This page contains news stories from 2013
Click for the latest news stories
Click for the Directory of News Stories
$150K Settlement for Stolen USB Drive and No Breach Policies
On December 27, 2013, US Department of Health and Human Services Office for Civil Rights announced that Adult & Pediatric Dermatology, P.C., of Concord, Mass., (APDerm), a private practice that delivers dermatology services in six locations, has agreed to settle potential HIPAA violations, agreeing to a $150,000 payment and a corrective action plan to correct deficiencies in its HIPAA compliance program. This is the first settlement with a covered entity for not having HIPAA Breach Notification policies and procedures in place.
An unencrypted thumb drive with the health information of 2,200 individuals was stolen from a vehicle and never recovered. APDerm had not conducted a HIPAA Risk Analysis and did not have in place written policies, procedures, and training for breach handling. In addition to the $150,000 resolution, the settlement includes a corrective action plan requiring a risk analysis and risk management plan to address and mitigate any security risks and vulnerabilities, and provide an implementation report to OCR.
The resolution agreement and press release can be found on the OCR website at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/apderm-agreement.html
Accounting of Disclosures Rule Recommendations Released
On December 4, 2013, the US Department of Health and Human Services Office of the National Coordinator for Health IT Health IT Policy Committee Privacy and Security Tiger Team (the USDHHS-ONCHIT-HITPC-PSTT?) released a report with its recommendations for implementation of the HITECH Act requirements for Accounting of Disclosures, available as a PDF of slides, at http://www.healthit.gov/FACAS/sites/faca/files/HITPC_PSTT_Accounting%20of%20Disclosures_FINAL_12042013.pdf The recommendations call for a staged implementation relying on available technologies, with an accounting of disclosures outside the organization from certified EHRs as the first step, a new right to request an investigation of internal access, and recommendations to expand the Security Rule to call for more detailed ability to log access for auditing.
Compared with the proposed rule, the recommendations are more reasonable, more implementable, and more likely to satisfy the desires of patients. There is also an AHIMA article on the report at http://journal.ahima.org/2013/12/09/onc-committee-makes-accounting-of-disclosures-recommendations/
HHS OIG Slams HHS OCR for HIPAA Audit Program Deficiencies
The US Department of Health and Human Services Office of Inspector General (OIG) issued in late November 2013 highly critical of the work done by the HHS Office for Civil Rights (OCR) in implementation of requirements for audits of HIPAA Security Rule compliance to be performed under the HITECH Act, enacted in February of 2009. In addition, OIG found that OCR's own system implementations used in the management of their audit process were not performed securely.
The OIG report, titled The Office for Civil Rights Did Not Meet All Federal Requirements in Its Oversight and Enforcement of the Health Insurance Portability and Accountability Act Security Rule, calls for better controls on the HITECH auditing process and systems used by HHS, and implementation of periodic Security Rule audits. See: http://oig.hhs.gov/oas/reports/region4/41105025.pdf
The impact of the report is that it may be now expected that efforts to audit HIPAA Security Rule compliance will be increased, putting additional pressure on HIPAA entities to do the work necessary for HIPAA Security Rule compliance now.
HHS OCR Releases New HIPAA Security Risk Analysis Tipsheet
On November 22, 2013, the US Department of Health and Human Services Office for Civil Rights released an updated Security Risk Analysis Tipsheet including an overview of the HIPAA Security Rule Risk Analysis requirement, a table of risk and safeguard examples, and a table of Myths vs. Facts about Security Risk Analysis. The Tipsheet is available at: http://www.cms.gov/Regulations-and-Guidance/Legislation/EHRIncentivePrograms/Downloads/SecurityRiskAssessment_FactSheet_Updated20131122.pdf
PCI Security Standards Council Releases DSS v3.0, eff. 1/1/14
On November 7, 2013, the PCI Security Standards Council released version 3.0 of the PCI Data Security Standard, to which all payment card merchants and data handlers are held, effective January 1, 2014, with a compliance deadline of July 1, 2015. The new version emphasizes maintaing awareness of threats and education to help ensure secure use of systems. PCI documentation is available at: https://www.pcisecuritystandards.org/security_standards/documents.php?agreements=pcidss&association=pcidss For an overview of PCI DSS compliance, see: https://www.pcisecuritystandards.org/security_standards/index.php The press release from PCI, including many details of the changes, is available at: https://www.pcisecuritystandards.org/pdfs/13_11_06_DSS_PCI_DSS_Version_3_0_Press_Release.pdf
HHS OCR Holds Accounting of Disclosures Hearing
On September 24, 2013, the US Department of Health and Human Services Office of Civil Rights announced that the HIT Policy Committee's Privacy and Security Tiger Team will be holding a virtual, public hearing to explore practical ways to provide patients with greater transparency about the uses and disclosures of their electronic PHI, to facilitate implementation of the HITECH requirement that a patient’s right under the HIPAA Privacy Rule to an "accounting" of disclosures include disclosures for "treatment, payment and operations" when such disclosures are made through "an electronic health record." This hearing will be held on Monday, September 30 from 11:45 a.m. to 5:00 p.m. EDT. To listen to this meeting, see: http://www.healthit.gov/facas/calendar/2013/09/30/policy-privacy-security-tiger-team-virtual-hearing
The Tiger Team invites members of the public to provide written answers to key discussions questions through the ONC blog at: http://www.healthit.gov/buzz-blog/. The Tiger Team will consider these answers as it continues to deliberate and make recommendations on these issues. In addition, the hearing will include time for public comments from 4:45 to 5:00 p.m. EDT.
