The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) released its October Cybersecurity Newsletter last week with a focus on mobile devices. Given the amount of work conducted on mobile devices (odds are that at least some of you are reading this on a smart phone), the newsletter is practical for many in the health care industry. It is also timely in light of the increasing development and use of health apps. (For those developers interested in HIPAA and mobile devices, see our recent post here.)

The key HIPAA risk faced by those in the health care sector using mobile devices is the compromise of electronic protected health information (ePHI), a risk compounded by the portability of these devices and their frequent lack of robust security. In its newsletter, OCR advises organizations to take some important steps to ensure that ePHI is well-protected on mobile devices. According to OCR, organizations should:

  • Ensure that mobile devices are properly configured before accessing/storing ePHI
  • Train employees on the secure use of mobile devices and the risks of malware infecting mobile devices
  • Implement policies and procedures for mobile devices
  • Take certain IT-related precautions such as:
    • Automatic lock/logoff
    • Logon authentication
    • Regular software/security patch updates
    • Encryption, anti-virus and remote wipe capabilities
    • Use ONLY secure Wi-Fi connections
    • Use Virtual Private Networks (VPNs)
    • Limit downloads to only verified third-party apps

Depending on the size of your organization, some of these recommendations might sound a bit involved, but any efforts now can go a long way to saving you from a data breach. This is particularly true when considering that a breach involving health records can cost upwards of $350 per record.

The newsletter also contains links to much more detailed guidance and information for how to minimize cybersecurity risk on mobile devices.

Last week, the HHS Office for Civil Rights (OCR) launched an improved version of its HIPAA Breach Reporting Tool (HBRT), commonly referred to by OCR and regulated entities alike as the HIPAA “Wall of Shame.” OCR has also made minor changes to the interface for breach reporting.

The HBRT now makes it easy to navigate and mine information on all reported data breaches (breaches must be reported when they involve the protected health information of 500 or more people).

Continue reading: The HIPAA “Wall of Shame” is Now Easier to Navigate

It was a busy April for the Office for Civil Rights (“OCR”) (see our prior post on a settlement from earlier in April). On April 20, OCR announced a Resolution Agreement with Center for Children’s Digestive Health, S.C. (“CCDH”) related to CCDH’s failure to enter into a business associate agreement with a paper medical records storage vendor. The cost of that missing agreement? $31,000. Then, on April 24, OCR announced a settlement with CardioNet, a remote monitoring company for cardiac arrhythmias, related to CardioNet’s failure to implement compliant HIPAA policies and procedures and failure to conduct a sufficient risk assessment. The price of those failures? $2.5 million!

Continue reading: Two HIPAA Mistakes Lead to Fines from OCR

Last week, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) released new guidance on reporting and monitoring cyber threats. The guidance urges covered entities and business associates to report suspicious activity, including cybersecurity incidents, to the United States Computer Emergency Readiness Team (US-CERT). US-CERT is an organization within the Department of Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC) that is responsible for analyzing and reducing cyber threats and vulnerabilities, disseminating cyber threat warning information, and coordinating incident response activities. It is operational 24 hours a day, and accepts, triages, and collaboratively responds to incidents.

Continue reading: OCR Releases Guidance on Reporting and Monitoring Cyber Threats

Data-Thirsty Zombies

This Halloween, the scariest monsters might not be in your closet or under your bed. They may be overseas, orchestrating intrusions into your electronic medical record. Or they may be lurking in your own workforce, carrying around unencrypted laptops or skipping out on HIPAA training. From data harvesting zombie hackers to the impending blood-thirsty auditors of Phase 2, we present a parade of the HIPAA monsters that have been terrorizing regulated entities for most of this year. Be assured that they are lurking around your own privacy and security program just waiting for an opportunity to strike, as soon as you turn off the light, or forget to install the latest security patch or update your risk assessment.

The Sophisticated Overseas (Zombie) Hacker

While we can’t confirm zombie involvement, this monster is responsible for a number of infamous and record-setting breaches this year – CareFirst Blue Cross/Blue Shield (affecting 1.1 million); Premera Blue Cross/Blue Shield (affecting 11.2 million); Anthem (affecting 80 million); UCLA Health (affecting 4.5 million); Excellus BlueCross BlueShield (affecting 10 million); and the Office of Personnel Management (affecting 21.5 million federal workers). Each hacking incident involved detailed personal information such as names, Social Security numbers, financial information, and more.

It seems that no security measures are sufficient to keep this sneaky monster out – it can go for months or even years without being detected, causing staggering amounts of damage and raising questions about the sufficiency of even the most sophisticated security system. For example, the recent Excellus hack occurred over a year and a half before being discovered, according to the company’s website notification and FAQs. Your best defense against this monster: encryption, potentially (but read on), as well as a comprehensive audit and activity review program.

