Category: HIPAA News

respiratory disease.

CMS Administrator Seema Verma explained that the Trump Administration is eliminating bureaucratic red tape to allow the healthcare delivery system to use its time and means for patient care.

The CMS has acknowledged that gathering quality measured data and sending reports for services for the duration of the COVID-19 outbreak might not represent the real level of performance in areas like cost, readmissions, and the experience of the patient. The switch will additionally alleviate the burden on health professionals during these extraordinary situations.

Policy exclusions and extensions are given for 2019 and the data submissions deadlines in 2020 for the following quality reporting programs:

Provider Programs
Medicare Shared Savings Program Accountable Care Organizations (ACOs)
Quality Payment Program – Merit-based Incentive Payment System (MIPS)

Hospital Programs
Ambulatory Surgical Center Quality Reporting Program
End-Stage Renal Disease (ESRD) Quality Incentive Program
CrownWeb National ESRD Patient Registry and Quality Measure Reporting System
Hospital-Acquired Condition Reduction Program
Hospital Outpatient Quality Reporting Program
Hospital Value-Based Purchasing Program
Hospital Inpatient Quality Reporting Program
Hospital Readmissions Reduction Program
Inpatient Psychiatric Facility Quality Reporting Program
Promoting Interoperability Program for Eligible Hospitals and Critical Access Hospitals
PPS-Exempt Cancer Hospital Quality Reporting Program

PAC Programs
Hospice Quality Reporting Program
Home Health Quality Reporting Program
Inpatient Rehabilitation Facility Quality Reporting Program
Long Term Care Hospital Quality Reporting Program
Skilled Nursing Facility Value-Based Purchasing Program
Skilled Nursing Facility Quality Reporting Program

More information about the new reporting due dates, exclusions, and extensions are available on this CMS web page.

The Healthcare and Public Health Sector Coordinating Council (HSCC) has issued guidelines for sharing cyber threat data. The new guidance document is supposed to assist healthcare companies in developing, implementing, and maintaining a successful cyber threat data sharing program to minimize risks.

The new document is based on earlier guidance, the Health Industry Cybersecurity Matrix of Information Sharing Organizations (HIC-MISO), which presented the key Information Sharing and Analysis Organizations (ISAOs) for the healthcare industry determined by the HSCC. The new guidance document will enable organizations to know which information to share, in what way the information can be shared, and how to secure sensitive data, as well as providing recommendations for acquiring internal and legal authorizations for data sharing processes.

One of the primary benefits of taking part in these programs is to know about probable attacks and the mitigations to employ to avert getting victimized. In the event that an attack happens at one healthcare company, it is likely that the same attacks will occur on others. By means of sharing threat information, healthcare companies could learn about the attacks from others and prepare an improved security posture. This is predominantly crucial for healthcare companies with minimal resources for cybersecurity as it makes it possible for them to get cybersecurity expertise by crowdsourcing.

The threat landscape changes quickly and cybercriminals are continually developing new ways of attack. Cyber threat intelligence sharing programs allow participants to stay on top of new attack strategies and take action on reducing risk by means of speedy sharing of actionable intelligence. Cross-organizational venture additionally helps to better patient safety via the creation of trusted networks that help handle possible threats.

The guidance document will enable organizations to start outlining the actions they need to take prior to participating in a threat information sharing program. Getting ready calls for the establishment of information sharing goals and objectives, and governance models to regulate compliance. Information sharing assets need to be classified. There must be a governance body created and sanitization regulations established. HSCC advises the early involvement of the legal department on the information sharing process and ensuring the understanding of the value and extent of information sharing.

The HSCC cyber threat information sharing document specifies the types of data that must be shared, for instance strategic, operational, tactical, and technical intelligence, open-source information and data on incident response. Threat intelligence not just includes data about malware, hacking tactics, and threat actors, but also the variety of forms of threat intelligence data, which encompass all cyber risk that can affect the medical industry, for instance, insider threats, third-party risks, regulatory risks, cybersecurity risks, and geopolitical risks.

The guidance additionally gives recommendations for sharing information, including the use of the traffic light protocol, setting up legal protections against any liability, and the information about the people to whom the threat data can be shared with. The document ends with case studies demonstrating the benefits of sharing information to the community and secure against cyber attacks.

The new guidance about cyber threat information sharing is available for download here.

The University of Kentucky (UK) is fighting to get rid of downloaded malware on its network last February 2020. Cybercriminals were able to access the UK network and downloaded cryptocurrency mining malware which employed the processing functionality of UK computers for mining Bitcoin and various cryptocurrencies.

