The Wayback Machine - https://web.archive.org/web/20201113065426/https://hipaablog.blogspot.com/

HIPAA Blog

[ Monday, November 09, 2020 ]

 

 Recent HIPAA news and notes: I should've posted this 2 months ago; left myself a note but lost it.  Well, now I've rediscovered it.

REcently the US Cybersecurity and Infrastructure Security Agency joined with its counterparts from Austrilia, New Zealand, Canada and the UK to issue a Joint Cybersecurity Advisory.  The JSA highlights some technical approaches entities with sensitive data might take to prevent hackers and others from targeting them with malicious activity.  You might find it useful.  


Jeff [3:48 PM]

[ Tuesday, October 20, 2020 ]

 

 Ransomware update: exfiltration is becoming common: I just read a very interesting article from the Crypsis Group on recent ransomware activity. I'm no techie, so the discussion of TTP's (Techniques, Tactics and Procedures) was a little much for me, but the underlying takeaway was pretty disturbing: about a quarter of all ransomware attacks now also include data exfiltration.  That dramatically increases the reputational harm that's possible; being unable to serve your customers because your data is locked up is embarrasing, but having your customers' data distributed "in the wild" is much worse.  But it also virtually ensures that reporting would be required if PHI is part of the data.

I've long held, despite OCR's original guidance (later softened), that a ransomware event that does not involve exfiltration of data is very unlikely to require reporting: the corollary would be that a person who changes the locks on your doors without disturbing the contents of your house isn't a thief, so a person who encrypts your data but doesn't look at or take it doesn't count as a "breach" under HIPAA.  Most early ransomware variants did not exfiltrate data; the threat actors just wanted to hold your data hostage, not actually see or acquire it.  Sure, that does result in a loss of "availability," which is a Security Rule issue, but it's not an "unintentional access, acquisition or use" for purposes of HIPAA's definition of breach (nor should it be).  Your confidence level of lack of exfiltration must be virtually absolute, though; a tie goes to the runner, so if there was a reasonable possibility of exfiltration, you'd need to treat it as a breach. (And I don't need to remind you, this is not legal advice -- if you have questions about an incident you suffered, hire good HIPAA counsel).

However, if exfiltration is going to be common, it's going to be hard not to report a ransomware attack. 


Jeff [11:18 AM]

[ Monday, October 19, 2020 ]

 

Defino and Dissent: If you follow me on Twitter these days, you know I'm not too happy with the sorry performance of the vast majority of American media.  I'm not alone: the American public actually trusts Donald Trump to provide honest information about Covid more than they trust the media to honestly report on it. That is shocking, and ultimately very troubling for our democracy.

But even though the media at large is full of "idiots," that doesn't mean there aren't some exceptions that prove the rule. Two of my favorite people in the "media" side of data privacy reporting are Theresa Defino, reporter for Report on Patient Privacy, and the mysterious "Dissent Doe," who can be found moderating and populating the website www.databreaches.net (subtitle: "The Office of Inadequate Security")and posting on Twitter under the handle, @PogoWasRight.   

Dissent achieved true HIPAA fame when she was recently named in an OCR settlement agreement -- of course, it was one involving the notorious hacker group The Dark Overlord, so it was a pretty interesting situation all around. 

Anyway, Theresa had the opportunity to write up a profile of Dissent, which you can see here.  Although I don't always agree with them, these are two good people in the HIPAA space.


Jeff [5:52 PM]

[ Thursday, October 15, 2020 ]

 

Did the pandemic cause the healthcare industry to improve cybersecurity?  Apparently, many cybersecurity professionals in the healthcare industry think so.  

Jeff [7:43 AM]

[ Monday, October 12, 2020 ]

 

More OCR fines for failure to provide access: As I noted earlier, OCR has been on a tear lately, fining covered entities for failing to grant patients access to their PHI.  Last week, they announced their eighth access-related settlement this year, with Phoenix-based Dignity Health's St. Joseph Hospital paying a $160,000 fine.

In addition to laying down rules on when PHI can be used or disclosed, and rules on how PHI must be secured, HIPAA also grants individuals 6 specific rights with respect to covered entities.  While the right to receive a Notice of Privacy Practices is really the most important (it's the disclosure of the rules of the road that the covered entity will abide by), the second most important is probably access.  With a few carefully-carved exceptions, patients have the right to access their PHI if it's held by a covered entity.  The covered entity may have the right to own and control its own business records, but the information contained in those records also belongs to the patient.  Covered entities who jealously guard the information and "block" it from being obtained when needed might also have issues under the recent data-blocking rules.  More to come on that front. . . . 


UPDATE: Number 9: NY Spine Medicine pays $100,000 fine for failure to provide a patient with timely access to her medical records.  These are substantial fines for doing what are pretty stupid things.  

UPDATED again to fix the link


Jeff [9:31 AM]

[ Thursday, October 08, 2020 ]

 

 Why are people asking if HIPAA protects President Trump?  Because the country is overrun by idiots and members of the press (but I repeat myself) who think laws should give protection to people they don't like.  


Jeff [10:54 AM]

[ Wednesday, October 07, 2020 ]

 

 There was much talk about this earlier in the pandemic, but it's clear that HIPAA allows covered entities to notify 911 operators and other first responder entities of the identity of covid pateints, so that the responders can protect themselves and others.  OCR even issued guidance regarding the matter.  States responded differently, some with greater disclosures and others (Tennessee for example) with more restrictions.  Louisiana was one of the more freely-disclosing states, but apparently they have recently stopped the flow of information.  

Of course, there's a legimate question about whether sharing that information is really necessary: it could help protect both the first responder and anyone else the infected individual came into contact with (imagine an infected patient being put in a crowded jail instead of isolation, since the police didn't know they had Covid), but comes at the potential cost to individual liberty of an invasion of privacy.  