HHS Issues Guidance on Decedents, Student Immunizations, Law Enforcement
On September 19, 2013, a busy day at the HHS Office for Civil Rights, OCR issued guidance on decedents and student immunizations, as well as the guidance and delay announcement below, and, the next day, released a guide to HIPAA for Law Enforcement. The guidances, and other essential HIPAA news from HHS are at: http://www.hhs.gov/ocr/privacy/
HHS Refill Reminders Guidance and Enforcement Delay
On September 19, 2013, the HHS Office for Civil Rights (OCR) issued guidance on how the changes to the HIPAA Privacy Rule’s marketing provisions apply to refill reminders and other communications about drugs or biologics currently being prescribed for individuals. The new Fact Sheet and corresponding FAQs explain how the refill reminder exception to the marketing rule works, the scope of communications that fall within the exception, and the types of third party payments that are considered “reasonable”.
In addition, OCR will not enforce the restrictions on refill reminders for a period of 45 days following the September 23, 2013, compliance date, or until November 7, 2013.
See: http://www.hhs.gov/ocr/privacy/
HHS Delays HIPAA NPP Enforcement for CLIA Laboratories
On September 19, 2013, the US Department of Health and Human Services Office of Civil Rights announced that it would delay enforcement of the required update of the HIPAA Notice of Privacy Practices for HIPAA-covered laboratories that are subject to CLIA or otherwise not required to provide access to individuals under HIPAA, not including any laboratories that are part of a larger entity and do not have their own separate NPP. The delay is being allowed because such notices will need to be updated when the CLIA regulations are updated, which is expected soon, and it would be a burden to have to update twice over a short period of time. The delay was announced just four days before the new rules became enforceable. The announcement is available at: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/clia-labs.html
HHS OCR and ONC Release HIPAA Privacy Notice Templates
On September 16, 2013, the US Department of Health and Human Services Office of Civil Rights and the Office of the National Coordinator for Health IT published a set of templates in four formats, for both providers and health plans, and instructions for use, for HIPAA Notices of Privacy Practices, that include the required changes pursuant to the HIPAA Omnibus Update of 2013. The templates are available at: http://www.hhs.gov/ocr/privacy/hipaa/modelnotices.html
In related news, the AMA released in September 2013 updated tools for HIPAA Privacy and Security Compliance, including new sample Notice of Privacy Practices and Business Associate Agreement templates, as well as toolkits and FAQs. See: http://www.ama-assn.org/go/hipaa
PHI on Old Copier Yields $1.2 million Settlement with Affinity
On August 14, 2013, the US Department of Health and Human Services announced that it will settle with Affinity Health Plan, Inc. potential violations of HIPAA for $1,215,780, as a result of a breach involving the information of more than 340,000 individuals that was left on a leased copier purchased by CBS Evening News as part of an investigation into private information held on old copiers. The CBS Evening News story that identified the breach is available at http://www.youtube.com/watch?v=iC38D5am7go
Part of the settlement includes a corrective action plan that requires Affinity to try to retrieve all the old copiers it has ever returned under leases so that PHI may be properly destroyed. The agreement and CAP are available on the HHS OCR Web site at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/affinity-agreement.html
Also included in the news release was additional information on copier compliance:
• For more information on safeguarding sensitive data stored in the hard drives of digital copiers: http://business.ftc.gov/documents/bus43-copier-data-security.
• The National Institute of Standards and Technology has issued guidance on media sanitation: http://csrc.nist.gov/publications/drafts/800-88-rev1/sp800_88_r1_draft.pdf.
• OCR offers free training on compliance with the HIPAA Privacy and Security Rules for continuing medical education credit at http://www.medscape.org/sites/advances/patients-rights.
