This page contains news stories from 2010
Red Flag Program Clarification Act Lifts Burden for Many
On December 18, 2010, the Red Flag Program Clarification Act went into effect, limiting the definition of creditor in such a way as to exempt many professional offices of doctors, lawyers, and others who may not collect payment at the time services are rendered, but do not engage in the review of information from or submission of information to credit bureaus. The very brief law is available at: http://www.gpo.gov/fdsys/pkg/BILLS-111s3987enr/pdf/BILLS-111s3987enr.pdf
New HIPAA/HITECH Regulation Expected in 2011
On December 14, 2010, a senior health IT and privacy specialist at the HHS Office for Civil Rights indicated that new rules under HIPAA and HITECH would be issued in 2011, and that the rules would include all of the HIPAA-related issues currently in the proposed or interim final phases of adoption, including breach notification, enforcement, the variety of changes under the recent NPRM, and changes under the Genetic Information Nondiscrimination Act (GINA). The rules in the HIPAA Update roll-up will not include the long-expected rules on Accounting of Disclosures from an EHR, which will be proposed and adopted separately from the other issues, as would any rule changes for Audit procedures now under development. A story in iHealthBeat is available at: http://www.ihealthbeat.org/articles/2010/12/15/federal-officials-aim-to-release-new-rules-on-hipaa-hitech-in-2011.aspx
NIST Releases Final Draft of New Guide to Risk Management
On December 14, 2010, the National Institute of Standards and Technology (NIST) released the final draft of a new Special Publication, SP 800-39, Integrated Enterprise-Wide Risk Management: Organization, Mission, and Information System View. This special publication will replace the Risk Management information currently found in SP 800-30, and that SP will be repurposed as a guide to risk assessment in a new version under development. The draft of SP 800-39 is at: http://csrc.nist.gov/publications/drafts/800-39/draft-SP800-39-FPD.pdf
Study: Data Breaches Cost Hospitals $6 Billion
A new study by the Ponemon Institute and ID Experts Corp. found data breach protection to be a low priority among hospitals and noted that the healthcare industry is struggling to protect patient information. The report, Benchmark Study on Patient Privacy and Data Security, is available from ID Experts at: http://www2.idexpertscorp.com/resources/healthcare/healthcare-articles-whitepapers/ponemon-benchmark-study-on-patient-data-security-practices/
A related article in Healthcare IT News on the report is available at: http://www.healthcareitnews.com/news/hospitals-struggling-protect-patient-data
HIPAA Breach List Now in Searchable, Sortable Format
The list of health information breaches affecting 500 or more individuals, as required by the HITECH Act, is now presented by the US Department of Health and Human Services in a searchable, sortable table on their web site, available at: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html. In addition, the full list is downloadable in both CSV and XML formats, from the same HHS Web page.
Connecticut Requires 5-day Notification of Insurer Breaches
On August 18, 2010, the State of Connecticut Insurance Department issued Bulletin IC-25, requiring all types of insurer entities and even "Health Care Centers" to notify the department of "any information security incident ... that could pose a potential risk to the privacy of an individual's personal health and/or financial information..." within 5 calendar days, whether or not the data are encrypted. The bulletin is available at: http://www.ct.gov/cid/lib/cid/Bulletin_IC_25_Data_Breach_Notification.pdf and related news stories are available at: http://www.healthleadersmedia.com/content/COM-256614/CT-Breaches-Lead-to-Tougher-Notification-Requirement and http://www.healthdatamanagement.com/news/health-care-technology-news-breach-notification-connecticut-41013-1.html?zkPrintable=true
Verizon Business RISK Team Releases 2010 Breach Report
On July 28, 2010, the Verizon Business RISK Team released its 2010 Data Breach Investigations Report. According to the report, comprising information from 57 private investigations conducted by Verizon and 84 cases investigated by the US Secret Service in 2009, 70 percent of breaches were committed by outsiders. In more than a third of the breaches, cyber criminals used stolen login credentials, accounting for 86% of compromised records. In many cases, cyber thieves relied on configuration errors instead of security vulnerabilities to steal data.