Of course, that's the same argument about masks.  In both cases, it should be a balancing act, but certain people are guns-out in favor of protecting liberty in one instance and equally guns-out in favor of government overrunning individual liberty in the other.

If you're adamantly pro-mask and adamantly anti-sharing-data-with-first-responders, you should at least recognize the inherent inconsistency.  



Jeff [9:58 AM]

[ Friday, October 02, 2020 ]

 

 Apparently all of USH's 250 hospitals were affected by the big malware attack.


Jeff [3:34 PM]

[ Monday, September 28, 2020 ]

 

 CHSPSC is Community Health System's management service organization, which provides business management, IT, and HIM services to hospitals and physician practices.  That makes them a Business Associate.  They got hacked by an APT from a hacker group in 2014, and the hackers got access to and absconded with PHI on over 6 million patients.  The FBI reported it to CHSPSC in April, but they didn't get the hack fully shut down until August. Guess what? No risk analysis, no info systems activity review, insufficient access controls (the hackers got admin access, so this one isn't necessarily fair, but the lack of activity auditing woulda cured this), and insufficient security incident procedures.  Fine: $2,300,000.  

UPDATE: As is usually the case these days, reportable data breaches under HIPAA are also state-law data breaches, subject to fines from state attorneys general.  Such is the fate of Community Health System and its management company, CHSPSC.  Fine to the state AGs: $5 million.


Jeff [11:16 AM]

[ Sunday, September 27, 2020 ]

 

 Permera, the biggest insurer in Alaska and Hawaii, suffered a phishing attack that managed to install advanced persistent threat malware, resulting in the breach of PHI of over 10 million people, including social security numbers, bank account numbers, and health informtion.  Being a victim isn't a HIPAA problem, unless you become a victim by your own fault.  Here, Permera had not conducted an enterprise-wide risk analysis, and had no risk managment plan.  Those are the facts that account for the size of the fine, not the fact that hackers got in (although, if they had a risk analysis and risk managment plan, they might've limited the damage from the hack, or even prevented it.


Jeff [11:17 AM]

[ Thursday, September 24, 2020 ]

 

 I should've noted this Monday when I found out, but news came out this week of a big fine for a HIPAA breach.  Athens Orthopedic first heard from a journalist from www.databreaches.net (that journalist would be my friend, the inestimable Dissent Doe, also known as @PogoWasRight on Twitter) that a notorious hacker group, that goes by the handle TheDarkOverlord or TDO, had access to their patient records and was pulling out data and selling it.  TDO promptly followed up with a ransomware demand.  

So why the big fine?  Athens Orthopedic had not done a risk analysis and had no HIPAA policies and procedures in place.  Would a risk analysis and cybersecurity plan have kept TDO out?  We'll never know for sure, but it might have, and that's enough.  

How's your cybersecurity?  Go grab a copy of your last risk analysis.  Is it over a year old?  Might want to consider an update.  What do you mean you can't find it?  You're sure you did one but just can't locate it?  That won't fly with OCR.  Got an extra million bucks for a fine?  


Jeff [8:23 AM]

 

 A couple of news items from earlier this week point out how cybersecurity and ransomware are particularly problematic for the healthcare industry:

Less than half of all large health systems meet national cybersecurity standards.

Two-thirds of all healthcare data breaches are caused by hackers.  


Jeff [7:49 AM]

[ Thursday, September 17, 2020 ]

 

 Blackbaud is (was?) one of the nation's largest service vendors to charitable institutions, helping them manage their donor lists and fundraising efforts.  They were subject to a ransomware attack that might've hit the mother lode of data, mainly on donors to these charities, but also to some of the beneficiaries and/or customers of the charities.  Obviously, some non-profit healthcare institutions were likely to get caught up in the mess, and the dominoes are starting to fall: Minnesota Children's (160,000 donors/patients) and Allina Health (200,000) have reported that they are victims


Jeff [12:12 PM]

[ Wednesday, September 16, 2020 ]

 

 ONC has announced updates to the Security Risk Assessment framework that OCR encourages HIPAA covered entities to use in conducting their risk assessments.  Remember, conducting a risk assessment is a required Security Rule safeguard; since you gotta do it, you might as well do it right.  I highly recommend poking around in the tool, even if you aren't actually doing an assessment, because it makes you think about your own data security.  Very useful help, especially from a bureaucracy.  


Jeff [1:05 PM]

 

 Yesterday OCR announced 5 new settlements involving covered entities that failed or refused to provide patients with access to their PHI, as required by HIPAA.  

In addition to restrictions on uses and disclosures of PHI, HIPAA also grants individuals 6 rights with regard to their PHI.  While the capstone is the right to receive a Notice of Privacy Practices (an explicit recitation of the "rule of the road" that the covered entity must comply with), the second-most important is the right of individuals to access their own PHI.  

In my opinion, the OCR statement is good in a number of ways; first, it gives some specifics of how the various entities failed, several of which had multiple opportunities to fix the problem without paying a fine but failed to take effective action.  Secondly, the fines are reasonable, given the crimes.  Too often, OCR hits only a few offenders and levies astronomical fines, in the apparent hope that others will learn by example; I think they would do better with more, but lower dollar, fines.


Jeff [1:00 PM]

[ Monday, September 14, 2020 ]

 

 I don't particularly agree either with the premise or conclusion of this WSJ article (probably paywall protected).  HIPAA works very well for what it does.  It's not a all-health-information-gets-privacy law, because that's unworkable and unreasonable.  People exchange health information all the time.  A common greeting is, "how are you," which is a question about your health.  If I see you walk with a limp or with an arm in a sling, or even just looking pale, your appearance has conveyed health information to me.  Some information about you that's not directly related to healthcare can contain bits of health information (what you buy at the grocery store or order at a restaurant says something about your health).


Sensibly, and consistent with American jurisprudential practice, HIPAA only tried to govern the specific area where privacy of health information is and should be protected -- within the healthcare system.  Is this new regulatory scheme going to try to govern every exchange of health information?