The malware brought about a substantial network slowdown with momentary computer system failures causing repetitive every day interruptions to daily functions, particularly in UK healthcare.

UK is convinced that the attack was settled after a month of work. On Sunday morning, UK conducted a major IT systems reboot, which lasted about 3 hours. The UK feels the cybercriminals were removed from its systems, however, they will be tracking the network carefully to make sure the blocking of external access. The attacker is thought to be from outside the U.S.A.

UK Healthcare caters to over 2 million patients and operates the Good Samaritan Hospital in Lexington, KY and the UK Albert B. Chandler Hospital. Although computer systems were seriously affected at times, there is no impact on patient care and patient safety.

An investigation of the breach with the assistance of third-party computer forensics experts was started. According to University spokesman Jay Blanton, it is difficult to know if any sensitive information was viewed or copied. It is believed that the malware attack was exclusively done to hijack the UK network’s “vast processing capabilities” and use it for mining cryptocurrency.

UK took steps to strengthen its cybersecurity, which includes installing the CrowdStrike security software program. Over $1.5 million was spent getting rid of hackers from the network and improving security.

Systems Reboot at Arkansas Children’s Hospital to Manage ‘Cybersecuirty Threat’

Arkansas Children’s Hospital located in Little Rock has encountered a cyberattack, which impacted Arkansas Children’s Northwest and Arkansas Children’s Hospital. The hospital rebooted its IT systems to deal with the cybersecurity threat and engaged an independent digital forensics company to help with the investigation.

There is no disclosure yet regarding the exact nature of the threat. It is also unclear as of this time when the attack will be fixed. All Arkansas Children’s Hospital facilities continue to provide patient care but rescheduled some non-urgent consultations.

There is a continuing investigation of the attack. At this point, there is no evidence found that indicates the breach of patient information.

Jessica Meier, 41, of Hamlin, NY, was accused of unauthorized access of the health records of a patient, on countless instances in an effort to discover facts that may be employed in a child custody case. She was an ex-employee of ACM Global Laboratories, which is an associate of Rochester Regional Health,

The supposed HIPAA violations were put under a criminal investigation when allegedly Jessica Meier had abused her access rights to patient data for malicious reasons.

Kristina Ciaccia had a relationship with the half brother of Meier in the past and has an extended child custody case. In court, Ciaccia knew of a historic visit by her own brother to the Rochester Regional Health emergency room, when she herself did not know about the visit. She suspected the snooping on the medical records of her family and reported the issue to Rochester Regional Health.

In accordance with the court records, the Rochester Regional Health audit showed that Meier had accessed Ciaccia’s private medical records on over 200 times from March 2017 to August 2019 without any legit work reason. It was also affirmed that Meier had seen the health records of Ciaccia’s family members.

Ciaccia submitted a report of the criminal HIPAA violations to law enforcement, which prompted the investigation. Meier had an arraignment in Gates Town Court on February 11, 2019 regarding 215 felony counts of computer trespass plus 215 counts of a misdemeanor for the unauthorized access of a computer. The case will likely be heard before a grand jury after Meier pleaded not guilty to all counts.

Snooping into somebody’s health records must be held accountable and charged. Ciaccia feels that Rochester Regional Health must also be held responsible, not for the breach but for the inability to tag a recurring privacy violation that happened for over two years.

Rochester Regional Health only knew about the unauthorized health record access after Ciaccia submitted a report of the potential privacy violation. Ciaccia stated that she felt like Rochester Regional paid Meier all year to access her health records. Rochester Regional Health subjected Meier to disciplinary action after being aware of the unauthorized access.

HIPAA necessitates healthcare institutions to employ safety measures to protect the confidentiality, availability, and integrity of patient data. Even though there are access controls and other security measures implemented, it isn’t possible to stop all instances of improper access to health records by employees. Nevertheless, when improper accesses occur, they must be identified immediately.

HIPAA expects healthcare organizations to maintain audit logs to monitor the accessing of protected health information. Those logs make it possible to perform audits, like the case when Ciaccia brought the matter to Rochester Regional Health’s attention.

HIPAA additionally calls for the regular checking of audit logs to recognize unauthorized PHI access. If the audit logs were monitored more carefully, Rochester Regional Health should have identified the privacy violation and applied the sanctions against Meier a lot sooner.

Sunshine Behavioral Health Group located in Portland, OR provides healthcare companies with business services. The group submitted a breach report of its web-based system where patient medical records were stored. Due to an accidental misconfiguration, anyone could access patient data online.