For more information, please see:
Internet Storm Center: http://isc.sans.edu/diary.html?storyid=9283 and the report itself: http://www.verizonbusiness.com/resources/reports/rp_2010-data-breach-report_en_xg.pdf
Rite Aid Hit With $1 Million "Settlement" for HIPAA Violations
The US Department of Health and Human Services and the US Federal Trade Commission have entered into a $1 Million settlement agreement with Rite Aid Corporation pertaining to the potential improper disposal of pill bottles and labels containing PHI. This settlement is related to a similar case involving CVS, settled in February of 2009, and a similar case concerning Walgreen's pharmacies is proceeding toward a similar settlement. In addition to the monetary settlement, Rite Aid will be subject to periodic review by the FTC for the next 20 years.
For more information and to see the settlement agreement, please see: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/riteaidresagr.html
HHS OCR Issues Final Guidance for HIPAA Risk Analysis
On July 14, 2010, the US Department of Health and Human Services Office for Civil Rights released final guidance on performing Risk Analysis as called for in the HIPAA Security Rule and the Meaningful Use criteria for EHR adoption. The guidance informs HIPAA covered entities and business associates about the process and expected content of documentation for risk analysis. The guidance is available at: http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/rafinalguidancepdf.pdf
HHS Proposes Blockbuster Changes to HIPAA Regulations
On July 8, 2010, the US Department of Health and Human Services issued a Notice of Proposed Rule Making containing significant modifications to the HIPAA Privacy and Security regulations. Some of the changes have been anticipated since the passage of the HITECH Act within ARRA in February of 2009, but some came as a surprise. The NPRM was officially published in the Federal Register on July 14, 2010.
Among the many changes, not only are business associates of HIPAA covered entities now covered directly under the regulations, but sub-contractors to business associates are also now directly subject to the HIPAA rules for business associates. Other changes mean modifying all Notices of Privacy Practices and all Business Associate Agreements.
The NPRM is available at http://edocket.access.gpo.gov/2010/pdf/2010-16718.pdf and http://edocket.access.gpo.gov/2010/2010-16718.htm
An excellent initial take on the NPRM by John R. Christiansen is available at: http://informationlawtheoryandpractice.blogspot.com/2010/07/preliminary-thoughts-on-hitechhipaa.html or http://tinyurl.com/37bours
FTC Extends Enforcement Deadline for Red Flags Rule Again
In what is becoming a long running saga in how to not implement a regulation, the US Federal Trade Commission announced on May 28, 2010, just days before the June 1 enforcement deadline, that the FTC, at congressional request, has delayed enforcement of the FTC Red Flags Rule a fifth time, now through December 31, 2010. The press release is at: http://www.ftc.gov/opa/2010/05/redflags.shtm
Furthermore, on June 25, 2010 the FTC said it would not enforce the rule against physician groups until at least 90 days after a lawsuit about the rule with the American Bar Association is ruled on in federal appeals court.
HHS OCR Issues Draft Guidance for HIPAA Risk Analysis
On May 7, 2010, the US Department of Health and Human Services Office for Civil Rights released draft guidance on performing Risk Analysis as called for in the HIPAA Security Rule. While leaving many specifics out, the guidance does provide enough information to inform HIPAA covered entities and business associates about the process and expected content of documentation. The guidance is available at: http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/radraftguidanceintro.html
Feedback on the guidance is requested, via a link on the page listed above.