Jeff [11:52 AM]

[ Tuesday, September 08, 2020 ]

 

OK, there's no excuse, but I haven't blogged much and I've got a lot of items stacked up in the queue.  One of those is discussing OCR's summer cybersecurity newsletter.

But since I've been remiss, let me point out an article by Jackson Lewis on OCR's tips for conducting an IT asset inventory.  If you've played around in HIPAA security for awhile, you might think this is a required element under the Security Rule, but it's not specifically (maintenance records of IT equipment must be kept, which implies an inventory (how do you know what you've fixed, and whether a fix is due, if you don't know what you have?).  However, most security rule exercises use an asset inventory and a storage location analysis to help guide the analysis.

Jeff [8:59 AM]

[ Thursday, September 03, 2020 ]

 

Do you have questions about the HIPAA impact of the use of mobile health apps?  Can you/should you use one?  Which ones to choose?  Is the app provider your business associate?  How does the use of an app implicate your obligations to provide access, amendment, an accounting of disclosures?

Well, OCR is actually going to help you out (a little) with a page dedicated to healthcare apps.  They can't answer all your questions (some are just "it depends" or "you need to investigate and decide for yourself"), but there is a lot of good information that will help guide you as you consider new technologies and solutions.


Jeff [1:51 PM]

 

 Interestingly, as this article by Sidley points out, through the first 3 quarters of 2020, it appears that OCR has only issued 3 major settlements involving HIPAA, all of which involve Security Rule issues.  All involved breaches: one stolen laptop, one hacked email (phishing,I'm sure), and one settlement that could've been avoided if the provider had simply accepted the help OCR offered (see the Children's Medical Center of Dallas settlement of a few years ago for a similar example of failing to grab the proffered lifeline).

Why so few?  You'd have to ask OCR, but I think the pandemic is the primary cause.  First, the pandemic and the response to it have required creative solutions, and OCR is likely trying to tread lightly and grnt lots of leeway to those who are trying to do good but instead fail.  Also, due to the pandemic and preparations such as ventilator rationing strategies and other potential overflow triaging, OCR's current focus has been on the "civil rights" side of its mission -- making sure those rationing and triaging strategies don't violate the civil rights of certain vulnerable populations.  Regardless, barring egregious circumstances, I think OCR will continue to eschew the whip hand, and offer a helping hand instead.


Jeff [1:17 PM]

[ Thursday, August 27, 2020 ]

 

Interesting article highlighting recent actions by several large radiology organizations.  Recent technological advances have made optical character recognition (OCR) (*uh, not that OCR) more pervasive. This is the technology that allows you to search a PDF for a particular word.  OCR wasn't originally smart enough to use on images (the program would spend too much time trying find words in someone's face that it would bog down before it got to "Hello, my name is Bob" on the name tag), but it's gotten better apparently.  

Due to the high unlikelihood that anyone would try to scan images for text, radiologists and others haven't been as careful with where they store and transmit medical images as they are with medical documents.  Now that OCR is available at scale, and can be operated through a search engine, the tiny patient name or other identifier in the corner of an x-ray might be much more easily discoverable. 


Jeff [10:58 AM]

[ Tuesday, July 21, 2020 ]

 

Alabama's Sarrell Dental Center suffered a ransomware attack that affected the records of almost 400,000 patients.  Some patients sued in a putative class action, but a federal judge has dismissed the suit, noting that actual damages haven't been shown since the records were not copied, downloaded or removed. 

As my UTD students know, f you can't show damages, you can't bring a negligence claim.  

Jeff [1:05 PM]

[ Sunday, July 19, 2020 ]

 

Part 2 News: In addition to HIPAA (45 CFR parts 160 and 164), federally supported substance abuse treatment centers must also comply with 42 CFR part 2.  The original purpose of the rule is to prevent substance abusers from refusing treatment out of fear that their treatment records could be used to prosecute them for drug crimes.

Basically, Part 2 is a super-strict PHI non-disclosure rule: with very limited exceptions ("break-the-glass" emergencies, some research, and program audits, basically), entities covered by Part 2 can't release patient records except with patient consent, even if the release is for treatment, payment, or healthcare operations.  Additionally, the rules on the required form of patient authorization are strict.  One particular aspect is that the authorization must indicate with specificity who the recipient is to be; it can't be a blanket release ("to any of my providers"), but must be specific ("to Dr. Smith").

HHS has been discussing whether to change the rule somewhat, to address new coordinated care requirements.  With the advent of medical homes, ACOs, and other patient-centered healthcare delivery structures, specifically identifying the recipient of the records is hard.  HHS has decided to relax that part of the Part 2 rule, to allow for a type of recipient, rather than the specific recipient, to be named in the authorization. 

The final HHS rule on the change was released last week.  

Jeff [10:08 AM]

[ Friday, July 17, 2020 ]

 

I haven't been able to read the whole story here (it leads to a Westlaw paid page), but it looks like Aetna wants the plaintiff's firms that caused their big breach (discussed here; it was a really bad one involving HIV information) by using window envelopes.  This interesting, because this was not Aetna's lawyers, but rather the firms pursuing a class action lawsuit against Aetna.  Thus, Aetna has no BAA with them.  Also, these law firms are not covered entities, and since they represented the individual plaintiffs, they would not be business associates; thus the firms are not subject to HIPAA for their culpability in the breach.  Interesting. . . .

Jeff [10:43 AM]

[ Monday, July 06, 2020 ]

 

HIPAA Changes Coming?  According to Becker's Health IT, HHS is considering new HIPAA rulemaking, impacting two areas.  First, the agency is considering a specific revision to expand the ability to share data for care coordination and case management, presumably to assist ACOs and other integrated (but independent) care providers.  Personally, I think the HIPAA Privacy Rule as currently drafted allows sufficient data-sharing, but HHS might be reacting to industry concerns and hypersensitivity, which is understandable.  The second area is finally determining how OCR should share funds received from fines and penalties with affected individuals.  This was an element included in the HITECH Act, but given that OCR gets funding from those penalties, it's not surprising that they've dragged their feet so far in getting this done.