Australian Defence Signals Directorate Releases Security Guides
In July 2013, the Australian Defence Signals Directorate released information security advice that is useful for healthcare security professionals to consider as they discover and plan for mitigation of information security risks. One of the guides, Top 4 Strategies to Mitigate Targeted Cyber Intrusions, available at http://www.dsd.gov.au/infosec/top-mitigations/top-4-strategies-explained.htm provides ways to eliminate 85% of all threats. Another of the guides focuses on Assessing Security Vulnerabilities and Patches, and is available at http://www.dsd.gov.au/publications/csocprotect/assessing_security_vulnerabilities_and_patches.htm. A third guide, released in April of 2013, discusses Additional Security Considerations and Controls for Virtual Private Networks; see http://www.dsd.gov.au/publications/csocprotect/addtional_security_considerations_and_controls_for_vpn.htm. These guides are written for the use of all levels of the Australian government but are compact, easy to understand, and provide a great foundation for security. All of the guides are available on the Web pages listed above, and as downloadable .pdf files on those pages.
WellPoint Gets $1.7 million Settlement for Insecure Database
On July 11, 2013, the US Department of Health and Human Services announced that the managed care company WellPoint, Inc. has agreed to a $1.7 million settlement to resolve HIPAA Privacy and Security Rule potential violations regarding weaknesses in an online application database. WellPoint did not have good access control policies and procedures in place, did not do a technical evaluation of a software upgrade, and did not have technical safeguards to verify the identity of those accessing the database. 612,402 individuals were affected by the breach, which took place in 2010.
Potential violations like this are easily prevented if a good information security management process is instituted. The Press Release can be found on the HHS News page: http://www.hhs.gov/news/press/2013pres/07/20130711b.html and the Resolution Agreement can be found on the OCR website at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/wellpoint-agreement.html.
NIST Releases Revised Guidelines for Mobile Device Security
On June 24, 2013, the National Institute of Standards and Technology announced the final release of Special Publication (SP) 800-124 Revision 1, Guidelines for Managing the Security of Mobile Devices in the Enterprise. The purpose of the guide is to help organizations centrally manage and secure mobile devices against a variety of threats, providing recommendations for selecting, implementing, and using centralized management technologies, and explaining the security concerns inherent in mobile device use. The scope of SP 800-124 Revision 1 includes securing both organization-provided and personally-owned (bring your own device) mobile devices. The guidelines are available at http://csrc.nist.gov/publications/PubsSPs.html#800-124
Shasta Regional Medical Center Settles HIPAA Case for $275K
In a June 14, 2013 announcement, the US Department of Health and Human Services let it be known that there is no such thing as an implied authorization for release of PHI. Officials at Shasta Regional Medical Center discussed a patient's PHI with staff and the press following a disclosure to the press by the patient. Even when the patient has released the same information, an authorization must be given for the covered entity to release the information.
The settlement includes $275,000 and a Corrective Action Plan covering all facilities of the organization. The Press Release can be found at: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/shasta-agreement-press-release.html and the Resolution Agreement can be found on the OCR website at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/shasta-agreement.pdf
New Unofficial HIPAA Combined Rule Issued by HHS OCR
On June 13, 2013, the US Department of Health and Human Services Office for Civil Rights released an updated Combined Regulation Text of All Rules pertaining to HIPAA, including the Omnibus Update and the June 7 Technical Corrections. This combined rule document is now the go-to source for HIPAA regulations. (It is referred to as an unofficial document because the only official rule is what is published in the Federal Register.) The new combined rule is at: http://www.hhs.gov/ocr/privacy/hipaa/administrative/combined/index.html
Technical Corrections Issued for Omnibus Update Regulations
On June 7, 2013, technical corrections to the HIPAA Omnibus update were issued by the US Department of Health and Human Services Office for Civil Rights. The corrections, mostly minor typos and such, do clarify several internal references and should be used together with the Omnibus update rule and the prior unofficial 2006 combined rule published by HHS OCR to define the current HIPAA rules.
The technical corrections are available in PDF Federal Register format at http://www.gpo.gov/fdsys/pkg/FR-2013-06-07/pdf/2013-13472.pdf , the Omnibus update is at http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf and the 2006 unofficial (non-Federal Register) combined rule is at http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/adminsimpregtext.pdf . It is hoped that HHS OCR will release a new unofficial combined rule including all the HITECH modifications and technical corrections sooner than later.