The group uncovered the problem on September 4, 2019 and immediately executed access controls to prevent unauthorized access to patient records. On November 14, 2019, the group also restricted access to patient records online.

On December 23, 2019, Sunshine Behavioral Health Group confirmed that the following information was contained in a folder located in the cloud-based system: names, physical addresses, debit/credit card numbers, digital signatures of individuals who paid for medical services, security codes, and expiry dates.

The people whose data were exposed included those who paid for services at the addiction treatment and rehabilitation centers of Willow Springs Recovery, Chapters Capistrano, Mountain Springs, and Monarch Shores.

The group provided all people who had their data exposed two years of complimentary MyIDCare protection services.

The incident has not been published on HHS’ Office for Civil Rights breach portal so it is uncertain at the moment how many individuals were impacted.

Patient Data Exposed Due to Lake County Behavioral Health Burglary

A break-in at Lake County Behavioral Health in Clearlake, CA on December 5, 2019 resulted in the stealing of a locked filing cabinet which has the health records of clients.

The stolen records may contain the following information about the patients: names, contact numbers, prescription medications, case numbers, consultation schedules, payments, and amounts due. One file additionally contained a patient’s birth date, healthcare history, Social Security number, income verification details, disability status, Medi-Cal ID number and record of substance use.

Lake County Behavioral Health sent breach notifications by mail to all patients whose information was taken and instructed them to send a fraud report in case of data misuse. All remaining patient records were moved to a locked room inside the facility that is secured with an alarm system and 24-hour video monitoring. The break-in is still under investigation by the Clearlake Police Department. There is no apprehension yet so far.

The HIPAA Breach Notification Rule (45 C.F.R. § 164.408) necessitates healthcare companies to report data breaches involving 500 and up medical records to the Secretary of the Department of Health and Human Services (HHS) not beyond the 60 days after uncovering a breach. Breaches of under 500 medical records may be reported to the DHS at any date provided that it is not after 60 days from the close of the calendar year wherein the data breach happened.

This means healthcare data breaches affecting less than 500 records ought to be reported to the HHS on or before March 1 every year. However, since 2020 is a leap year, February has one extra day. Therefore, the due date for reporting breaches that affected less than 500 persons is one day earlier – on or before February 29, 2020.

All breach reports ought to be sent to the Secretary of the HHS through the Office for Civil Rights. Every data breach ought to be reported on their own including the complete details regarding each breach. In case there are a couple of small data breaches encountered in the 2020 calendar year, sending breach reports might take longer. It is hence a good idea not to delay until the last minute to submit the data breach reports to be sure not to forget the due date. In case data breach reports are sent in after the 60-day deadline, there are going to be monetary penalties.

In cases where the number of people impacted by a data breach is not yet known, an approximate number of individuals impacted by the breach must be given. It isn’t allowable to defer breach reporting. Once the exact number of impacted people is identified, there should be a report of an addendum. Addenda ought to also be employed to update breach reports when there are more details concerning the breach.

A new report from Coveware, a ransomware incident response company, has a new report that showed the sharp increase in payments made by ransomware victims in Q4 of 2019. There is a doubling of average ransomware payment in Q4 since two of the high profile ransomware gangs, Sodinokibi and Ryuk, began attacking big enterprises. The average ransom payment of $41,198 in Q3 of 2019 jumped to $84,116 in Q4.

The big increase in ransom demands is mostly because of the two ransomware gangs’ changing strategies. Ryuk is currently seriously targeting big enterprises. Victim companies have an average number of employees of 1,075 in Q3 and went up to 1,686 in Q4. The biggest ransom demand in Q4 was $779,855.5, which jumped from $377,027 in Q3.

In Q4, the frequency of ransomware attacks is as follows:

• 29.4% – Sodinokibi
• 21.5% – Ryuk
• 10.7% – Phobos
• 9.3% – Dharma
• 6.1% – DoppelPaymer
• 5.1% – NetWalker
• 10.7% – Snatch, Rapid, GlobeImposter or IEncrypt ransomware variants

The ransomware variants mentioned above are usually spread using the ransomware-as-a-service model, where affiliates could register and employ the ransomware and keep a percentage of the ransom payments. The more advanced gangs are careful in accepting affiliates while the smaller ransomware gangs accept any affiliate. Only a few affiliates are employed to send Sodinokibi, with a few focusing on various kinds of attacks. A Sodinokibi affiliate has extensive expertise in remote tracking and management tools and is an expert in attacking managed service providers.

Ransomware is generally installed by buying stolen RDP credentials or brute-forcing weak RDP credentials. This strategy is employed in over 50% of successful ransomware attacks. The next strategy is phishing (26%) and exploiting software vulnerabilities (13%).