UPDATE: Here is the draft of the proposed regs  on sharing of fines (note, I haven't read them yet), courtesy of @BobCoffield.

UPDATE 2: Also from @BobCoffield, here's the proposed regs on care coordination (haven't read these yet either).

UPDATE 3: Doesn't look like either of the reg sets are fully baked.  The sharing of fees one references back to the 2011 Notice of Proposed Rule Making, and the possibility of a second NPRM in April 2021.  The case management/care coordination one harkens back to 2018, and indicates a NPRM expected June 2020.  But in both cases, no new regulations are out just yet.  

Jeff [7:30 AM]

[ Monday, June 15, 2020 ]

 

Today's news brings a couple of actions in recent data breaches.


Jeff [10:33 AM]

[ Friday, June 12, 2020 ]

 

Can a provider contact patients who have tested positive for Covid-19 and encourage them to donate blood and/or plasma?  The answer is yes, so long as it does not meet the definition of marketing (or if it does, meets an exception).  OCR has just issued guidance specifically on this issue.

How do you do this?  A quick guide would be to follow the following steps:


The OCR guidance is here, and the press release is here.



Jeff [12:37 PM]

[ Friday, June 05, 2020 ]

 

Reporting Covid information to first responders: We are starting to see different jurisdictions issue different rules for sharing Covid-19 patient information with first responders.  A few days ago Tennessee announced that it would stop sharing, while yesterday Oklahoma announced that, having stopped, was going to resume sharing.  

If you want to know what's happening in Bakersfield, California (and what I think about it), check this out.  

Jeff [3:04 PM]

[ Friday, May 15, 2020 ]

 

Question:

Hello Mr. Drummond,

I've just read the COSMOS April Privacy Brief by Theresa Defino that cites comments from you regarding the press release issued March 24 on the OIG guidance allowing CEs to share lists of people exposed to or treated for covid with first responder dispatches.  Do you know how the recipients of this list will know when to take someone off the list, e.g. the person has been successfully treated for or otherwise cleared from covid?


Answer:

The HIPAA rules and OCR’s guidance don’t address that at all (they also don’t require the disclosures to be made, just note that they are generally allowed in the current environment).  Thus, any removal or revisions to the list would likely come from the initial source of the list, whether it’s the governmental agency that compiles the overall list, usually a county health department in a large state or a state health department in a smaller or less populous state, but could be a hospital or health system that is the primary medical provider for a particular jurisdiction.

You make a good point, but it’s one that should be directed at the entities providing the lists or the dispatchers and first responders receiving and using the list – how do you know not to keep treating people who have recovered as if they were still sick?

As I noted in my comments to Theresa, it would be better if the list were kept by the covered entity (and available 24/7/365) and the dispatchers simply contacted the list creator and asked each time they were dispatched to deal with a particular person or a particular residential address.  That might not be practical.


Jeff [5:03 PM]

[ Tuesday, May 12, 2020 ]

 

In the right circumstances, yes.  The Faegere Drinker health law group has a good explainer here, but the key elements are:


  • Patient gives consent. At the time of service, health care providers can obtain written consent from the patient authorizing the release of COVID-19 testing results directly to his or her employer. Unlike other treatment situations, a health care provider may even condition the performance of an employee test on the employee’s provision of an authorization (i.e., the provider may refuse to perform the exam unless the patient executes a valid authorization). See 45 CFR § 164.508(b)(4)(iii).
  • Testing falls under HIPAA’s workplace medical surveillance exception. Health care providers may disclose health screening results directly to an individual’s employer when the service was provided at the employer’s request, and the employer needs the information to comply with legal obligations related to workplace health monitoring. The health care provider must provide the individual with written notice that the information will be disclosed to his employer at the time of the service and must limit the disclosure to the findings regarding the medical surveillance at issue. See 45 CFR 164.512(b)(1)(v).
  • Testing paid for by employer. If the employer subsidizes COVID-19 testing for its employees, the employer may be entitled to information regarding the specific employees the provider tested and when the testing was conducted. However, this would not entitle the employer to the results of the testing.

Jeff [2:10 PM]

 

I've been quoted several times by the media about the recent OCR guidance on allowing covered entities to provide Covid-19 infection information to first responders.  There was an article this morning about the state of Tennessee, and its efforts to notify law enforcement agencies of the identity of Covid-19 patients.

Given OCR's recent guidance, I would say that the governors program (providing names of all Covid-19 patients to police agencies that enter into a memorandum of understanding with the state) is likely permitted under HIPAA (I'm assuming the MoU requires some level of privacy protection, and the program is otherwise reasonable).

As I've stated elsewhere, I think a blanket sharing of PHI with first responders is too loose a standard.  In my opinion, if the whole list of individuals is shared, it should only be shared with dispatchers, who should use the information to inform first responders who are about to contact the infected individual.  I would prefer that the state health department, which keeps the list of reported positive tests, initiate a hotline for first responders (preferrably dispatchers, but possibly even officers themselves if necessary); that way, the information is filtered by a smaller universe of recipients.  That's not a cure in and of itself, but in my opinion it's more reasonable, and therefore the preferable option.

UPDATE: I said I was quoted several times, but in case you want a more fulsome explanation of how I think you should proceed, check out this article by the inestimable Theresa Defino.

Update 2: If I was a Knoxville cop, I'd be wondering if the mayor has my back.  How about, instead of taking good information away from your force, setting up a system within your force to make sure the information is only used for good?  It's one thing to say, "the state shouldn't be distributing the data the way it is because someone may misuse it," but this is basically saying "don't give it to us because WE will misuse it."

