The July 2018 cyber security newsletter issued by the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) reminds health care providers and their business associates of the importance of properly disposing of and destroying electronic devices and/or media that are no longer needed or that will be repurposed. The HIPAA Security Rule requires covered entities and business associates to have policies and procedures in place that govern the proper disposal and re-use of hardware and electronic media that contain electronic protected health information (“ePHI”).
The first statistic comes from a recently published study by the Ponemon Institute, with sponsorship from IBM Security, entitled “2018 Cost of a Data Breach Study: Global Overview.” Ponemon’s study found that heavily regulated organizations, most notably the health care industry, face breach costs that are substantially higher than those of their peers. The study found that the per capita cost of a data breach in the health care industry is $408, nearly double that of the financial industry, which claims the second spot on the list. The chart below makes the health care industry’s outlier status crystal clear. (Continued in “These Statistics Keep Health Care Execs Up At Night”)
In its most recent Cybersecurity Newsletter, OCR focuses on the intersection of HIPAA and information security. To be sure, HIPAA requires covered entities and business associates to address their organizations’ information security. This obligation stems from HIPAA’s requirement that covered entities and business associates assess the potential risks and vulnerabilities to the confidentiality, integrity and availability of their electronic protected health information. This is referred to as a “risk assessment” or “risk analysis” and is a core element of HIPAA’s Security Rule. But it is not enough to simply assess or analyze the risk; HIPAA requires that the risks be mitigated. This is particularly important when it comes to information security risk. As OCR states in its newsletter: (Continued in “HIPAA, Security Vulnerabilities and Patching”)
Earlier this week, I moderated a panel discussion at an event hosted by the New York chapter of the Health Information and Management Systems Society (HIMSS). The panel was comprised of private sector health information technology and security experts and was tasked with discussing challenges related to the interoperability and security of health information systems. I started off by asking the panelists how these challenges have evolved over the years, anticipating that the conversation would soon turn to the challenges faced by newer technologies such as cloud computing and artificial intelligence. But it was the panelists’ opinion that many in the health care space continue to struggle with the basics, including basic HIPAA compliance. (Continued in “HIPAA Tips from the Trenches”)
The May 2018 cyber security newsletter from the U.S. Department of Health and Human Services Office for Civil Rights (OCR) focused on a topic often overlooked by covered entities and their business associates: physical security. The HIPAA Security Rule requires covered entities and business associates to implement “physical safeguards for all workstations that access ePHI to restrict access to authorized users.”
Back in late 2015, we blogged about the interesting twist in the $125 million Warner Chilcott settlement that a Massachusetts physician had been criminally charged with violating the Health Insurance Portability and Accountability Act (HIPAA). See HERE for that previous post.
That physician has now been convicted of the HIPAA violation, as well as an unrelated charge of obstructing a federal health care investigation. The US Attorney’s Office in Boston made the announcement late last month.
The Warner Chilcott settlement involved illegal drug promotion. Specifically, sales reps were accused of flagging patient medical records with product brochures and filling out the provider’s prior authorization forms in advance for specific patients. All of this required impermissible access to patient records. The physician’s criminal liability stems from providing these sales reps with access to her patients’ records. In some cases, the reps were even allowed to take the records home with them!
We are often reminded through settlements with the HHS Office for Civil Rights that HIPAA violations are taken seriously and can include hefty fines and corrective action plans (see HERE, HERE and HERE for just a few examples). This case serves as fair warning that intentional misuse of protected patient information can lead to jail time. When this physician is sentenced, she could be looking at up to a year in prison, a $50,000 fine, and a year of supervised release. If you picture a sales rep combing through your personal health issues in his or her living room to determine whether you might be a sales target, it shouldn’t be so surprising that this conduct can rise to the level of criminal liability.
The U.S. Department of Health and Human Services Office for Civil Rights (OCR) recently announced a $100,000 settlement with a company that is no longer in business. Filefax, Inc. (Filefax) was an Illinois company that provided storage and delivery services for medical records held by covered entities. OCR had been investigating Filefax since 2015 for allegedly leaving medical records containing PHI of approximately 2,150 patients in an unlocked vehicle in a Filefax parking lot and/or allowing an unauthorized person to remove the files from the facility.
A court-ordered receiver liquidated Filefax’s assets in 2016. As part of the settlement with OCR, the receiver agreed to pay $100,000 and properly dispose of all medical records and PHI remaining in Filefax’s possession. The settlement amount may be small, but the circumstances are striking. OCR’s pursuit of a settlement against a defunct company serves as a lesson to other health care companies that no one is off limits to HIPAA enforcement actions.
OCR’s press release about the settlement is available here.
As we look back on 2017, one message is clear: don’t be a Scrooge when it comes to HIPAA compliance. With ever-evolving security threats and unrelenting enforcement, regulated entities must maintain a spirit of compliance that lasts the whole year through. It is in that spirit – and with apologies to Charles Dickens – that our HIPAA year in review is brought to you by the ghosts of HIPAA Past, HIPAA Present and HIPAA Yet to Come.
The Ghost of HIPAA Past
2017 continued to be haunted by large-scale data breaches. As reported by our Privacy & Security colleagues, Equifax announced one of the largest breaches in US history in September, which involved highly sensitive information such as social security numbers and birth dates. The Equifax breach didn’t involve health information, but in July, OCR sent a clear message regarding the importance of health information security and ratcheted up the fear factor associated with its HIPAA Breach Reporting Tool (HBRT), commonly referred to as the HIPAA “Wall of Shame.” The updates make it easier to search and view information about data breaches and make it harder for offenders to hide in the aftermath of a breach. (Continued in “Bah, Humbug! HIPAA Compliance Isn’t Getting Any Easier”)
Consumers are increasingly turning to health apps for a variety of medical and wellness-related purposes. This has in turn caused greater amounts of data—including highly sensitive information—to flow through these apps. These data troves can trigger significant compliance responsibilities for the app developer, along with significant legal and contractual risk. This latest installment in our health app series will introduce some of these considerations, including approaches that developers can take to minimize their risk. (Continued in “Building a Health App? Part 6: HIPAA and Other Privacy and Security Considerations”)
As Texas, Florida, and the Caribbean rebuild after the latest string of deadly hurricanes and prepare for the possibility of future storms, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) reminded health care providers of the importance of ensuring the availability and security of health information during and after natural disasters. OCR’s guidance is a good reminder to all health care providers – regardless of where they are located – of the applicability of the HIPAA Privacy and Security Rules during natural disasters and other emergencies.