Coveware discussed in the report that attackers give valid keys to 98% of victims who paid the ransom, thus allowing them to decrypt the files. The likelihood of success really relies upon the ransomware variant employed. Certain threat actors default after getting the ransom payment and do not give valid keys. Threat groups connected with the ransomware Phobos, Rapid, and Mr. Dec, were known as frequent defaulters, less picky and accepts any affiliate.

Even with valid decryptors, it is expected that there will some data loss. On average, 97% of the companies helped by Coveware were able to recover data. The 3% permanently lost files were corrupted at the time of data encryption/decryption. More advanced attackers like the Sodinokibi and Ryuk threat actors are usually more cautious in data encryption making sure that file recovery is achievable and their reputation isn’t ruined.

The average downtime after a ransomware attack were 12.1 days in Q3 of 2019 and 16.2 days in Q4. This is mainly because of the growth in attacks on big businesses that have sophisticated systems that take more time to bring back.

The statistics for the report normally only consist of ransomware victims that engaged Coveware’s services to make a deal with the attackers and help with recovery. A lot of companies opt to talk with the attackers themselves or employ alternative ransomware recovery companies.

Beaumont Health in Southfield, MI, a non-profit 8-hospital health system, learned about the unauthorized access to its patients’ health data by an ex-employee who likely disclosed protected health information (PHI) with another person.

Upon knowledge of the unauthorized access of health documents, the hospital system started an internal investigation. The access logs of the ex-employee were examined and showed the unauthorized access initially took place on February 1, 2017 and went on until October 22, 2019. Then, the healthcare provider learned about the data breach in December 2018.

Beaumont Health mentioned its internal investigation established on December 10, 2019 that the ex-employee had access to the health records of 1,182 patients for 20 months. The data likely acquired and exposed included names, email addresses, addresses, contact phone numbers, Social Security numbers, dates of birth, health insurance details, and reasons for seeking health care.

The person with whom the ex-employee shared the data was associated with a personal injury attorney. A lot of the patients whose data were accessed had gotten treatment for injuries acquired in motor vehicle accidents.

Once unauthorized access was affirmed, Beaumont Health terminated the employee for breaking hospital guidelines and HIPAA Regulations. The data breach report has been sent to authorities and Beaumont Health stated it will help law enforcement in case of pursuing prosecution. The incident was additionally reported to the Michigan Health and Hospital Association.

Beaumont Health sent by mail notification letters to all impacted patients. People who had their Social Security numbers exposed likewise got offers of credit monitoring and identity theft protection services. Individuals were told to be careful about the danger of identity theft and fraud and were instructed to monitor their explanation of benefits statements and accounts diligently and to report in case of misuse of their information.

To avoid the happening of identical breaches, Beaumont Health kept up to date its internal policies and procedures.

Previous VA Employee Got Sentence for Leaking Health Records of Ex-Army Major

Jeffrey Miller, 40, of Huntington, WV, a Department of Veteran Affairs’ Benefits Administration ex-employee, received his sentence for the unauthorized access of the health records of veterans and for exposing the healthcare data of ex- U.S. Army major who campaigned for a position in Congress in West Virginia.

Miller pleaded guilty to obtaining the health information of 6 veterans, among them was the retired Army Major, Richard Ojeda. Photos of the information were obtained and mailed to a friend. The picture of Ojeda’s healthcare records was then handed out to high-ranking Republicans in an effort to manipulate his 2018 election campaign for the 3rd Congressional District in West Virginia.

The federal court announced the sentence on Miller on January 21, 2020 and will be imprisoned for 6 months.

The California Consumer Protection Act (CCPA) became effective beginning January 1, 2020. CCPA increased privacy protections for state residents and provided Californians with new rights concerning their personal information.

Healthcare information that is covered by the Health Insurance Portability and Accountability Act (HIPAA) Rules and California’s Confidentiality of Medical Information Act (CMIA) were not covered by the CCPA however it is still possible for CCPA to bring about compliance problems for healthcare companies.

The purpose of the new bill AB 713 is to make compliance easier by including more categories of data to the exemptions of CCPA, particularly health information that were de-identified according to HIPAA Rules, personal data employed for public health and safety reasons, medical research information, and health data gathered, maintained, or utilized by business associates of HIPAA-covered entities. The Health Committee of the State Senate unanimously approved the bill this month.