Jeff [1:26 PM]

 

I keep getting this question: during the course of the pandemic, hasn't OCR revised HIPAA to allow a lot of different uses and disclosures that were not permitted before?

The answer is No. 

What has OCR done?  Well . . . 

So, basically there have been 7 different announcements (addressing 6 topics) from HHS/OCR about HIPAA since the pandemic began.  [There was actually one earlier but it was very limited in scope (waiver of penalties against hospitals that don’t get NoPP’s out in time and other niceties because they are in emergency mode operations, but the relief is only good for 72 hours.  That one’s pretty useless and pretty much forgotten.]


Anyway, the announcements were:

  1.        Enforcement discretion for providers who use Skype/FaceTime during the pandemic

  2.       Guidance (FAQs) about the Skype/FaceTime enforcement discretion rules

  3.        Guidance to help first responders get PHI about infected individuals

  4.        Bulletin on existing Civil Rights Laws and HIPAA flexibilities

  5.        Enforcement discretion to allow BAs to directly disclose PHI to public health authorities

  6.        Enforcement discretion for community-based testing sites during the pandemic

  7.        Guidance on restrictions on providers granting media access to their facilities



The first 2 deal with providers being able to use non-public-facing apps to conduct remote audio-video patient treatment encounters. #3 clarifies how HIPAA allows covered entities to disclose PHI to first responders, and the data-sensitive ways to do so.  #4 makes clear that covered entities and others can’t discriminate in the provision of healthcare based on Covid-19 status.  #5 allows business associates to disclose PHI to public health authorities and health oversight agencies (covered entities can do so, but the pathway for doing so is less clear for business associates) and #6 states that OCR will not punish covered entities that run testing sites if those sites are not as data-protective as a regular office setting.  #7 is designed to remind covered entities of the several prior HIPAA enforcement actions against hospitals that allowed reality-TV film crews onto their premises; the pandemic is newsworthy, and video of crowded hospital hallways is compelling, but patients who might be identified in the video still have privacy rights.


Note that none of these are revisions to HIPAA, new regulations, or anything of the sort.  They are either enforcement discretion or guidance; the "guidance" is just explaining the rules, and the "enforcement discretion" is just saying that OCR will grant covered entities the benefit of the doubt if they act in good faith in a way that might have been questionable (but not necessarily illegal) in “ordinary” times.  For example, in ordinary times a healthcare clinic would not run a testing center in its parking lot, where the general public can see who is in the car and read license plate numbers, due to privacy concerns; however, it would not be a violation of HIPAA if doing so were otherwise reasonable, such as in an extreme situation, in a restricted-access area, or where other privacy protections could be put in place.  

None of this changes a single word of HIPAA.  Rather, all of these pronouncements are instances of OCR pointing out the flexibility and reasonableness of HIPAA, and how it allows for different levels of protection when circumstances change; what is not reasonable in ordinary times may be reasonable during a pandemic.  Because there may be confusion, and covered entities may put such a great (and unreasonable) emphasis on privacy that effective patient care is compromised, OCR is attempting to put minds at ease and allow less-protective actions in extraordinary conditions.


OCR would not call these actions a relaxation of standards or a change in the rules.  Rather, what OCR has offered is a clarification that the same standards as before apply (i.e., reasonableness), but that the current pandemic conditions present a different set of conditions, such that actions and operations that would be unreasonable in ordinary circumstances might be reasonable during these extraordinary circumstances.  HIPAA has not changed; it is exactly the same, and in fact was designed to remain the same in changing circumstances.  When the circumstances change, the definition of reasonable changes. 


Jeff [1:04 PM]

[ Wednesday, April 22, 2020 ]

 

New article on Zoom and HIPAA.  Fairly accurate but a little alarmist.  And once again, encryption is NOT REQUIRED to be HIPAA compliant; you should always consider encryption in every situation involving data in motion or at rest, but it's merely an addressable standard, not a required one.  

Jeff [8:33 AM]

[ Monday, April 20, 2020 ]

 

Actually, these are good ideas for everyone.  #3 is probably the most important -- the rest end up being part of your plan.

Jeff [2:55 PM]

[ Friday, April 03, 2020 ]

 

More OCR flexibility.  Again, it's enforcement discretion, which means there's no change in the law or regulations, but OCR is granting business associates the same flexibility that covered entities have to disclose for public health and health oversight activities.  Covered entities may disclose PHI without patient authorization to state epidemiology agencies for public health purposes, pursuant to 45 CFR 164.512(b)(1)(i); however, the regs don't give the same authority to business associates.

Instead, the business associate must abide by the terms of their business associate agreements, which may or may not allow such a disclosure.  Almost all BAAs will allow the BA to disclose where "required by law," but some epidemiological disclosures are not technically required: for example, many states require doctors, nurses, educators and certain others to disclose suspected abuse, and allow but do not require the general public to make similar disclosures.  If the disclosure to state infection control officials is permitted but not required, and the BAA allows only "required" disclosures, then the BA must refrain from making the disclosure.

Some BAAs say that the BA may disclose where "permitted or required;" in that case, the BA would be able to report to state health officials.

Ultimately, this is a small-potatoes fix, but it does point out two important things.  First, an interesting factoid to keep in mind about the HIPAA regs: while the HITECH act did incorporate BAs directly into HIPAA in many ways, there still are differences between CEs and BAs, and you have to read the specific language of the regulations carefully (obviously, OCR is reading it carefully).  Secondly, since BAs have fewer rights and less flexibility with respect to uses and disclosures of PHI, ultimately the BA can only do what the BAA allows.  So the language of the BAA really does make a difference.

Keep this in mind, and stay safe out there.

