Thus cybersecurity training and efforts to increase awareness are the most effective and cost-efficient means of defending your business.

But while prevention is key, it’s also vitally important to be proactive and create a breach response plan for mitigating the effects of any attack in the future.

Last week we posted about A Brief Primer on the NIST Cybersecurity Framework. Our partner and HIPAA/HITECH expert Elizabeth Litten took the NIST Cybersecurity Framework and created a blog post for the HIPAA, HITECH and Health Information Technology Blog titled How the NIST Cybersecurity Framework Can Help With HIPAA Compliance: 3 Tips, which can be read here. For those facing any HIPAA-related issues, it is a worthwhile read.

A small single-site compounding pharmacy in Colorado has reached a $125,000 settlement with the Department of Health and Human Services’ (DHHS) Office for Civil Rights (OCR) to address deficiencies in its HIPAA compliance program.

Under the resolution agreement, the $125,000 cost of which does not include time, expenses and legal fees associated with the investigation, Cornell Prescription Pharmacy will also adopt a corrective action plan.

It’s a stark reminder that no matter what the size of the company, taking proactive measures to protect patient information and making sure employees are trained on those measures reduces costs and limits exposure to regulatory enforcement and increasing state litigation around data breaches.

What happened

Cornell’s troubles started in January 2012 after a Denver TV news reporter found the records of 1,610 people in an unlocked, open, publicly accessible container outside its offices. The intact records had not been shredded, and identities had not been stripped. Federal authorities launched an investigation of potential HIPAA violations.

That investigation led OCR to identify additional HIPAA violations, including a failure to implement HIPAA policies and procedures and to properly train its workforce.

Cornell’s settlement requires it to develop and implement written HIPAA policies and procedures, submit them to DHHS within 30 days, and implement them within 30 days of the agency’s approval. It must also get all of its employees to certify in writing that they have read, understand and will follow the new policies. The company must report back to DHHS on the status of implementation within 60 days of the policies’ approval, and annually for at least two years.

The settlement, combined with a similar $100,000 settlement reached recently with Phoenix Cardiac Surgery, demonstrates that size does not matter to OCR when it comes to HIPAA enforcement.

“Regardless of size, organizations cannot abandon protected health information or dispose of it in dumpsters or other containers that are accessible by the public,” said OCR Director Jocelyn Samuels.

Questions about HIPAA compliance or securing protected health information? Contact a member of Fox Rothschild’s Privacy & Data Security or Health Law practices.