HIPAA/Privacy & Security

On February 16, 2017, the HHS Office for Civil Rights (OCR) disclosed a $5.5 million settlement with Memorial Healthcare Systems (MHS) for HIPAA violations affecting the protected health information (PHI) of 115,143 individuals. The Resolution Agreement, which can be found here, also contains a detailed corrective action plan (CAP).

The Florida-based health system reported to OCR that the PHI had been impermissibly accessed by MHS employees and impermissibly disclosed to affiliated physician office staff. The PHI consisted of names, dates of birth, and social security numbers.

Continue Reading $5.5 Million HIPAA Settlement Underscores Importance of Audit Controls

Earlier this week, the U.S. Department of Homeland Security (DHS) updated a prior advisory revealing cybersecurity vulnerabilities in St. Jude Medical’s Merlin@home transmitter.

The Merlin@home transmitter is used by patients with St. Jude implantable cardiac devices to wirelessly transmit data from the patient’s cardiac device to the Merlin.net Patient Care Network. The uploaded data can then be monitored by a physician to determine whether the device is functioning properly.  This past January, DHS released an advisory detailing a vulnerability that could allow an unauthorized user to remotely access a patient’s RF-enabled implanted cardiac device by altering the Merlin@home Transmitter. The altered transmitter could then be used to modify the implanted device to rapidly deplete its battery and/or administer inappropriate pacing or shocks to the patient. St. Jude quickly made an update available to patch this vulnerability.

The updated advisory extends the vulnerability to Merlin transmitters that are used by providers. These transmitters contain the same hardware and software as the models used by patients in their home, but have an additional functionality called MerlinOnDemand that allows providers to use one transmitter in their office to obtain device data from multiple patients. According to the advisory, the endpoints between the implanted device and the Merlin.net website are not verified. This makes the transmission vulnerable to a “man-in-the-middle” that would allow an attacker to remotely access the device. St. Jude has said that the MerlinOnDemand-enabled devices will receive the same patch that was provided to the home-based models.

The new vulnerability comes on the heels of the U.S. Food and Drug Administration’s release of final guidance on the postmarket management of cybersecurity in medical devices.

On January 18th, the U.S. Department of Health and Human Services (HHS) and 15 other federal agencies issued a final rule updating regulations for the protection of human research subjects, the so-called “Common Rule.”  The original Common Rule had been in place for almost 30 years, with little change despite significant research and technology advances during that time.  Further change is on the horizon for the Common Rule, as the 21st Century Cures Act (Cures) includes a mandate for HHS and the Food and Drug Administration (FDA) to harmonize long-standing differences between the Common Rule and FDA Human Subject Protection regulations.    Continue Reading The Newly Updated Common Rule is Here – And On a Collision Course With the 21st Century Cures Act

The U.S. Department of Health and Human Services, Office for Civil Rights (OCR) recently announced the first ever settlement related to a Covered Entity’s untimely breach notification in violation of HIPAA.  Presence Health, a health care network in Illinois, discovered a breach of unsecured personal health information (PHI) on October 22, 2013.  After reporting the breach to OCR over three months later on January 31, 2014, OCR determined that Presence Health failed to notify OCR, each of the affected individuals, and prominent media outlets of the breach without unreasonable delay and within 60 days of learning of the breach, as required of Covered Entities under HIPAA. The violation resulted in a $475,000 settlement between OCR and Presence Health.

Continue Reading Recent HIPAA Enforcement Actions

On January 12th at 1:00pm EST, my colleague Susan Foster, PhD will present a webinar on Transferring Data from the EU.  In particular, Sue will discuss the ways in which the EU General Data Protection Regulation creates new avenues for data transfers, and narrows others, and will also address sector-specific Commission decisions, privacy seals/certifications, the exception for non-repetitive, limited transfers, and the outlook for BCRs and Model Clauses.

Click here to register!  If you’ve missed the other installments of this important series on EU privacy, recording are available here.

As we reported earlier this week, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights described a phishing campaign that is attempting to convince recipients of their inclusion in OCR’s Phase 2 audit program. The email, which was disguised as an official communication, suggests that recipients click on a link. This link takes recipients to a non-governmental website marketing cybersecurity services.

On Wednesday, OCR followed up their alert with additional details about the phishing campaign. According to OCR, the phishing email originates from the email address OSOCRAudit@hhs-gov.us and directs individuals to a URL at http://www.hhs-gov.us. OCR points out the subtle difference from the official email address for its HIPAA audit program, OSOCRAudit@hhs.gov, noting that such subtlety is typical in phishing scams.

OCR also took the opportunity to confirm that it has notified select business associates of their inclusion in the Phase 2 HIPAA audits.  For more information about the Phase 2 audit program please visit our earlier post.

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) published an alert on Monday describing a phishing campaign disguised as an email from OCR. The email is being circulated on mock HHS letterhead under the signature of OCR’s Director Jocelyn Samuels and is being sent to HIPAA covered entities and their business associates.  The email prompts recipients to click a link regarding possible inclusion in the HIPAA Privacy, Security, and Breach Rules Audit Program. When clicked, the link takes the recipient to a non-governmental website marketing a firm’s cybersecurity services. In its alert, HHS clarified that it is in no way associated with the firm.

Covered Entities and Business Associates should be aware of this email and should make their workforces aware of it.  This can also serve as an important reminder of the importance of being vigilant about phishing campaigns and not clicking links in any email that seems suspicious or unexpected.

While the firm’s specific claims of inclusion in the audit program are not based in fact, OCR’s audit program is itself quite real. This past July we discussed the audit letters that were sent to health care providers and health care clearinghouses alerting them to their inclusion in the audit. We also described how OCR would be auditing businesses associates during the fall season. Given that fall is upon us, it is now more critical than ever for business associates to review their compliance efforts.

In non-election news, the Office for Civil Rights (OCR) at the Department of Health and Human Services recently released its November Cyber Awareness Newsletter.  This month’s newsletter focuses on the topic of authentication.  OCR encouraged health care companies to review and strengthen their authentication methods and other safeguards to avoid breaches of electronic protected health information (ePHI).

Continue Reading OCR Reminds Companies that Authentication is Key

If you missed the Mintz Levin Privacy and Security Practice Webinar last week, you can still get it here!

The current Privacy Webinar Series is focusing on the EU General Data Protection Regulation (GDPR), which will impact how US businesses handle and process personal data from the EU, including possible changes to business processes.  The healthcare industry is no stranger to privacy and data protection, but any business that deals with personal data from the EU needs to understand the reach and scope of the GDPR, so they can prepare for this potentially game-changing privacy regulation.

In the webinar focusing on Accountability, Data Security, Data Impact Assessments and Breach Notification, our colleague Sue Foster covers the practical implication of the GDPR for your business.

And register now for the next webinar in the series on November 10, which will focus on the new restrictions around relying on user consent to data processing and data transfers.

On October 7, 2016, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) published guidance to assist cloud service providers (CSPs) and their customers with HIPAA compliance. As discussed below, the guidance clarifies important questions about operating in the cloud, including the role of encryption when determining whether a cloud service provider is a business associate. Continue Reading HHS Publishes Guidance on HIPAA and Cloud Computing