Jeff [12:12 PM]

[ Thursday, April 02, 2020 ]

 

While we're all focused on the novel coronavirus that causes Covid-19, do not lose focus on the general blocking and tackling of data security.  Microsoft has taken the remarkable step of actually warning some large hospital systems that they are severely at risk of a ransomware attack, mainly due to bad patching of vulnerabilities in gateways and access points such as VPN networks and VPN-connected devices. 

As more data use become remote, new data transmission highways develop, and whenever there is change, there are new and unknown vulnerabilities that could be exploited.

Do not fall down on the job of patching software ASAP, constant vigilance to data security needs and changing equipment or patters of use, regular backups, penetration and phish testing, and training of staff.  When staff change work patterns (like working from home), they may be less vigilant, and need more reminders.

Be safe out there.  Wash your hands and practice social distancing, but don't forget to keep up your defenses of the other viruses that were there before.

Jeff [12:36 PM]

[ Friday, March 27, 2020 ]

 

Zoom: Seems like everyone's using Zoom these days.  One thing to be aware of, though, with respect to the free Zoom service: as Consumer Reports points out, their terms of service allow them to use a lot of the information you transmit, particularly if you use the free or low-cost service.  (As always, if a service is free, the service isn't the product, you/your information is).

That doesn't mean they are doing so, just that they could use an attendee list, or even a video, powerpoint or document transmitted on the service to do targeted marketing, or potentially to sell to third parties.  Zoom hasn't responded to Consumer Reports, though.

This highlights two things: think about the services your are using that get to view your information and find out what they can do with it (especially find out if they are actually doing it or deny doing it, even though they have the right to).  And make sure you get a BAA if (i) you are a covered entity under HIPAA and (ii) any of the information that the service comes into contact with might be PHI.

I've looked at Zoom's BAA.  It's ok ("meh").  Doxy.me has a much better one.  But both are minimally sufficient.

UPDATE: one other thing: be the host, if you are the CE.  The host gets to keep data too; that's not a terrible idea, and if the host was in the meeting the host had access to that information, at least at the time of the meeting, so having it later isn't a whole new thing.  But it's like recording a call: don't be surprised later that the meeting host has what amounts to perfect memory.  And if you are the host, be aware of where the recording is stored and transmitted, and how it's used; if it's a telehealth visit, it's PHI, so it should be stored like any other medical record (encrypted at rest and in transit, hopefully).

Jeff [12:44 PM]

[ Friday, March 20, 2020 ]

 

OCR issues the FAQs to flesh out its bulletin on enforcement discretion for uses of Skype and related apps.  One thing to keep in mind: OCR isn't saying use of these apps doesn't violate HIPAA (they're also not saying it does, and people who categorically say that using Skype and FaceTime in any situation violates HIPAA, no matter what, are incorrect); use of those less-than-perfectly-secure apps, when there are safer, more secure apps that could be used without any adverse effect, may well violate HIPAA in most cases, even now.  What they are saying is that OCR won't levy fines if you use those apps during this time of crisis.

Other high points:


Jeff [10:31 PM]

[ Tuesday, March 17, 2020 ]

 

This news came via email from the Office for Civil Rights, the HIPAA enforcement agency, to the OS OCR PrivacyList email group, and is not in the form of posted guidance yet (as far as I can tell). But providers may use "Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, or Skype to provide telehealth without risk that OCR might seek to impose a penalty for noncompliance . . . related to the good faith provision of telehealth during the COVID-19 nationwide public health emergency."

Providers should:


Full text of the email follows.  And watch this blog for further discussion and analysis of HIPAA in times of Coronavirus.
March 17, 2020

Notification of Enforcement Discretion for Telehealth Remote Communications during the COVID-19 Nationwide Public Health Emergency


We are empowering medical providers to serve patients wherever they are during this national public health emergency. We are especially concerned about reaching those most at risk, including older persons and persons with disabilities. – Roger Severino, OCR Director.

The Office for Civil Rights (OCR) at the Department of Health and Human Services (HHS) is responsible for enforcing certain regulations issued under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended by the Health Information Technology for Economic and Clinical Health (HITECH) Act, to protect the privacy and security of protected health information, namely the HIPAA Privacy, Security and Breach Notification Rules (the HIPAA Rules). 

During the COVID-19 national emergency, which also constitutes a nationwide public health emergency, covered health care providers subject to the HIPAA Rules may seek to communicate with patients, and provide telehealth services, through remote communications technologies.  Some of these technologies, and the manner in which they are used by HIPAA covered health care providers, may not fully comply with the requirements of the HIPAA Rules. 

OCR will exercise its enforcement discretion and will not impose penalties for noncompliance with the regulatory requirements under the HIPAA Rules against covered health care providers in connection with the good faith provision of telehealth during the COVID-19 nationwide public health emergency.  This notification is effective immediately. 

A covered health care provider that wants to use audio or video communication technology to provide telehealth to patients during the COVID-19 nationwide public health emergency can use any non-public facing remote communication product that is available to communicate with patients.  OCR is exercising its enforcement discretion to not impose penalties for noncompliance with the HIPAA Rules in connection with the good faith provision of telehealth using such non-public facing audio or video communication products during the COVID-19 nationwide public health emergency.  This exercise of discretion applies to telehealth provided for any reason, regardless of whether the telehealth service is related to the diagnosis and treatment of health conditions related to COVID-19.

For example, a covered health care provider in the exercise of their professional judgement may request to examine a patient exhibiting COVID- 19 symptoms, using a video chat application connecting the provider’s or patient’s phone or desktop computer in order to assess a greater number of patients while limiting the risk of infection of other persons who would be exposed from an in-person consultation.  Likewise, a covered health care provider may provide similar telehealth services in the exercise of their professional judgment to assess or treat any other medical condition, even if not related to COVID-19, such as a sprained ankle, dental consultation or psychological evaluation, or other conditions. 