HIPAA Jail Time for Hospital Employee Snooping in Records
On April 28, 2010 Healthcare Info Security and on April 30, 2010 Health Leaders Media reported that a former UCLA Healthcare System employee has been sentenced under HIPAA to four months in prison for reading the medical records of co-workers and celebrities. The violator accessed the records system for three weeks following his dismissal. Security Tip: Make sure system access is terminated immediately for employees who are terminated. Note that this conviction is for just snooping, with no improper use or sale of the PHI. See: http://www.healthcareinfosecurity.com/articles.php?art_id=2470&rf=042810eh and http://www.healthleadersmedia.com/content/TEC-250390/Jail-Time-For-HIPAA-Violator
NIST Releases Guide to Protecting Confidentiality of PII
On April 9, 2010 the National Institute of Standards and Technology (NIST) announced the release of Special Publication 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII), providing practical, context-based guidelines for identifying PII and appropriate levels of protection, including safeguards and incident response plans. The announcement is at: http://csrc.nist.gov/news_events/index.html#apr6 and the guide is available at: http://csrc.nist.gov/publications/PubsSPs.html#800-122
Virginia Enacts Health Information Breach Notice Law
On April 7, 2010, the Information Law Group posted a notice that the Commonwealth of Virginia has passed a breach notice law that requires notice of security breaches involving medical information in situations where the breach is not already reportable under the new HIPAA/HITECH Breach Notification Rule. Note that this law does require notice of breaches of encrypted data when the breach involves a person who has access to the encryption key. See: http://www.infolawgroup.com/2010/04/articles/breach-notice/virginia-adds-medical-information-breach-notice-law/
Verizon Business Releases Incident Sharing Framework
On March 9, 2010, Verizon Business released a beta version of the Verizon Incident Sharing Framework (VerIS), a version of the assessment document used by Verizon forensic investigators to systematically gather, categorize, and report on data breach incidents. A white paper on the framework is available at: http://www.verizonbusiness.com/resources/whitepapers/wp_verizon-incident-sharing-metrics-framework_en_xg.pdf and the framework itself is available at: http://securityblog.verizonbusiness.com/wp-content/uploads/2010/03/VerIS_Framework_Beta_1.pdf
HHS Posts List of Major PHI Breaches on its "Wall of Shame"
On February 22, 2010 the Office for Civil Rights (OCR) within the US Department of Health and Human Services (HHS) posted on its website a list of the covered entities that have reported breaches of unsecured protected health information affecting more than 500 individuals.
Section 164.408 of the breach notification interim final rule, which implements section 13402(e)(3) of the HITECH Act, requires covered entities to provide notification of breaches of unsecured protected health information directly to the Secretary of HHS, who is obligated to post on the HHS website a list of breaches affecting more than 500 individuals. The list of covered entities and breaches is available at http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/postedbreaches.html or http://tinyurl.com/yczfmgy.
Enforcement of New HIPAA Business Associate Provisions Delayed
On February 19, 2010, Hunton & Williams LLP reported on the Privacy and Information Security Law Blog that HHS will not seek to enforce the business associate provisions of the HITECH Act, which became effective February 17, 2010, until the final rules are published. See: http://tinyurl.com/y8nbr3c or http://www.huntonprivacyblog.com/2010/02/articles/hipaa-1/hhs-delays-enforcement-of-hitech-act-business-associate-provisions/index.html
Data Breach Costs Top $200 Per Customer Record in 2009
On January 25, 2010 Network World magazine reported that the Ponemon Institute's annual study of the costs of data breaches shows that the average cost of a data breach rose to $204 per customer record in 2009. The three main causes for data breaches are negligence, system failures, and attacks. The article is at: http://www.networkworld.com/news/2010/012510-data-breach-costs.html
First Lawsuit Filed by a State Attorney General Under HIPAA
On January 13, 2010, the Connecticut Attorney General sued Health Net of Connecticut, Inc. for failing to properly secure the records of 446,000 enrollees, in the first such action authorized under changes contained in the ARRA/HITECH Act allowing state attorneys general to enforce HIPAA. The Connecticut Attorney General's Office press release is available at: http://www.ct.gov/ag/cwp/view.asp?A=2341&Q=453918