Continue reading: Data-Harvesting Zombie Hackers, Blood-Thirsty Auditors, and Other Reasons to be Scared on Halloween

The HHS Office for Civil Rights (OCR) has released a new platform to provide mobile health developers (and any other interested stakeholders) a sounding board to ask questions, voice concerns, and “spitball” ideas about HIPAA and its interplay in the Health IT space. Users can submit questions and comments on the site, on which other viewers can comment and vote (similar to “liking” a timeline post on Facebook). All comments remain anonymous and OCR has stated specifically that they will not be used as the basis of enforcement actions. Although OCR will not normally respond to these comments, it has said that feedback provided through the platform will be used to inform the development of future guidance.

Continue reading: OCR Launches Platform for Developer HIPAA Questions

The HHS Office of Civil Rights (OCR) and the Workgroup for Electronic Data Interchange (WEDI) are co-sponsoring four upcoming webinars to help smaller health care providers, many of whom feel overwhelmed by the 138-page HIPAA Omnibus Rule, better understand HIPAA compliance and enforcement topics. The webinars will specifically focus on practical strategies for implementing the Omnibus Rule’s new requirements within a small clinical practice.

Continue reading: OCR Announces Free HIPAA Omnibus Rule Webinars

Written by: Dianne Bourque and Stephanie Willis

No one wants to be the first, especially not in this case.  The Department of Health and Human Services’ Office of Civil Rights (OCR) announced its first settlement with a covered entity stemming from a report submitted pursuant to the Health Information Technology for Economic and Clinical Health Act’s (HITECH) Breach Notification Rule (the “Rule”).  According to the Resolution Agreement, Blue Cross Blue Shield of Tennessee (BCBST) has agreed to pay the U.S. Department of Health and Human Services (HHS) $1.5 million to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules and submitted to an extensive 450-day corrective action plan with two required biannual reports to address deficiencies in its HIPAA compliance program.

Since the Rule’s publication in August 2009, covered entities have had to notify the Secretary and affected individuals of any breach of unsecured protected health information.  If the breach affects more than 500 individuals, notification must be provided to the media.  Breaches affecting fewer than 500 individuals must be reported to the Secretary on an annual basis.

On November 3, 2009, BCBST reported to HHS that 57 unencrypted computer hard drives, among other computer equipment, were stolen around October 2, 2009 from a network data closet at an unstaffed facility that it leased.  The computer hard drives were part of a system which recorded and stored over 300,000 video recordings and over 1 million audio recordings of customer service calls.  The data contained the protected health information (PHI) of just over 1 million individuals, including member names, social security numbers, diagnosis codes, dates of birth, and health plan identification numbers. The breach happened only a month before the computer servers containing the data were to be transferred to another facility.

OCR determined that BCBST failed to implement both administrative and physical safeguards required under the HIPAA Security Rule.  First, BCBST neglected to perform the required security evaluation in response to operational changes – the transfer of staff from the facility and the transfer of security responsibilities to the property management company.  Second, even though the network data closet was secured by biometric and keycard scan security with a magnetic lock and an additional door with a keyed lock, OCR still determined that BCBST did not use adequate controls restricting facility access – likely because it had not evaluated the quality of or educated the property management’s security services on how to secure the PHI contained in the servers.

Even though the annual deadline for reporting breaches affecting fewer than 500 individuals has already passed (mentioned in our 2/7/12 post), it is never too early for covered entities and their business associates to evaluate and improve internal HIPAA compliance processes. BCBST was the first, but there are bound to be more enforcement actions related to disclosures under the Rule, and every organization can benefit from a comprehensive HIPAA/HITECH checkup.

Written by Dianne Bourque

The HHS Office of Civil Rights has begun notifying the 150 covered entities chosen for its first round of audits under HITECH, and it has posted a sample audit notification letter.    

If your organization receives one of these letters, immediate attention is critical.  You may have as few as ten days to respond to documentation requests accompanying the audit notification.  Requested documentation will likely include policies and procedures, forms, evidence of HIPAA privacy and security program implementation (such as documentation of completed training), and other documentation required by the HIPAA privacy rule and security standards.  A site visit may occur as soon as thirty days following the audit notification letter.  During a site visit, auditors will interview key personnel and observe your business operations to evaluate compliance. 

Don’t wait until you receive an audit notification letter to evaluate your HIPAA compliance program. There is never a good time to have a gap in your program, but the stakes are even higher in the post-HITECH world.