Idaho State University Settles HIPAA Security Case for $400K
At the close of the first day of the annual NIST-OCR HIPAA Security conference in Washington, DC, just in time for OCR Director Leon Rodriguez to discuss in his day-two keynote address, HHS released information about a new $400,000 settlement for HIPAA Security Rule violations, this time related to a breach of records of 17,500 patients at ISU's Pocatello Family Medicine Clinic, caused by some server firewalls' being disabled for most of a year, and lack of a real Risk Analysis and system activity reviews that could have prevented or limited the breach, among other violations. The press release is available at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/isu-agreement-press-release.html.html and the Resolution Agreement is available at: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/isu-agreement.pdf
New HHS HIPAA Educational Tools for Consumers, Providers
On April 30, 2013, the US Department of Health and Human Services Office for Civil Rights announced new tools to educate consumers and providers about the HIPAA Privacy and Security Rules. See http://www.hhs.gov/ocr/privacy
OCR has posted a series of fact sheets for consumers, available in eight languages, about cpmsumer rights under the HIPAA Privacy Rule,on OCR’s website at: http://www.hhs.gov/ocr/privacy/hipaa/understanding/consumers
The fact sheets compliment a set of seven videos released earlier this year on OCR’s YouTube channel. A video on The HIPAA Security Rule, has been designed for providers in small practices and offers an overview of how to establish basic safeguards to protect patient information and comply with the Security Rule’s requirements. The videos are available on the HHS OCR YouTube Channel at http://www.youtube.com/user/USGovHHSOCR
OCR has also launched three modules for health care providers that offer free Continuing Medical Education (CME) credits for physicians and Continuing Education (CE) credits for health care professionals, on compliance with various aspects of the HIPAA Privacy and Security Rules, available at Medscape.org:
• Patient Privacy: A Guide for Providers
http://www.medscape.org/viewarticle/781892?src=ocr
• HIPAA and You: Building a Culture of Compliance
http://www.medscape.org/viewarticle/762170?src=ocr
• Examining Compliance with the HIPAA Privacy Rule
http://www.medscape.org/viewarticle/763251?src=ocr
Reports on Breaches Show Weaknesses, Identity Theft
In addition to the Verizon report noted in the story below, additional reports have been released looking at data breaches and healthcare information. In a new study, Ponemon Institute surveyed a sample of privacy and compliance leaders in various organizations about their expectations of having a breach, their breach prevention practices, and their data breach response plan, and found that among healthcare organizations, 94% had had a breach in the last two years, 39% had no breach response plan, and only 19% were equipped to determine the size or causes of breaches. The report is available at: http://www.experian.com/data-breach/readiness-survey.html
Separately, analysis by Javelin Strategy and Research on the results of the massive Utah PHI breach in 2012 that affected 780,000 people found that 25% of all affected individuals had suffered identity theft, and that costs of the incident, caused by a simple but entirely preventable human error, approach a total of over $400 million. The analysis is available at: https://www.javelinstrategy.com/blog/2013/04/28/financial-pain-ensues-when-custodians-of-health-fail-to-be-good-stewards-of-privacy/
2013 Verizon Data Breach Investigations Report Released
On April 23, 2013, the Verizon 2013 Data Breach Investigations Report was released, describing the security threat landscape and characteristics of breaches over the last year. The report includes information about 621 confirmed data breaches as well as more than 47,000 reported security incidents that were investigated by Verizon and 18 of its global partners, including law enforcement.
Probably the most damning statistic is that the vast majority of breaches are discovered by someone other than the entity having the breach. As always, if you are serious about security, you need to review this annual report.
The report is at: http://www.verizonenterprise.com/DBIR/2013/ and a related story in GovInfoSecurity.com is at: http://www.govinfosecurity.com/interviews/verizon-report-ddos-broad-threat-i-1892
NIST/OCR HIPAA Security Conference Announced: May 21-22
The National Institute of Standards and Technology (NIST) and the Department of Health and Human Services (HHS), Office for Civil Rights (OCR) are co-hosting the 6th annual conference Safeguarding Health Information: Building Assurance through HIPAA Security on May 21 & 22, 2013 at the Ronald Reagan Building and International Trade Center in Washington, D.C., exploring the current health information technology security landscape and the HIPAA Security Rule, and highlighting the present state of health information security, and practical strategies, tips and techniques for implementing the HIPAA Security Rule.
Presentations will cover a variety of topics including the Omnibus HIPAA/HITECH Final Rule, identity management, strengthening cybersecurity in the health care sector, integrating security safeguards into health IT, managing insider threats, securing mobile devices, and more. Participants can choose to participate on-site, or through a live web cast. Lunch and refreshments are included in the on-site registration fee and all registrations include access to archived webcast presentations and materials.