The modification to the exemption for deidentified health information is necessary because the definitions of deidentified information vary with the HIPAA and CCPA and information de-identified according to HIPAA could still consist of information covered by CCPA. HIPAA simply requires taking away identifiers that can be utilized to identify patients. There is no requirement to remove identifiers for employees or providers that are covered by CCPA.

AB 713 includes a new exemption for health information that is deidentified according to HIPAA, as long as these three conditions are satisfied:

Data is deidentified by means of the safe harbor or expert determination approach explained in 45 CFR § 164.514 (b); data is obtained from protected health information, medical data, individually identifiable health data, or identifiable private data, in line with the Federal Policy for the Protection of Human Subjects (Common Rule); the business or business associate doesn’t attempt to or really re-identify people from the information.

The exemption is applicable to data deidentified according to HIPAA. This exemption would consequently likewise be applicable to entities not under HIPAA.

Although AB 713 will exempt deidentified data, a business needs to disclose, through a consumer-facing public notice, when deidentified data is shared with third parties and the method employed to deidentify the information.

CCPA doesn’t cover certain types of personal data utilized for research, like data gathered for clinical trials governed by the Common Rule. AB 713 provides more exemptions for personal data gathered or employed in

• biomedical research studies governed by institutional review board standards
• the International Council for Harmonization’s good clinical practice guidelines
• the ethics and privacy standards of the Common Rule
• the FDA’s human subject protection requirements
• research, governed by all applicable ethics and privacy laws,
• individually identifiable health data (45 CFR § 160.103)
• medical data covered by the California Confidentiality of Medical Information Act (CMIA)

AB 713 additionally includes an exemption for personal data that is employed for the purposes below, given the data is covered according to all confidentiality and privacy provisions pertinent under federal or state regulation:

• Public health activities and purposes explained in 45 CFR § 164.512
• Product registration and tracking in line with applicable FDA rules and regulations
• FDA-regulated quality, security, and efficiency activities

HIPAA is applicable to healthcare companies, health plans, healthcare clearinghouses, and business associates of entities but is HIPAA applicable to schools also? This post will explore the application of HIPAA to schools and how it intersects with the Family Educational Rights and Privacy Act (FERPA).

Is HIPAA Applicable to Schools?

In general, HIPAA doesn’t apply to schools since they are not HIPAA covered entities, however, in particular cases a school can be a covered entity when students are provided healthcare services. In such instances, HIPAA may still not be applicable since any student health data gathered would be contained in the students’ education records and education records are exempt from the HIPAA Privacy Rule but are covered by FERPA.

Increasingly more schools are providing healthcare services to their students. Medical experts are employed by certain schools, a few have on-site health clinics, and they frequently distribute medications and administer vaccines. When giving healthcare services, health information is gathered, stored, maintained, and transmitted. Even though a school employs nurses, physicians or psychologists, schools are not generally categorized as covered entities since they do not perform healthcare transactions electronically for which the Department of Health and Human Services has used standards. The majority of schools fall under this category as not covered entities therefore HIPAA does not apply.

Several schools hire a healthcare organization that conducts electronic transactions for which the HHS has implemented standards. In this instance, the school is categorized as a HIPAA covered entity. The HIPAA Transactions and Code Sets and Identifier Rules should be followed when there are electronic transactions, but it wouldn’t be mandatory to comply with the HIPAA Privacy Rule when healthcare data is saved in education records, which are covered by FERPA. When health information is kept in education records, it isn’t categorized as protected health information (PHI) and is consequently not covered by the HIPAA Privacy Rule. However, the school would need to comply with FERPA privacy requirements.

One circumstance where the HIPAA Privacy Rule would be applicable is when a healthcare specialist gives medical services such as vaccinations at the school yet he is not employed by the school. In this scenario, the healthcare expert must comply with HIPAA, the HIPAA would cover the data while it is kept by the healthcare expert, and that individual should get authorization before the disclosure of health information to the school. When those data are added to the student’s education records, FERPA would apply instead of HIPAA.

FERPA, HIPAA, and Private Schools

FERPA covers all educational institutions that get direct funding via programs administered by the Department of Education. FERPA consequently covers public schools. Private schools are not usually covered by FERPA since they receive no federal funding from the Department for Education. When the private school isn’t covered by FERPA, it may or may not be covered by HIPAA subject to whether or not it executes electronic transactions for which there are standards required by the HHS. If it does, it must adhere to HIPAA although if not, the HIPAA and FERPA would not apply.

Additional Information

To help clarify issues regarding health information disclosures under FERPA and HIPAA, the U.S. Department of Education and the HHS’ Office for Civil Rights made updates to their shared guidance in December 2019. The modified guidance is accessible on this link.