HIPAA/Privacy & Security

Earlier this week, the Mintz Levin privacy team  updated the “Mintz Matrix,” a summary of the U.S. state data breach notification laws, with updates from New Mexico, Tennessee, and Virginia.  As the privacy team reports, with New Mexico enacting a data breach notification law, only Alabama and South Dakota remain the only states without data breach notification laws.  Their full blog post on the updates is available here.

In addition to complying with HIPAA, health care organizations must remain aware of the separate state notification obligations and other privacy and security laws when responding to data breaches.  These states laws are often broader than HIPAA and apply may apply to personally identifiable information that is not protected health information.

Our quick disclaimer: The Mintz Matrix is for informational purposes only and does not constitute legal advice or opinions regarding any specific facts relating to specific data breach incidents. You should seek the advice of experienced legal counsel (e.g., the Mintz Levin privacy team) when reviewing options and obligations in responding to a particular data security breach.

In July 2015, we posted about the N.Y. Attorney General’s False Claims Act (FCA) settlements with Trinity HomeCare and its related entities, and how the case provided insight into the future of FCA enforcement.  We identified five key trends based on the settlements:

  1. The FCA cases were based on qui tams and pursued by the State Attorney General after federal government declination.
  2. The FCA cases were based on a narrow, single state or regional arrangement, as opposed to allegations of a national scheme or program.
  3. One of the FCA cases was based on conduct about which Trinity had previously been warned.
  4. The FCA cases were based on government billings for specialty drugs.
  5. All parties to the arrangement were named as defendants in the qui tams.

Trinity was already under investigation by the N.Y. Attorney General’s office for its billing of hemophilia drugs (the basis of the first 2015 settlement) when a second qui tam alleged that Trinity submitted false claims in connection with a specialty drug used to treat premature infants at risk for lung disease.  That second qui tam led to the second settlement and now, almost 20 months later, has led to a new Complaint. Continue Reading Five Trends in False Claims Act Enforcement: Take Two

Phishing Scam ImageEarlier this week, the HHS Office for Civil Rights (“OCR”) announced a $400,000 settlement with Metro Community Provider Network (“MCPN”) related to a 2012 HIPAA breach caused by a phishing scam.  The phishing scam, carried out by accessing MCPN employees’ email accounts, gave a hacker access to the electronic protected health information (“ePHI”) of 3,200 individuals.  In investigating the breach, OCR determined that, prior to the breach, MCPN had not conducted a security risk analysis (a requirement under HIPAA).  Further, OCR found that even after MCPN conducted a risk analysis, its analysis was insufficient to meet the requirements of the HIPAA Security Rule.

In addition to the $400,000 fine, MCPN agreed to a corrective action plan with OCR.  That plan requires MCPN to conduct a comprehensive risk analysis and to submit a written report on the risk analysis to OCR.  Additionally, MCPN will be required to develop an organization-wide risk management plan, to review and revise its Security Rule policies and procedures, to review and revise its Security Rule training materials, and to report to OCR any instance of a workforce member failing to comply with its Security Rule policies and procedures. Continue Reading Gone Phishin’: Hack Leads to HIPAA Settlement

Last week the Health Care Compliance Association hosted its annual “Compliance Institute.”  Iliana Peters, HHS Office for Civil Rights’ Senior Advisor for HIPAA Compliance and Enforcement, provided a thorough update of HIPAA enforcement trends as well as a road map to OCR’s current and future endeavors.

Continuing Enforcement Issues

Ms. Peters identified key ten enforcement issues that OCR continues to encounter through its enforcement of HIPAA. These issues include:

  1. Impermissible Disclosures. HIPAA’s Privacy Rule prohibits covered entities and business associates from disclosing PHI except as permitted or required under HIPAA. Impermissible disclosures identified by Ms. Peters all center on the need for authorization, and include:
    • Covered entities permitting news media to film individuals in their facilities prior to obtaining a patient’s authorization.
    • Covered entities publishing PHI on their website or on social media without an individual’s authorization.
    • Covered entities confirming that an individual is a patient and providing other PHI to reporters without an individual’s authorization.
    • Covered entities faxing PHI to an individual’s employer without the individual’s authorization.
  2. Lack of Business Associate Agreements. OCR continues to see covered entities failing to enter into business associate agreements.
  3. Incomplete or Inaccurate Risk Analysis. Under HIPAA’s Security Rule, covered entities are required to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic PHI (ePHI). According to Ms. Peters, organizations frequently underestimate the proliferation of ePHI throughout their environment, including into systems related to billing, faxing, backups, and medical devices, among others.
  4. Failure to manage identified risks. HIPAA requires regulated entities to put in place security measures to reduce risks and vulnerabilities. According to the presentation, several OCR breach investigations found that the causes of reported breaches were risks that had previously been identified in a risk analysis but were never mitigated. In some instances, encryption was included as part of the remediation plan, but was never implemented.
  5. Lack of transmission security. While not required in all cases, HIPAA does require that ePHI be encrypted whenever it is deemed appropriate. The presentation identified a number of applications in which encryption should be considered when transmitting ePHI, including email, texting, application sessions, file transmissions (e.g., FTP), remote backups, and remote access and support services (e.g., VPNs).
  6. Lack of Appropriate Auditing. HIPAA requires the implementation of mechanisms (whether hardware, software or procedural) that record and examine activity in systems containing ePHI. HIPAA-regulated entities are required to review audit records to determine if there should be additional investigation. The presentation highlighted certain activities that could warrant such additional investigation, including: access to PHI during non-business hours or during time off, access to an abnormally high number of records containing PHI, access to PHI of persons for which media interest exists, and access to PHI of employees.
  7. Patching of Software. The use of unpatched or unsupported software on systems which contain ePHI could introduce additional risk into an environment. Ms. Peters also pointed to other systems that should be monitored, including router and firewall firmware, anti-virus and anti-malware software, and multimedia and runtime environments (e.g., Adobe Flash, Java, etc.).
  8. Insider Threats. The presentation identifies insider threats as a continuing enforcement issue. Under HIPAA, organizations must implement policies and procedures to ensure that all members of its workforce have appropriate access to ePHI and to prevent those workforce members who do not have access from obtaining such access. Termination procedures should be put in place to ensure that access to PHI is revoked when a workforce member leaves.
  9. Disposal of PHI. HIPAA requires organizations to implement policies and procedures that ensure proper disposal of PHI. These procedures must guarantee that the media has been cleared, purged or destroyed consistent with NIST Special Publication 800-88: Guidelines for Media Sanitization.
  10. Insufficient Backup and Contingency Planning. Organizations are required to ensure that adequate contingency planning (including data backup and disaster recovery plans) is in place and would be effective when implemented in the event of an actual disaster or emergency situation. Organizations are required to periodically test their plans and revise as necessary.

Upcoming Guidance and FAQs

OCR also identified upcoming guidance and FAQs that it will use to address the following areas:

  • Privacy and security issues related to the Precision Medicine Initiative’s All of Us research program
  • Text messaging
  • Social media
  • Use of Certified EHR Technology (CEHRT) & compliance with HIPAA Security Rule (to be release with the Office of the National Coordinator for Health Information Technology (ONC))
  • The Resolution Agreement and Civil Monetary Penalty process
  • Updates of existing FAQs to account for the Omnibus Rule and other recent developments
  • The “minimum necessary” requirement

Long-term Regulatory Agenda

The presentation also identifies two long-term regulatory goals to implement certain provisions of the HITECH Act. One regulation will relate to providing individuals harmed by HIPAA violations with a percentage of any civil monetary penalties or settlements collected by OCR, while the second will implement a HITECH Act provision related to the accounting of disclosures of PHI.

Audit Program Status

The presentation discussed the current status of OCR’s audit program. As we have previously discussed, OCR is in the process of conducting desk audits of covered entities and business associates. These audits consist of a review of required HIPAA documentation that is submitted to OCR. According to Ms. Peters, OCR has conducted desk audits of 166 covered entities and 43 business associates. Ms. Peters also used the presentation to confirm that on-site audits of both covered entities and business associates will be conducted in 2017 after the desk audits are completed. We will continue to follow and report on developments in the audit program.

Commentary

The list of continuing enforcement issues provides covered entities and business associates with a helpful reminder of the compliance areas that are most likely to get them in compliance trouble. Some of the enforcement issues may require HIPAA-regulated entities to revisit decisions that they previously made as part of a risk analysis. Transmission security (#5, above) is an example of such an area that may warrant reexamination. In the past, encrypting data was often too expensive or too impracticable for many organizations. However the costs of encryption have decreased while it has become easier to implement. A covered entity or business associate that suffers a breach due to transmitting unencrypted PHI over the internet will likely garner little sympathy from OCR going forward. The presentation is also notable for the long list of guidance and FAQs that OCR will be publishing, as well as their plan to issue regulations to address changes ushered in by the HITECH Act that were not captured by the 2013 Omnibus Rule. These regulations, particularly the regulations related to accounting for disclosures of PHI, could have a far-reaching impact on how covered entities and business associates comply with HIPAA in the future.