Under this Notice, covered health care providers may use popular applications that allow for video chats, including Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, or Skype, to provide telehealth without risk that OCR might seek to impose a penalty for noncompliance with the HIPAA Rules related to the good faith provision of telehealth during the COVID-19 nationwide public health emergency.  Providers are encouraged to notify patients that these third-party applications potentially introduce privacy risks, and providers should enable all available encryption and privacy modes when using such applications. 

Under this Notice, however, Facebook Live, Twitch, TikTok, and similar video communication applications are public facing, and should not be used in the provision of telehealth by covered health care providers.

Covered health care providers that seek additional privacy protections for telehealth while using video communication products should provide such services through technology vendors that are HIPAA compliant and will enter into HIPAA business associate agreements (BAAs) in connection with the provision of their video communication products.  The list below includes some vendors that represent that they provide HIPAA-compliant video communication products and that they will enter into a HIPAA BAA.

  • Skype for Business

  • Updox

  • VSee

  • Zoom for Healthcare

  • Doxy.me

  • Google G Suite Hangouts Meet

Note: OCR has not reviewed the BAAs offered by these vendors, and this list does not constitute an endorsement, certification, or recommendation of specific technology, software, applications, or products. There may be other technology vendors that offer HIPAA-compliant video communication products that will enter into a HIPAA BAA with a covered entity.  Further, OCR does not endorse any of the applications that allow for video chats listed above.

Under this Notice, however, OCR will not impose penalties against covered health care providers for the lack of a BAA with video communication vendors or any other noncompliance with the HIPAA Rules that relates to the good faith provision of telehealth services during the COVID-19 nationwide public health emergency. 

OCR has published a bulletin advising covered entities of further flexibilities available to them as well as obligations that remain in effect under HIPAA as they respond to crises or emergencies at https://www.hhs.gov/sites/default/files/february-2020-hipaa-and-novel-coronavirus.pdf - PDF.

Guidance on BAAs, including sample BAA provisions, is available at https://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html.

Additional information about HIPAA Security Rule safeguards is available at https://www.hhs.gov/hipaa/for-professionals/security/guidance/index.html.
HealthIT.gov has technical assistance on telehealth at https://www.healthit.gov/telehealth. 
.

UPDATE: Here's a link to the actual announcement

Jeff [7:22 PM]

 

So, you've probably heard that HHS was hit by a cyber-attack intended to disrupt and slow down its operations; if it can happen to them, it can certainly happen to you.

It's extremely likely that your organization has implemented at least some unusual operating conditions.  Even if you are business as usual, your employees and workforce are more worried, and may not be as focused as they usually are on privacy and security.  Specifically, your workforce members are probably receiving more emails than usual, and are definitely more likely now to open an email or click on a link that sounds important or scary than they were a couple of months ago.  Hackers know that, and they don't care that there's an epidemic (they never let a crisis go to waste).  So now would be a good time to remind your staff to be extra vigilant to phishing efforts.  But it's not just ransomware; remind them to practice all of your data privacy and security hygiene measures.

Risks and threats are elevated in unusual times, and clearly we are in unusual times.  We are living through a "Black Swan" event.  Be extra careful out there.

Jeff [12:20 PM]

[ Monday, March 16, 2020 ]

 

Specifically, the Secretary of HHS will:
"waive sanctions and penalties arising from noncompliance with the following provisions of the HIPAA privacy regulations:  (a) the requirements to obtain a patient’s agreement to speak with family members or friends or to honor a patient’s request to opt out of the facility directory (as set forth in 45 C.F.R. § 164.510); (b) the requirement to distribute a notice of privacy practices (as set forth in 45 C.F.R. § 164.520); and (c) the patient’s right to request privacy restrictions or confidential communications (as set forth in 45 C.F.R. § 164.522); but in each case, only with respect to hospitals in the designated geographic area that have hospital disaster protocols in operation during the time the waiver is in effect."

Basically, HIPAA is still fully operational during this emergency.  However, there's a little flexibility with respect to issues involving notifying friends and family members (in an emergency, you don't want sick people unaccounted for because the provider is afraid to reach out to family and friends of the ill individual), and if a covered entity fails to deliver a Notice of Privacy Practices in the frantic rush to care for people in an epidemic, OCR will forgive that sin. 

However, the rest of HIPAA is still in effect as before.  But that's OK, because, as you'll learn more from me soon (watch this space), one of the beauties of HIPAA is that is operationally flexible and based on a rule of reason, so that it works equally well in fair weather or foul.

Like I said, more to come.


UPDATE: HHS has now issued a bulletin specific to HIPAA (the prior one referenced EMTALA and several other federal laws and regulations).  Again they note the same provisions (splitting the first and third into 2 parts):
• the requirements to obtain a patient's agreement to speak with family members or friends involved in the patient’s care. See 45 CFR 164.510(b).
• the requirement to honor a request to opt out of the facility directory. See 45 CFR 164.510(a).
• the requirement to distribute a notice of privacy practices. See 45 CFR 164.520.
• the patient's right to request privacy restrictions. See 45 CFR 164.522(a).
• the patient's right to request confidential communications. See 45 CFR 164.522(b)

The bulletin also adds specific limited circumstances when the provisions are waived: "only (1) in the emergency area identified in the public health emergency declaration; (2) to hospitals that have instituted a disaster protocol; and (3) for up to 72 hours from the time the hospital implements its disaster protocol."

More importantly, they point out a lot of the ways HIPAA continues to work, and how to make it work in these unique times (more specifically, they point out when HIPAA otherwise permits covered entities and business associates to disclose PHI).  Read the bulletin for more information.

Jeff [7:52 PM]

[ Friday, March 13, 2020 ]

 

Slightly off-topic, but HIPAA (the healthcare privacy silo) occasionally runs up against FERPA (the education privacy silo), so I thought some of you might be interested in seeing how the US Department of Education is advising stakeholders about student privacy in the age of Coronavirus.  