Visit the conference web page for more information and registration: http://www.nist.gov/itl/csd/2013-hipaa-conference.cfm
HHS to Survey Entities Receiving a 2012 HIPAA Audit; New Audit Effort to Begin in FY 2014, beginning October 1, 2013
On March 19, 2013, the US Department of Health and Human Services announced it will be surveying those entities subjected to the random audit program in 2012, to help design the revised HIPAA random audit program, now slated to restart in the next Federal Fiscal Year, which begins October 1, 2013, barely a week after the new HIPAA rules go into effect.
The announcement is available at https://www.federalregister.gov/articles/2013/03/19/2013-06281/agency-information-collection-activities-proposed-collection-public-comment-request
A story on the announcement in Health Data Management is available at http://www.healthdatamanagement.com/news/hipaa-privacy-security-breach-notification-enforcement-45853-1.html and in iHealthBeat at http://www.ihealthbeat.org/articles/2013/3/19/ocr-seeks-input-on-survey-of-hipaa-audit-program-participants.aspx
HHS OCR Hiring Staff for HIPAA Enforcement Activity
On February 27, 2013, the US Department of Health and Human Services (DHHS) Office for Civil Rights (OCR) Office of the Deputy Director Health Information Privacy (ODDHIP) announced several job positions, since closed March 12, seeking experience in privacy and security compliance and enforcement as well as in the areas of policy, outreach, and health information technology systems. The OCR Division of Health Information Privacy enforces the HIPAA Privacy and Security Rules and the confidentiality provisions of the Patient Safety and Quality Improvement Act.
It is unknown what impact the Sequester will have on these positions, but the indication is clear that HIPAA enforcement activity will be on the increase.
H-P Print Server Software Vulnerable to Attack by Hackers
A story published January 23, 2013 on the Information Week Web site indicates that any printers using H-P JetDirect print server software may be hacked to allow access to copies of documents previously printed, among other vulnerabilities. The software is used by many printer manufacturers, not only H-P.
Users of printers that use JetDirect should ensure they have applied all patches issued and work with vendor support to find ways to delete copies of printed documents until new patches are developed by H-P. The article is at: http://www.informationweek.com/security/vulnerabilities/security-flaws-leave-networked-printers/240146805
HIPAA Business Associate Agreement Language Updated
On January 25, 2013, the US Department of Health and Human Services updated on its Web site the sample language for Business Associate Agreements meeting the requirements of the new final HIPAA rule, published the same day. While the language should always be finalized by your own attorney, the sample language does show the required elements any agreement should contain. The sample language is available at the same address as the old sample language: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html
HIPAA Final Omnibus Rule Finally Released, Major Changes
On January 17, 2013, the US Department of Health and Human Services released the new final HIPAA rule for all the HITECH Act changes (and more, with the exception of the proposed Accounting of Disclosures changes). The rule will be published January 25, 2013 in the Federal Register, go into effect 60 days later and are enforceable by September 23, 2013.
Significant changes from the proposed and interim final rules include allowing Business Associate Agreements using the old language before the publication date of the rule (not the effective date, as proposed) to be able to have 18 months to update the agreement to the new rules.
Also significant is the elimination of the "Harm Standard" in the Breach Notification Rule, replaced with a risk assessment to determine if there is a "low probability of compromise" of the data.
The changes from the current and proposed rules are significant and will be discussed in further detail over the coming weeks. The Rulemaking announced January 17, 2013 may be viewed as a PDF and in the Federal Register at https://www.federalregister.gov/articles/2013/01/25/2013-01073/hipaa-privacy-security-enforcement-and-breach-notification-rules. The HHS Press Release is at: http://www.hhs.gov/news/press/2013pres/01/20130117b.html.
HIPAA Settlement for Laptop Breach at Idaho Hospice Agency
The Hospice of North Idaho (HONI) has agreed to pay the U.S. Department of Health and Human Services’ (HHS) $50,000 to settle potential violations of the HIPAA Security Rule. An unencrypted laptop computer containing the electronic protected health information of 441 patients had been stolen, and OCR discovered that HONI had not conducted a risk analysis to safeguard ePHI and did not have in place policies or procedures to address mobile device security.
From the press release: “This action sends a strong message to the health care industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients’ health information.” said OCR Director Leon Rodriguez. “Encryption is an easy method for making lost information unusable, unreadable and undecipherable.”
Here's the link to the HHS OCR news release on the settlement, with links to the agreement, and to guidance on how to protect mobile data: http://www.hhs.gov/news/press/2013pres/01/20130102a.html
Click for the latest news stories
Click for the Directory of News Stories