Last week, the FBI issued guidance specifically applicable to medical and dental facilities regarding the cybersecurity risk of File Transfer Protocol (“FTP”) servers operating in “anonymous” mode.  FTPs are routinely used to transfer information between network hosts.  As further described in the guidance, when an FTP server can be configured to permit anonymous users (through the use of a common user name like “anonymous” and without the use of a password) to gain access to the information stored on the server, which might include sensitive information about patients.  In addition to potentially directly compromising the security of the stored information, a hacker could use the FTP server in anonymous mode to launch a cyber attack on the entity. Continue Reading FBI Warns of Cybersecurity Risk from FTPs

On Wednesday, March 8, James B. Comey, Director of the FBI, was at Boston College to deliver the keynote address for the inaugural Boston Conference on Cyber Security (BCCS 2017).  Director Comey addressed various industry, cyber security, FBI, law enforcement and military experts in attendance regarding current cyber threats to both industry and government assets and the FBI’s approach to confronting them.   During his remarks, Director Comey was asked to opine on the biggest cyber threat to healthcare providers, to which Comey quickly responded, “ransomware.” Continue Reading Advice to Healthcare Providers on Ransomware from the Head of the FBI

Last week, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) released new guidance on reporting and monitoring cyber threats.  The guidance urges covered entities and business associates to report suspicious activity, including cybersecurity incidents, to the United States Computer Emergency Readiness Team (US-CERT). US-CERT is an organization within the Department of Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC) that is responsible for analyzing and reducing cyber threats and vulnerabilities, disseminating cyber threat warning information, and coordinating incident response activities. It is operational 24 hours a day, and accepts, triages, and collaboratively responds to incidents. Continue Reading OCR Releases Guidance on Reporting and Monitoring Cyber Threats

As reported on the Privacy and Security Matters blog last week, the Mintz Levin privacy team recently updated the “Mintz Matrix,” a summary of the U.S. state data breach notification laws that we update on a quarterly basis, or more frequently as needed.  In addition to HIPAA, health care organizations must remain aware of the separate state notification obligations and other privacy and security laws when responding to data breaches. The Mintz Matrix is available here.

Continue Reading Mintz Matrix Updated with Amended State Data Breach Notification Laws in Five States

On February 16, 2017, the HHS Office for Civil Rights (OCR) disclosed a $5.5 million settlement with Memorial Healthcare Systems (MHS) for HIPAA violations affecting the protected health information (PHI) of 115,143 individuals. The Resolution Agreement, which can be found here, also contains a detailed corrective action plan (CAP).

The Florida-based health system reported to OCR that the PHI had been impermissibly accessed by MHS employees and impermissibly disclosed to affiliated physician office staff. The PHI consisted of names, dates of birth, and social security numbers.

Continue Reading $5.5 Million HIPAA Settlement Underscores Importance of Audit Controls

Earlier this week, the U.S. Department of Homeland Security (DHS) updated a prior advisory revealing cybersecurity vulnerabilities in St. Jude Medical’s Merlin@home transmitter.

The Merlin@home transmitter is used by patients with St. Jude implantable cardiac devices to wirelessly transmit data from the patient’s cardiac device to the Merlin.net Patient Care Network. The uploaded data can then be monitored by a physician to determine whether the device is functioning properly.  This past January, DHS released an advisory detailing a vulnerability that could allow an unauthorized user to remotely access a patient’s RF-enabled implanted cardiac device by altering the Merlin@home Transmitter. The altered transmitter could then be used to modify the implanted device to rapidly deplete its battery and/or administer inappropriate pacing or shocks to the patient. St. Jude quickly made an update available to patch this vulnerability.

The updated advisory extends the vulnerability to Merlin transmitters that are used by providers. These transmitters contain the same hardware and software as the models used by patients in their home, but have an additional functionality called MerlinOnDemand that allows providers to use one transmitter in their office to obtain device data from multiple patients. According to the advisory, the endpoints between the implanted device and the Merlin.net website are not verified. This makes the transmission vulnerable to a “man-in-the-middle” that would allow an attacker to remotely access the device. St. Jude has said that the MerlinOnDemand-enabled devices will receive the same patch that was provided to the home-based models.

The new vulnerability comes on the heels of the U.S. Food and Drug Administration’s release of final guidance on the postmarket management of cybersecurity in medical devices.