Jeff [3:45 PM]

[ Wednesday, March 04, 2020 ]

 

Quest settled a class action lawsuit against them for a data breach caused by an outside bad actor.  The settlement was less than $200,000, so I'm sure it made financial sense to settle.  But I think this will help feed the class action breach business, which is just bad law when there are no actual damages.  Nobody could show how the accessed data was improperly used, much less any damage anyone actually suffered.  Lots of class action cases are solely about attorneys' fees.

Jeff [8:56 AM]

 

This has nothing to do with HIPAA.  Drug companies are using NON-MEDICAL information to target people who MIGHT be the appropriate target market for their drugs.  HIPAA is not implicated, not in the least.  Get a grip.  

Jeff [8:48 AM]

[ Monday, March 02, 2020 ]

 

Harris Health System, the Houston-area public health system, can't find a couple pages of paper documents with patient information on them.  No telling what happened -- the pages disappeared while in route from one facility to another.  This happens from time to time.

Harris did the right thing -- notified everyone potentially affected, all 2,300.

This is also why you shouldn't freak out about every reported breach.  Some are out of an abundance of caution.  There's a 99.9% chance that no PHI got out to the "bad guys," but reporting requirements are such that, that's still considered a breach. 

Jeff [8:59 AM]

[ Wednesday, February 19, 2020 ]

 

Adding Insult to Injury: As @PogoWasRight noted over the weekend at databreaches.net, class action lawsuits have been filed against Hackensack Meridian Health due to the fact that HMH got hit by ransomware.  The hospitals had to delay and reschedule non-emergency procedures.  No emergency patients were denied care, and no inpatients were harmed by the attack.  It's not even clear if the ransomware event resulted in data exfiltration; the fact that the hospital system has not reported the incident to HHS or notified patients leads me to believe there was no exfiltration.

(Despite OCR's claim that any ransomware attack is a reportable breach, the regulations do not support that interpretation.  Unless there is "an acquisition, access, use or disclosure of protected health information in a manner not permitted" by HIPAA, there is no breach.  A third party encrypting your data isn't what you want to have happen, but data encryption is, in fact, permitted by HIPAA (in fact, it's encouraged).  So the fact of the encryption is not a breach; it's only a breach if, in addition to the encryption, there's an acquisition, access, use or disclosure that's not permitted, which basically means it has to get out.  Some current ransomware versions to take data outside the attacked system, so the hackers can also sell the data in addition to collecting the ransom for decrypting it; in those cases, the ransomware attack is a breach because it meets the definition.  Where there is no exfiltration, the incident likely doesn't.

This is idiotic, and these lawyers really should be ashamed of themselves.  Third-party bad actors attacked HMH's network and caused a huge disruption.  There's no evidence at all of any fault or blame on the part of HMH; ransomware attacks are pretty common, some phishing techniques are pretty clever, and there's no such thing as perfect data security.  But more importantly, nobody was hurt.  What damages did these plaintiffs suffer? 


Jeff [8:25 AM]

[ Wednesday, February 05, 2020 ]

 

United Healthcare announced a breach into a patient portal that exposed name, plan information, and health data; however, only 36 people affected (I'm surprised this made the news, given the low numbers).  

Jeff [6:16 PM]

 

1. Ransomware: Many companies who are hit by ransomware don't pay the ransom and their data is deleted.  In the old days, that was the end of the story.  Now, some ransomware variants (the currently popular Maze, for example) will actually steal the data, not just encrypt it.  It seems that some of those ransomware hackers are punishing the non-ransom-paying victims by publishing and/or selling the data they have stolen. Of course, there are some healthcare entities in the mix; obviously, they might have some HIPAA reporting obligations. . . .

2. More Ransomware: Of course, even if your ransomware attack doesn't steal your data, if you don't pay the ransom (and sometimes even when you do) by the deadline and the decryption key is deleted, the data is lost forever.  That's apparently the case with Fondren Orthopedic in Houston, and some others as well.

3. Texting and HIPAA: This isn't a good mix from a HIPAA perspective for a couple of reasons, but it's not actually prohibited.  And for some patients, texting is their preferred, if not only, effective means of receiving communications from their providers.  When the rules aren't clear, what's a provider to do?  One option is to ask HHS to provide some guidance, and that's what some are doing. We will see if there's a response. . . .

Jeff [1:31 PM]

[ Tuesday, January 14, 2020 ]

 

Buck, a HR/benefits consultancy, has just completed a survey of HIPAA compliance among company health plans, and the results are not surprising to those of us in the space.  Big problems with conducting risk assessments, ensuring business associate agreements are in place, regular employee training, and adopting and reviewing policies and procedures keep popping up.  There's a solid one half to two thirds that show good, consistent compliance; and this is employee health plans, not entities that are HIPAA covered entities by virtue of being in the healthcare business, so some slippage is to be expected (at least I hope the healthcare industry participants are better than this).  But given that compliance really isn't that hard, it's still distressing. 

Jeff [12:05 PM]

[ Thursday, January 02, 2020 ]

 

Sinai Health System in Chicago apparently suffered an email system compromise that exposed PHI of about 13,000 people.  Probably a phishing exercise that got through.  

Jeff [12:54 PM]

 

OCR has fined West Georgia Ambulance $65,000 for a breach involving a lost unencrypted laptop.  Of course, the real reason for the fine is that the company had failed to do a risk analysis and take other basic HIPAA hygiene steps (which, had they done so, might've led them to encrypt the laptop, which would have mooted this entire episode).

Of particular interest here is the relatively small size of the fine; I suspect that West Georgia couldn't afford more, so this probably stings pretty badly.  But that's the point, and I applaud OCR for the apparent reasonableness of the fine.  In my opinion, they should issue more smaller fines, rather than just a few big ones.  That's more likely to get people into compliance.  

Jeff [12:51 PM] http://www.blogger.com/template-edit.g?blogID=3380636 Blogger: HIPAA Blog - Edit your Template