Deadline for Reporting 2019 Healthcare Data Breaches With Fewer than 500 Health Records

The HIPAA Breach Notification Rule (45 C.F.R. § 164.408) requires HIPAA-covered entities to report breaches of 500 or more health records to the Secretary of the Department of Health and Human Services (HHS) no later than 60 days after the breach is discovered. Breaches of fewer than 500 health records may be reported to HHS at any time, provided the report is submitted no later than 60 days after the end of the calendar year in which the breach was discovered.

That means smaller healthcare data breaches generally have to be reported to HHS by March 1 of the following year. Because 2020 is a leap year, February has an extra day, so the 60-day window ends one day earlier: breaches of fewer than 500 records discovered in 2019 must be reported no later than February 29, 2020.

All breaches must be submitted to the Secretary of HHS through the Office for Civil Rights breach portal. Each breach must be reported separately, with all the required information about that breach. An organization that experienced several small breaches during the 2019 calendar year will therefore need more time to file its reports, so it is advisable not to leave submission until the last minute. Reports filed after the 60-day deadline can result in financial penalties.

If the number of individuals affected by a breach has not yet been determined, an estimate should be provided; reporting must not be delayed until the exact figure is known. Once the actual number is established, an addendum must be submitted. Addenda should also be used to update a breach report whenever additional information about the breach becomes available.

NIST Published Draft Cyber Supply Chain Risk Management Guidance

The National Institute of Standards and Technology (NIST) has released a new draft guidance document on cyber supply chain risk management. Its purpose is to help organizations establish an effective cyber supply chain risk management program.

Organizations today depend on other organizations to supply vital products and services, yet they frequently lose sight of their supply ecosystems. Relying on third parties for products and services brings many advantages, but it also introduces risk. Threat actors can exploit vulnerabilities in supply chains, and attacks on supply chains are increasing.

In the second half of 2018, the supply chain attack known as Operation ShadowHammer compromised ASUS's software update utility. Before the attack was discovered, around 500,000 users of the ASUS Live Update utility had been affected.

The threat group known as DragonFly, also called Energetic Bear, compromised the update websites used by several industrial control system (ICS) software vendors and inserted a backdoor into their ICS software. Three ICS software vendors were compromised, leading to malware infections at firms in the energy sector.

Carbon Black's 2019 Incident Response Threat Report found "island hopping" in 50% of the attacks it examined. Island hopping refers to attacks in which a business is compromised as a stepping stone to its customers and partners.

The Ponemon Institute's November 2018 Data Risk in the Third-Party Ecosystem study found that 59% of companies had experienced a data breach that originated at a third-party supplier. A CrowdStrike report published in July 2018 found that 66% of survey respondents had been affected by a software supply chain attack.

With supply chain attacks on the rise, it is essential that organizations develop and implement an effective cyber supply chain risk management program. However, many organizations do not know where to begin, and those that already have such a program in place often do not consider it effective.

NIST has been studying the problem of protecting supply chains and has published a number of guidance documents and case studies over the last 10 years to help businesses assess and manage supply chain risk. The purpose of the latest guidance document is to help organizations get started with Cyber Supply Chain Risk Management (C-SCRM).

The document sets out a foundational set of key C-SCRM practices, drawn from industry case studies conducted in 2015 and 2019, earlier NIST research and guidance, and industry best-practice documents. Once these foundational practices are in place, more detailed standards, recommendations, and best practices can be applied to strengthen supply chain security further.

The new guidance document, Key Practices in Cyber Supply Chain Risk Management: Observations from Industry (Draft NISTIR 8276), is available for download from NIST. NIST is accepting comments on the draft until March 4, 2020.

NIST Privacy Framework Version 1.0 Released for Download Now

The National Institute of Standards and Technology (NIST) released version 1.0 of its Privacy Framework on January 16, 2020. The Privacy Framework is intended to help organizations of all sizes make use of personal data, including protected health information (PHI), while properly managing privacy risk.

The Privacy Framework is a tool that helps with privacy risk management as well as in achieving and demonstrating compliance with privacy regulations like the Health Insurance Portability and Accountability Act (HIPAA), New York’s Stop Hacks and Improve Electronic Data Security (SHIELD) Act, the California Consumer Privacy Act (CCPA), and the EU’s General Data Protection Regulation (GDPR).

The Privacy Framework can help organizations identify the privacy outcomes they want to achieve, lay out strategies for strengthening privacy protections and reaching those goals, clarify privacy risk management concepts, and show how the framework can be used alongside the NIST Cybersecurity Framework and how the two complement each other. NIST notes that organizations that have adopted the NIST Cybersecurity Framework and have a strong security posture may still not have addressed all of their privacy risks.

Version 1.0 keeps the structure of the September 2019 draft but includes a number of updates made in response to public comments. As in the draft, the Privacy Framework consists of three parts:

  1. Core, a set of privacy activities and outcomes;
  2. Profiles, which help organizations determine which activities are needed to achieve their privacy objectives;
  3. Implementation Tiers, which guide organizations in optimizing the resources they devote to addressing privacy risk.

The framework provides building blocks that can help an organization achieve its privacy goals, including compliance with the laws that apply to it. It can also help an organization that wants to build customer trust by offering more privacy-protective products or services.

The Privacy Framework is not concerned only with obviously sensitive data such as Social Security numbers; it also helps protect lower-value data, including data types that become sensitive when combined with others. New uses of data are constantly being identified, for example in artificial intelligence, so it is better to manage privacy risk with a framework than to work from a fixed checklist of tasks. Adopting the Privacy Framework enables organizations to develop the policies, procedures, and strategies needed to protect data, manage privacy risk appropriately, and keep that risk managed over time.

The framework will help organizations future-proof their products and services with privacy practices that will adjust to evolving technologies, policies, and new laws. The framework additionally deals with some aspects of privacy that are absent from HIPAA but are notably relevant nowadays due to advancements in technology.

The framework serves as a companion roadmap to point the way toward more research to deal with present privacy challenges. NIST is building a repository of guidance resources to help in the implementation of the framework.

Download the NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management on NIST’s website (PDF).

Are Schools Covered by HIPAA?

HIPAA applies to healthcare providers, healthcare clearinghouses, health plans, and business associates of covered entities, but does HIPAA also apply to schools? This post looks at how HIPAA applies to schools and how it relates to the Family Educational Rights and Privacy Act (FERPA).

Does HIPAA Apply to Schools?

In general, HIPAA does not apply to schools because they are not HIPAA-covered entities. In some circumstances, however, a school may be a covered entity if students receive healthcare services there. Even then, the HIPAA Privacy Rule may still not apply, because any student health information collected would typically be placed in the students' education records, and education records are not covered by the HIPAA Privacy Rule but are protected by FERPA.

A growing number of schools provide healthcare services to their students. Many schools employ medical professionals, some have on-site health clinics, and many administer medications and give vaccinations. In providing these services, health information is collected, recorded, stored, and transmitted. Yet even when a school employs nurses, doctors, or psychologists, it is usually not a covered entity, because it does not conduct electronic healthcare transactions for which the Department of Health and Human Services (HHS) has adopted standards. Nearly all schools fall into this category of non-covered entities, so HIPAA does not apply to them.

Some schools do engage a healthcare provider that conducts electronic transactions for which HHS has adopted standards. In those cases the school is a HIPAA-covered entity and must comply with the HIPAA Transactions and Code Sets and Identifier Rules for those electronic transactions. It is still not required to comply with the HIPAA Privacy Rule for health information kept in education records, which are protected by FERPA. Health information stored in education records is not protected health information (PHI) and is therefore not covered by the HIPAA Privacy Rule, but the school must comply with FERPA's privacy requirements.

One case in which the HIPAA Privacy Rule does apply is when a healthcare professional who is not employed by the school delivers medical services, such as vaccinations, on school premises. That professional must comply with HIPAA, the information is covered by HIPAA while it is held by the professional, and the professional must obtain authorization before disclosing the health information to the school. Once the information is placed in the student's education record, FERPA applies instead of HIPAA.

HIPAA, FERPA and Private Schools

FERPA applies to all schools that receive direct funding through programs administered by the Department of Education, so it applies to public schools. Private schools are generally not covered by FERPA because they receive no federal funding from the Department of Education. A private school not covered by FERPA may or may not be covered by HIPAA, depending on whether it conducts electronic transactions for which HHS has adopted standards. If it does, it must comply with HIPAA; if not, neither HIPAA nor FERPA applies.

More Information

To clear up questions about health data disclosures under FERPA and HIPAA, the HHS Office for Civil Rights and the U.S. Department of Education updated their joint guidance in December 2019. The revised guidance is available from both agencies.

DoE and OCR Release Revised Guidance on Sharing Student Health Records Under FERPA and HIPAA

The Department of Education and the Department of Health and Human Services' Office for Civil Rights have revised their guidance on sharing student health records under the Health Insurance Portability and Accountability Act (HIPAA) and the Family Educational Rights and Privacy Act (FERPA).

The original guidance was first published in November 2008 to help school administrators and healthcare professionals understand how FERPA and HIPAA apply to student education and health records. The guidance takes the form of a series of Q&As covering both laws. New Q&As have been added to clear up likely areas of confusion about applying HIPAA and FERPA to student records, including when student information may be disclosed under FERPA and the HIPAA Privacy Rule without first obtaining written consent.

HIPAA applies to healthcare providers, healthcare clearinghouses, health plans, and business associates of covered entities. It does not usually apply to schools, because health information held by an educational institution is generally classified as an education record under FERPA, and the HIPAA Privacy Rule excludes education records from its definition of protected health information (PHI). There are, however, situations in which HIPAA and FERPA intersect.

The HIPAA Privacy Rule requires authorization before health information is shared for purposes other than treatment, payment, or healthcare operations. The guidance clarifies that in emergencies, and in situations where a person's health or safety is at risk, educational institutions and healthcare providers may disclose a student's health information to anyone able to prevent or lessen the harm, including family members, friends, healthcare providers, and law enforcement officers.

The guidance states that healthcare providers may disclose PHI to any person as necessary to prevent or lessen a serious and imminent threat to the health or safety of the patient, another individual, or the public, consistent with applicable law (including state statutes, regulations, and case law) and the provider's standards of ethical conduct. Psychotherapy notes and information about mental health and substance abuse may also be disclosed in specific circumstances, and the update identifies when those disclosures are permitted.

OCR Director Roger Severino mentioned that this current resource empowers school administrators, healthcare companies, and mental health specialists by dispelling the belief that HIPAA forbids the disclosure of health records in emergency cases.

The update also explains when PHI or personally identifiable information may be disclosed to protect a student or other people from harm. The guidance now covers disclosures of health records to law enforcement and to the National Instant Criminal Background Check System as well.

U.S. Secretary of Education Betsy DeVos said that misunderstandings about when information may be shared should never stand in the way of protecting students while they are in school, and that the updated guidance should provide the necessary clarity and help ensure that students get the support they need and school officials have the information they need to keep students safe.

Six Provisions of HIPAA Security Rule that Help Covered Entities Stop, Minimize, and Recover from Ransomware Attacks

Ransomware attacks used to be largely indiscriminate, with file-encrypting malware distributed in bulk spam email campaigns. Since 2017, however, attacks have become far more targeted, with cybercriminals selecting victims that are more likely to pay the ransom.

Healthcare organizations are a prime target because they hold large volumes of sensitive information, have a low tolerance for system downtime, and depend on constant access to data. They also tend to have the means to pay, and most carry cyber insurance. Insurers frequently choose to pay the ransom because it costs less than extended downtime and restoring systems from backups.

With severe attacks occurring more often, healthcare organizations must ensure their networks are well protected and that they have policies and procedures in place for a rapid response when an attack occurs.

Ransomware attacks are growing more sophisticated, and cybercriminals keep developing new tactics and techniques for gaining access to networks and deploying ransomware. Most attacks, however, still rely on tried-and-tested methods to deliver the payload. The most common ways into healthcare networks remain phishing and the exploitation of vulnerabilities such as unpatched flaws in applications and operating systems. By finding and fixing vulnerabilities and strengthening defenses against phishing, healthcare organizations can stop all but the most advanced and determined attackers and keep their networks secure and operational.

In its Fall 2019 Cybersecurity Newsletter, the Department of Health and Human Services explained that most ransomware attacks can be prevented by implementing the requirements of the HIPAA Security Rule, and that HIPAA compliance also positions healthcare organizations to recover quickly when an attack does succeed.

The six provisions of the HIPAA Security Rule most relevant to preventing, mitigating, and recovering from ransomware attacks are the following:

Risk Analysis (45 C.F.R. §164.308(a)(1)(ii)(A))

A risk analysis lets healthcare organizations identify threats to the confidentiality, integrity, and availability of ePHI and address them. Ransomware is frequently introduced by exploiting technical vulnerabilities, including exposed open ports, outdated software, and poor access management and provisioning.

Risk Management (45 C.F.R. §164.308(a)(1)(ii)(B))

All identified risks must be managed and reduced to a low and acceptable level, which makes it much harder for attackers to succeed. Risk management measures include anti-malware software, spam filtering, web filtering, intrusion detection systems, and robust backup systems.

Information System Activity Review (45 C.F.R. §164.308(a)(1)(ii)(D))

If an organization's defenses are breached, the intrusion must be detected quickly. Regular review of information system activity lets healthcare organizations spot anomalous behavior and act to limit an attack in progress. Ransomware is not always deployed as soon as a network is accessed; attackers may wait days, weeks, or months, so activity review can catch a compromise before the ransomware is triggered. Security Information and Event Management (SIEM) solutions can support this by collecting logs and automating their review.
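The kind of automated review the provision calls for can be illustrated with a small script. The following is an added example, not code from the HHS newsletter or any product: it reviews constructed log lines in an assumed pipe-delimited format (timestamp|host|user|event|detail) and flags two well-known ransomware precursors, a burst of file renames by one user within a short window (the pattern mass encryption produces) and process launches that delete Volume Shadow Copies or disable recovery. The thresholds, the log format, and the host and user names are all assumptions made for the example.

```python
"""Added example: review activity-log lines for ransomware precursors.

Illustrative only; not from the HHS newsletter or any product. The log format
(timestamp|host|user|event|detail), the thresholds, and all names are
assumptions chosen for the example. A real review would pull the same events
from a SIEM or native audit logs.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds: this many renames by one user inside this window is a burst.
RENAME_BURST_COUNT = 5
RENAME_BURST_WINDOW = timedelta(seconds=10)

# Command fragments commonly run before encryption to destroy local recovery
# options. Matching is done after lowercasing, removing ".exe" and collapsing
# whitespace, so "VSSADMIN.EXE  Delete Shadows" still matches.
SUSPICIOUS_COMMANDS = (
    "vssadmin delete shadows",
    "wbadmin delete catalog",
    "wmic shadowcopy delete",
    "bcdedit /set {default} recoveryenabled no",
)

# Constructed sample log (not real data). jdoe renames six files in four
# seconds and then deletes shadow copies; asmith performs one normal rename.
SAMPLE_LOG = r"""
2019-11-04T02:14:03|ws-117|jdoe|FILE_RENAME|\\fs01\ehr\notes\patient_0001.docx -> patient_0001.docx.locked
2019-11-04T02:14:03|ws-117|jdoe|FILE_RENAME|\\fs01\ehr\notes\patient_0002.docx -> patient_0002.docx.locked
2019-11-04T02:14:04|ws-117|jdoe|FILE_RENAME|\\fs01\ehr\notes\patient_0003.docx -> patient_0003.docx.locked
2019-11-04T02:14:05|ws-117|jdoe|FILE_RENAME|\\fs01\ehr\notes\patient_0004.docx -> patient_0004.docx.locked
2019-11-04T02:14:06|ws-117|jdoe|FILE_RENAME|\\fs01\ehr\notes\patient_0005.docx -> patient_0005.docx.locked
2019-11-04T02:14:07|ws-117|jdoe|FILE_RENAME|\\fs01\ehr\notes\patient_0006.docx -> patient_0006.docx.locked
2019-11-04T02:14:09|ws-117|jdoe|PROCESS_CREATE|C:\Windows\System32\vssadmin.exe delete shadows /all /quiet
2019-11-04T08:01:00|ws-042|asmith|FILE_RENAME|\\fs01\billing\q3.xlsx -> q3_final.xlsx
2019-11-03T23:59:58|dc01|svc_backup|LOGON_FAILURE|workstation=ws-117
"""


def parse_line(line):
    """Split one pipe-delimited record into a dict; detail may itself contain '|'."""
    ts, host, user, event, detail = line.split("|", 4)
    return {"ts": datetime.fromisoformat(ts), "host": host,
            "user": user, "event": event, "detail": detail}


def normalize_command(cmd):
    """Lowercase, drop path and '.exe' from the executable, collapse whitespace."""
    cmd = cmd.lower()
    cmd = re.sub(r"^(?:[a-z]:)?(?:[^\s\\/]*[\\/])+", "", cmd)  # strip leading path
    cmd = re.sub(r"\.exe\b", "", cmd)
    return " ".join(cmd.split())


def review(log_text):
    """Return a list of (finding, user, host, detail) tuples for the given log."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    events.sort(key=lambda e: e["ts"])  # logs rarely arrive in order
    findings = []
    recent_renames = defaultdict(deque)  # user -> timestamps inside the window
    burst_reported = set()

    for e in events:
        if e["event"] == "FILE_RENAME":
            window = recent_renames[e["user"]]
            window.append(e["ts"])
            while window and e["ts"] - window[0] > RENAME_BURST_WINDOW:
                window.popleft()
            if len(window) >= RENAME_BURST_COUNT and e["user"] not in burst_reported:
                burst_reported.add(e["user"])  # report each user's burst once
                findings.append(("rename_burst", e["user"], e["host"],
                                 f"{len(window)} renames within "
                                 f"{int(RENAME_BURST_WINDOW.total_seconds())}s"))
        elif e["event"] == "PROCESS_CREATE":
            cmd = normalize_command(e["detail"])
            if any(fragment in cmd for fragment in SUSPICIOUS_COMMANDS):
                findings.append(("recovery_tampering", e["user"], e["host"], e["detail"]))
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(" | ".join(finding))
```

Running the block against the constructed log reports a rename burst and a recovery-tampering finding, both for jdoe on ws-117, and nothing for the single legitimate rename or the unrelated logon failure. In practice the same two rules would be expressed as SIEM correlation searches over file-server audit events and process-creation events (Windows Security event 4688 or Sysmon event 1), and the window and count would be tuned to the organization's normal file activity.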

Security Awareness and Training (45 C.F.R. §164.308(a)(5))

Phishing attacks target employees, so regular security awareness training is essential. Training helps staff recognize phishing emails and malspam and respond correctly by reporting them to the IT security team.

Security Incident Procedures (45 C.F.R. §164.308(a)(6))

A rapid response can greatly limit the damage a ransomware attack causes. Organizations must have written policies and procedures, communicated to all workforce members, so that everyone knows how to respond during an attack, and those procedures must be tested to confirm they work when a security incident actually occurs.

Contingency Plan (45 C.F.R. §164.308(a)(7))

A contingency plan is needed to ensure continuity of critical services and recovery of ePHI following a ransomware attack. That means all ePHI must be backed up, and covered entities must test those backups to confirm that data can actually be recovered. Threat actors deliberately target backup systems to make recovery without paying harder, so at least one backup copy must be stored securely on a non-networked device or at a remote location.
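Testing a backup means more than confirming that the backup job finished; it means restoring the data and checking that every file came back intact. The following is an added example, not code from the HHS newsletter: it builds a SHA-256 manifest of a (constructed) ePHI directory at backup time and, after a simulated restore into a scratch location, reports which files are intact, which were altered, and which are missing. The directory layout, file contents, and the two simulated failures are assumptions made for the example; the manifest is meant to be kept with the offline copy so that a restore can be verified even if the primary systems are encrypted.

```python
"""Added example: verify a restore against a manifest captured at backup time.

Illustrative only; not from the HHS newsletter or any backup product. The
directory layout and file contents are constructed, and the two failure modes
(one altered file, one missing file) are simulated deliberately.
"""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large ePHI exports do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root):
    """Map every file under root (relative, '/'-separated) to its SHA-256."""
    root = Path(root)
    return {
        str(path.relative_to(root)).replace(os.sep, "/"): sha256_file(path)
        for path in sorted(root.rglob("*"))
        if path.is_file()
    }


def verify_restore(manifest, restored_root):
    """Compare a restored tree to the manifest; report ok, altered and missing files."""
    restored_root = Path(restored_root)
    report = {"ok": [], "altered": [], "missing": []}
    for rel_path, expected in manifest.items():
        candidate = restored_root / rel_path
        if not candidate.is_file():
            report["missing"].append(rel_path)
        elif sha256_file(candidate) != expected:
            report["altered"].append(rel_path)
        else:
            report["ok"].append(rel_path)
    return report


def restore_test():
    """Build a constructed ePHI tree, 'back it up', restore it, and verify.

    Returns the verification report. Two failures are injected on purpose:
    one record is overwritten (as a ransomware-encrypted file would be) and
    one file is removed, to show what a real restore test must be able to catch.
    """
    with tempfile.TemporaryDirectory() as tmp:
        source = Path(tmp, "ehr")
        (source / "notes").mkdir(parents=True)
        (source / "notes" / "patient_0001.txt").write_text("constructed sample record 1\n")
        (source / "notes" / "patient_0002.txt").write_text("constructed sample record 2\n")
        (source / "index.csv").write_text("id,file\n1,notes/patient_0001.txt\n2,notes/patient_0002.txt\n")

        manifest = build_manifest(source)  # captured at backup time, kept offline

        restored = Path(tmp, "restore")
        shutil.copytree(source, restored)  # stands in for restoring from backup

        (restored / "notes" / "patient_0002.txt").write_text("ENCRYPTED\n")  # altered
        (restored / "index.csv").unlink()  # missing
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    for status, files in restore_test().items():
        print(f"{status}: {files}")
```

The same two functions can be pointed at a real restore: build_manifest runs against the live data when the backup is taken, and verify_restore runs against the restored copy during the periodic restore test. Any entry in "altered" or "missing" means the backup cannot be relied on for recovery and the contingency plan needs attention before an incident, not during one.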