Montefiore Medical Center Employee Terminated and Belden Class Action Lawsuit

Montefiore Medical Center has discovered that yet another employee accessed patient data without a legitimate work reason.

The New York hospital previously reported in 2020 that one employee had viewed health records without authorization for five months in 2020, and that a different employee had accessed the protected health information (PHI) of roughly 4,000 patients between January 2018 and July 2020.

The latest case involves an employee who viewed patient records without authorization for more than a year. The access was detected by Montefiore’s FairWarning software, which monitors audit logs of medical record access for improper activity.

On discovering the unauthorized access, the medical center suspended the employee pending an investigation. A review of access logs showed that the employee had viewed records without a legitimate work reason from January 2020 to February 2021.
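The kind of check an access-monitoring tool runs over EHR audit logs, shown here as an added example (it is not FairWarning’s logic and uses no Montefiore data): each access is compared against the patient encounters the user is assigned to, anything outside that relationship is flagged, and the flagged entries are summarized per user so that a one-off lookup can be told apart from a user who keeps opening unrelated charts for months. The log layout, the encounter table, the 30-day grace window and all sample records are constructed for the example.

```python
"""
Detecting EHR record access that has no documented care relationship.

Added illustration, not FairWarning's logic or Montefiore's data. The audit
log layout, the encounter table and the 30-day grace window are assumptions
made for this example; every record below is constructed.
"""
from datetime import date, timedelta

# Constructed audit log entries: (user_id, patient_mrn, access_date, action).
ACCESS_LOG = [
    ("u101", "MRN-0001", date(2020, 1, 6), "view"),   # during an open encounter
    ("u101", "MRN-0001", date(2020, 2, 20), "view"),  # 43 days after it closed
    ("u101", "MRN-0002", date(2020, 3, 3), "view"),
    ("u202", "MRN-0003", date(2020, 1, 14), "view"),  # u202 is assigned to nobody
    ("u202", "MRN-0004", date(2020, 6, 30), "view"),
    ("u202", "MRN-0005", date(2021, 2, 2), "print"),
    ("u303", "MRN-0003", date(2020, 1, 14), "view"),
]

# Constructed encounter table: (patient_mrn, user_id, start, end). A user has a
# legitimate relationship with a patient while an encounter they are assigned
# to is open, plus a grace window on either side for preparation and follow-up.
ENCOUNTERS = [
    ("MRN-0001", "u101", date(2020, 1, 5), date(2020, 1, 8)),
    ("MRN-0002", "u101", date(2020, 3, 2), date(2020, 3, 4)),
    ("MRN-0003", "u303", date(2020, 1, 13), date(2020, 1, 15)),
]

GRACE = timedelta(days=30)  # assumed follow-up window; tune to local workflow


def has_relationship(user, mrn, when, encounters=ENCOUNTERS, grace=GRACE):
    """True if `user` was assigned to an encounter for `mrn` around `when`."""
    return any(
        p == mrn and u == user and start - grace <= when <= end + grace
        for p, u, start, end in encounters
    )


def find_unjustified_access(log=ACCESS_LOG, encounters=ENCOUNTERS, grace=GRACE):
    """Return the log entries that no encounter supports."""
    return [
        entry for entry in log
        if not has_relationship(entry[0], entry[1], entry[2], encounters, grace)
    ]


def summarize_by_user(flagged):
    """Per user: distinct patients touched and the span of unjustified access."""
    summary = {}
    for user, mrn, when, _action in flagged:
        s = summary.setdefault(user, {"patients": set(), "first": when, "last": when})
        s["patients"].add(mrn)
        s["first"] = min(s["first"], when)
        s["last"] = max(s["last"], when)
    return {
        user: {
            "patients": len(s["patients"]),
            "first": s["first"],
            "last": s["last"],
            "days": (s["last"] - s["first"]).days,
        }
        for user, s in summary.items()
    }


def users_to_review(summary, min_patients=3):
    """Users whose unjustified access touched at least `min_patients` patients.

    A single out-of-window lookup (u101 above) is usually noise; a user who
    keeps opening unrelated charts across many months is the pattern that
    warrants a formal access review.
    """
    return sorted(u for u, s in summary.items() if s["patients"] >= min_patients)


if __name__ == "__main__":
    report = summarize_by_user(find_unjustified_access())
    for user in users_to_review(report):
        s = report[user]
        print(f"{user}: {s['patients']} patients, {s['first']} to {s['last']} ({s['days']} days)")
```

The relationship table is the part that matters: without a source of truth for who is supposed to be treating whom, an audit log can only show that records were opened, not that they should not have been. Real deployments also account for emergency (“break the glass”) access and shared-department coverage; those are left out here to keep the check readable.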

The data accessed varied from patient to patient and included first and last names, addresses, email addresses, dates of birth, medical record numbers, and the last four digits of Social Security numbers. Montefiore found no evidence that financial data or clinical information was accessed.

The unauthorized access violates Montefiore’s policies and HIPAA. The medical center terminated the employee and referred the matter to law enforcement for possible criminal prosecution.

Class Action Lawsuit Against Belden Over November 2020 Data Breach

Belden, a U.S. networking equipment vendor, is facing a class-action lawsuit over a November 12, 2020 data breach that compromised the personal data of current and former employees. Hackers gained access to a limited number of file servers and copied information about employees and some business partners.

The breach was recently reported to the HHS’ Office for Civil Rights as affecting the PHI of 6,348 people. The stolen information included names, Social Security numbers, financial account numbers, tax identification numbers, home addresses, email addresses, dates of birth, and other employment-related data. Belden disclosed the breach on November 24, 2020 and began notifying affected individuals on December 14, 2020.

The lawsuit, Edke v. Belden Inc., claims the plaintiff and class members were harmed by the breach and had to wait several weeks before being told that their personal data had been stolen. They assert that the breach has placed them at “considerable risk of identity theft and different types of personal, financial and social hurt.” The lawsuit alleges that Belden was careless and negligent, and that its security failures allowed the personal data to be stolen.

HHS OIG Rated the HHS Information Security Program as ‘Not Effective’

The Department of Health and Human Services Office of Inspector General (HHS OIG) has published the results of its annual assessment of HHS information security programs and practices, conducted as required by the Federal Information Security Modernization Act of 2014 (FISMA). The assessment found that the HHS information security program has not yet reached the level of maturity required to be rated effective.

The independent review was performed on behalf of HHS OIG by Ernst & Young (EY) to determine compliance with the FISMA reporting metrics and to evaluate whether the HHS’ overall security program met the required information security standards.

HHS was evaluated against the Identify, Protect, Detect, Respond, and Recover functions of the NIST Cybersecurity Framework across the FISMA domains: risk management, identity and access management, configuration management, data protection and privacy, information security continuous monitoring (ISCM), security training, contingency planning, and incident response.

The IG FISMA metrics define five maturity levels:

  • Level 1 (Ad Hoc)
  • Level 2 (Defined)
  • Level 3 (Consistently Implemented)
  • Level 4 (Managed and Measurable)
  • Level 5 (Optimized)

A program must reach Level 4 (Managed and Measurable) to be rated effective.

As of September 30, 2020, HHS had improved on the previous audit and had made a number of changes to strengthen the maturity of its enterprise-wide cybersecurity program. Improvements were noted across all FISMA domains, including greater maturity in data protection and privacy and in information security continuous monitoring.

Nevertheless, HHS was rated “not effective” because it failed to reach Level 4 maturity in at least one of the five functions: Identify, Protect, Detect, Respond, and Recover. The review found weaknesses in the Identify, Protect, and Respond functions, and for some FISMA metric questions the maturity level was below Consistently Implemented, both HHS-wide and at selected operating divisions (OpDivs) for contingency planning.

HHS was rated Defined (Level 2) on 17 FISMA metrics and Consistently Implemented (Level 3) on 42 FISMA metrics, but did not reach Managed and Measurable (Level 4) on at least one of the IG FISMA metrics. No FISMA metric rating changed from the FY2019 audit, although the review noted progress on a number of individual IG FISMA metrics, such as the consistent implementation of data exfiltration controls, ongoing Authorization to Operate (ATO) monitoring, and configuration management controls. Progress in other areas was held back by inadequate information security continuous monitoring across the HHS operating divisions, which is needed to provide reliable information for risk management decisions.

The review made 13 recommendations to strengthen the HHS’ enterprise-wide cybersecurity program. HHS concurred with 11 of the 13.

GetApp Recognized TigerConnect as Leader in Telemedicine Software

TigerConnect, a leading provider of HIPAA-compliant clinical communication and collaboration solutions for the healthcare industry, has been named a category leader in the 2021 GetApp software rankings.

GetApp conducts an annual analysis of a large selection of technology products to identify the best products on the market and help small- and medium-sized businesses (SMBs) choose the software that best fits their needs. The Gartner company has been evaluating business software for the past decade to help SMBs make sound decisions about software that can solve their problems, improve productivity and performance, and accelerate growth.

Each product is evaluated in five areas based on ratings from verified users. The highest-rated products are designated Leaders in their categories. Users rate products on ease of use, value for money, functionality, customer support, and the likelihood of recommending the product to friends, colleagues, and other companies.

This year, the TigerConnect communication and collaboration solution was named a category leader for telemedicine software in North America. 95% of TigerConnect users rated the product excellent or very good, and 100% said they would recommend it to a colleague or friend.

Customers praised the solution and rated it highly in all five categories, reporting significant benefits from the product while finding it easy to use.

TigerConnect founder and CEO Brad Brooks said it was an honor to be recognized as a top choice for telemedicine software. He thanked the company’s customers, community, and development team, without whom this would not have been possible, and thanked customers for the trust they have placed in the company.

Massachusetts Mental Health Clinic Pays $65,000 to Settle HIPAA Right of Access Case

Arbour Hospital, a Boston, MA-based mental health facility, has settled a HIPAA Right of Access investigation with the HHS’ Office for Civil Rights (OCR) and paid a $65,000 penalty.

OCR received a complaint about a potential HIPAA Right of Access violation on July 5, 2019. An Arbour Hospital patient stated that he had requested a copy of his medical records from the hospital on May 7, 2019 but had not received them two months later.

When a healthcare provider receives a request from an individual exercising their HIPAA Privacy Rule right to obtain a copy of their health records, it must provide the records without unreasonable delay and no later than 30 days after receiving the request. A one-time extension of up to 30 additional days is permitted if the provider cannot act within that period, but the requester must be notified in writing within the initial 30 days of the reasons for the delay and the date by which the records will be provided.

OCR contacted Arbour Hospital and provided technical assistance on the HIPAA Right of Access on July 22, 2019, and closed the complaint. The patient filed a second complaint with OCR on July 28, 2019 because he still had not received his records. The records were finally provided on November 1, 2019, nearly six months after the written request was submitted and more than three months after OCR’s technical assistance.

OCR determined that the failure to respond promptly to a signed, written request for medical records violated the HIPAA Right of Access (45 C.F.R. § 164.524(b)). In addition to the financial penalty, Arbour Hospital must follow a corrective action plan that includes implementing policies and procedures on patient record access and training its workforce. Arbour Hospital will also be monitored by OCR for one year for compliance.

Health care providers have a duty to give patients prompt access to their own health records, and OCR will hold providers accountable for this requirement so that patients can exercise their rights and obtain the health information they need to be active participants in their health care, said Acting OCR Director Robinsue Frohboese.

The HIPAA Right of Access enforcement initiative was launched at the end of 2019 to ensure that patients receive timely access to their medical records at a reasonable cost. This is the seventeenth financial penalty imposed by OCR under the initiative and the fourth HIPAA Right of Access settlement announced in 2021.

Hospice CEO Pleads Guilty to Submitting False Healthcare Claims and Improper Medical Record Access

The former CEO of Novus and Optimum Health Services, which operated two hospices in Texas, has pleaded guilty in a fraud case that cost Medicare and Medicaid tens of millions of dollars through false healthcare claims.

Acting U.S. Attorney Prerak Shah for the Northern District of Texas recently announced that Bradley Harris, 39, pleaded guilty to conspiracy to commit healthcare fraud and is awaiting sentencing.

Beyond defrauding federal healthcare programs, Harris’s actions deprived vulnerable patients of the care they needed, led to pain medication being prescribed without physician input, and left terminally ill patients unexamined.

Harris admitted billing Medicare and Medicaid from 2012 to 2016 for hospice services that were not provided, were not ordered by a physician, or were given to people who were not eligible for hospice care. He also admitted using blank, pre-signed controlled substance prescriptions and dispensing medications without any physician involvement.

Harris paid two co-conspirators, Dr. Laila Hirjee and Dr. Mark Gibbs, $150 for each fraudulent order they signed; they routinely certified patients as terminally ill with a life expectancy of six months or less, the hospice eligibility threshold, without performing any assessment. Dr. Gibbs, Dr. Hirjee, and a third physician, Dr. Charles Leach, also supplied blank, pre-signed prescriptions for controlled substances, which allowed Harris to order Schedule II controlled substances for Medicare and Medicaid beneficiaries in the hospice without any physician consultation.

Harris also violated the Health Insurance Portability and Accountability Act (HIPAA) Rules by accessing patients’ healthcare records to identify people who could be contacted and offered Novus hospice services. In the summer of 2014, Harris negotiated an agreement with Express Medical that gave him access to the healthcare records of potential patients in exchange for using the company for lab services and home health visits. Harris’s wife and other hospice personnel then contacted former Express Medical patients to recruit them, regardless of whether they actually qualified for hospice care. Bringing in new patients let Harris avoid exceeding Medicare’s aggregate hospice cap.

The HHS’ Centers for Medicare and Medicaid Services received several reports of potential fraud and suspended Novus; Harris then moved patients from Novus to another hospice organization, which funneled the hospice reimbursements back to Novus. Dr. Gibbs served as the new hospice organization’s medical director.

Harris is scheduled to be sentenced on August 3, 2021 and faces around 14 years in prison. Dr. Gibbs, Dr. Hirjee, and two other co-conspirators are scheduled for trial on April 5, 2021. Ten co-defendants have pleaded guilty and are awaiting sentencing for their roles in the fraud. Dr. Charles Leach pleaded guilty in 2018 to one count of conspiracy to commit healthcare fraud for his role in the $60 million scheme. According to court filings, the blank prescriptions Dr. Leach signed were used to obtain controlled substances, which nurses then administered to patients in high doses to hasten their deaths.

The Justice Department will not allow unscrupulous business owners to interfere with the practice of medicine. It is determined to root out healthcare fraud and will work tirelessly with state and federal partners to hold those who commit healthcare fraud accountable and to obtain justice for the people harmed by these schemes, said FBI Dallas Special Agent in Charge Matthew DeSarno.

2019 American Medical Collection Agency Data Breach Investigation Ends in Multistate Settlement

A coalition of 41 state Attorneys General has agreed to settle its investigation of the 2019 data breach at Retrieval-Masters Creditors Bureau, dba American Medical Collection Agency (AMCA), in which the protected health information (PHI) of about 21 million U.S. citizens was stolen.

Retrieval-Masters Creditors Bureau is a debt collection agency. Its AMCA arm provides small-balance debt collection services to healthcare clients such as laboratories and medical testing centers.

Between August 1, 2018 and March 30, 2019, an unauthorized person had access to AMCA’s systems and exfiltrated sensitive information including names, personal data, Social Security numbers, payment card details and, for some individuals, medical test data and diagnostic codes. The AMCA breach was the largest healthcare data breach reported in 2019.

AMCA began notifying states of the breach on June 3, 2019, and people affected by the breach were offered two years of free credit monitoring services. Because of the enormous cost of breach remediation, AMCA filed for bankruptcy protection in June 2019.

The Indiana, Connecticut, New York, and Texas Attorneys General led the multistate investigation of the AMCA breach. The Texas and Indiana AGs also took part in the bankruptcy proceedings to ensure that the investigation continued and that the personal data and PHI of breach victims were protected. AMCA obtained authorization from the bankruptcy court to negotiate the multistate action and sought dismissal of the bankruptcy case on December 9, 2020.

The multistate investigation confirmed that information security deficiencies contributed to the breach, and that AMCA failed to detect the attack despite receiving notices from banks that processed AMCA payments about fraudulent use of payment cards.

Under the settlement, AMCA must create and maintain an information security program, create an incident response plan, hire a qualified chief information security officer (CISO), engage a third-party assessor to conduct an information security assessment, and continue to assist the state attorneys general with their data breach investigations.

The settlement also imposes a $21 million financial penalty, to be divided pro rata among the participating states; however, because of the company’s financial condition, the penalty was suspended. It becomes payable only if AMCA fails to comply with the terms of the settlement agreement.

When a business does not invest adequately in information security, a data breach can be costly enough to drive it into bankruptcy, ruining the business and harming the affected people. AMCA’s security failures allowed unauthorized access to the data of 21 million Americans. State attorneys general are committed to protecting their residents’ personal information and to holding companies accountable when they fail to protect it. The AMCA settlement ensures that the company implements the security program and incident response plan needed to prevent such a failure from happening again.

Connecticut, Indiana, Texas, and New York led the investigation, with assistance from Florida, Illinois, Massachusetts, Maryland, Michigan, Tennessee, and North Carolina. The Attorneys General of Arizona, Arkansas, the District of Columbia, Colorado, Georgia, Hawaii, Iowa, Idaho, Louisiana, Kansas, Kentucky, Maine, Missouri, Minnesota, Nebraska, New Hampshire, Nevada, New Jersey, New Mexico, Oklahoma, Ohio, Oregon, Pennsylvania, South Carolina, Rhode Island, Utah, Virginia, Vermont, West Virginia, and Washington also joined the settlement.

45-Day Extension of Comment Period on Proposed HIPAA Privacy Rule Changes Announced

Changes to the HIPAA Rules are infrequent, so when an update is proposed it tends to bundle a variety of new standards and revisions to existing provisions. Before any update is made, a request for information (RFI) is issued so that HHS can obtain feedback on areas of the HIPAA Rules that are causing problems and areas that need improvement.

After the RFI, HHS issues a notice of proposed rulemaking, which is followed by a comment period. During the comment period, industry stakeholders, as well as patients and their families, have a final opportunity to give their views on the proposed changes before they are finalized.

Following the RFI from the HHS’ Office for Civil Rights, a Notice of Proposed Rulemaking was published on December 10, 2020. The standard 60-day comment period ran from January 21, 2021, the date the proposed rule was published in the Federal Register, and was due to end on March 22, 2021.

Because the proposed changes to the HIPAA Privacy Rule will affect almost everyone in the healthcare sector, HHS has decided to extend the comment period.

The proposed Privacy Rule changes include strengthening patients’ rights to access their own health records, changes to support greater family and caregiver involvement in the care of individuals during health and emergency crises, changes to allow more flexibility for disclosures in emergency situations, updates to reduce the administrative burden on healthcare organizations, and changes to improve information sharing for care coordination and case management.

The HHS’ Office for Civil Rights is asking all stakeholders to review the proposed changes and submit comments. All feedback received will be considered and used to shape the final rule, which is expected to be released in late 2021 or early 2022.

OCR expects a high level of public interest in commenting on the proposals, since the HIPAA Privacy Rule affects almost everyone who uses the healthcare system. With the comment period extended by 45 days to May 6, 2021, the public has more time to review the proposals and submit feedback to shape future policy.

You can find the HIPAA Privacy Rule Proposed Modifications on this page.

Two Employees Dismissed for Impermissible Disclosures of PHI to Third Parties

Humana has learned that an employee of a subcontractor of one of its business associates impermissibly disclosed the protected health information (PHI) of around 65,000 members to a third party for training purposes.

Humana had contracted Cotiviti to provide medical record management services, and Cotiviti engaged a subcontractor to review the requested health records. Under HIPAA, subcontractors used by business associates must also comply with the HIPAA Rules.

The privacy violations occurred between October 12, 2020 and December 16, 2020. Cotiviti notified Humana of the HIPAA violation on December 22, 2020. Cotiviti and Humana worked together to ensure that safeguards are in place to prevent similar privacy breaches, and that those safeguards are also in place at any subcontractors Cotiviti engages. The individual who disclosed the information is no longer employed by the subcontractor.

The records involved included member names, phone numbers, dates of birth, addresses, email addresses, full or partial Social Security numbers, insurance identification numbers, provider names, medical record numbers, dates of service, treatment information, and medical images.

Although the disclosures were not made for malicious reasons and the PHI is not believed to have been further exposed, Humana is offering affected members two years of free credit monitoring and identity theft protection services.

UPMC St. Margaret Dismisses Employee for Impermissible Disclosure of PHI

UPMC St. Margaret has learned that an employee impermissibly disclosed the protected health information of some of its patients to a third-party provider without authorization.

In August 2020, UPMC St. Margaret learned that an outside organization had received a medication administration report without any legitimate work purpose. The report included names, UPMC ID numbers, and medication administration data such as drug name, dose, date and time of administration, and the reason for the medication.

After discovering the impermissible disclosure, UPMC terminated the employee’s access to UPMC systems and, once the investigation was complete, terminated their employment. UPMC notified the affected individuals of the privacy breach on March 5, 2021. No reason was given for the delay in issuing notifications.

Whistleblower Who Falsely Accused a Nurse of Violating HIPAA Sentenced to 6 Months in Jail

A Georgia man who falsely accused a former colleague of violating patient privacy and the HIPAA Rules has been fined $1,200 and sentenced to six months in jail.

In October 2019, Jeffrey Parker, a 44-year-old resident of Rincon, GA, posed as a HIPAA whistleblower and reported to the authorities a major privacy violation allegedly committed by a nurse at a Savannah, GA hospital, which involved emailing graphic images of hospital patients with traumatic injuries to people inside and outside the hospital.

According to court documents, Parker carried out an elaborate scheme to frame a former colleague for violating the Privacy Rule of the federal Health Insurance Portability and Accountability Act. To support the false claims, Parker created several email accounts in the names of real patients and used them to submit false allegations of privacy violations. Copies of the emails were sent to the hospital where the nurse worked, the Department of Justice (DOJ), and the Federal Bureau of Investigation (FBI).

Parker also claimed he had received threats for being a whistleblower, and law enforcement took steps to ensure his safety. When questioned about the threats and the HIPAA violations, an FBI agent noticed inconsistencies in his statements, and under further questioning Parker admitted that he had falsely accused his former colleague and fabricated the HIPAA violations.

When Parker was charged, U.S. Attorney Bobby L. Christine said that falsely accusing others of criminal activity is unlawful and ties up justice system staff in needless investigations. The bogus complaint prompted federal investigators to divert resources and caused unnecessary disruption for a vital healthcare organization in the community.

Parker pleaded guilty to one count of making false statements, which carries a maximum sentence of five years in prison. U.S. District Court Judge Lisa Godbey Wood sentenced Parker to six months in jail.

Special Agent in Charge Chris Hacker of FBI Atlanta said that many investigative hours and resources were spent establishing that Parker’s whistleblower claims were fraudulent and intended to harm another person. His elaborate scheme was uncovered by a perceptive FBI agent before he could cause further harm, and he will now serve time for his premeditated crime.

Parker is not eligible for parole and will serve the full term, followed by three years of supervised release.

HHS Secretary Declares Limited HIPAA Waiver in Texas Because of the Winter Storm

Following President Joseph R. Biden’s emergency declaration for the State of Texas, Acting Secretary Norris Cochran of the Department of Health and Human Services declared a public health emergency because of the impact of the winter storm in Texas.

Under Section 1135(b)(7) of the Social Security Act, the HHS Secretary issued a limited waiver of sanctions and penalties that could otherwise result from non-compliance with certain provisions of the HIPAA Privacy Rule.

For the duration of the waiver, sanctions and penalties will not be imposed for non-compliance with the following HIPAA Privacy Rule provisions:

  • 45 C.F.R. § 164.510(a) – the requirement to honor a patient’s request to opt out of the facility directory;
  • 45 C.F.R. § 164.510(b) – the requirement to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care;
  • 45 C.F.R. § 164.520 – the requirement to distribute a notice of privacy practices;
  • 45 C.F.R. § 164.522(a) – the patient’s right to request privacy restrictions;
  • 45 C.F.R. § 164.522(b) – the patient’s right to request confidential communications.

The waiver took effect on February 19, 2021 and is retroactive to February 11, 2021.

The waiver applies only to hospitals in the area covered by the public health emergency declaration that had implemented their disaster protocols at the time the waiver took effect, and it lasts for up to 72 hours from the time a hospital implements its disaster protocol.

Once the Presidential or Secretarial declaration ends, hospitals must again comply with the Privacy Rule provisions listed above or face sanctions and penalties. This applies to patients still in the hospital’s care, even if the 72-hour period has not yet elapsed.

More information on the HIPAA waiver and on HIPAA privacy and disclosures in emergency situations is available in the HHS HIPAA Bulletin.

$75,000 Penalty Paid by Renown Health for its HIPAA Right of Access Violation

The Department of Health and Human Services’ Office for Civil Rights (OCR) is pressing ahead with its initiative to end non-compliance with the HIPAA Right of Access, announcing its fifteenth settlement under the Right of Access enforcement initiative.

Renown Health, a non-profit healthcare network in Northern Nevada, has agreed to pay a $75,000 financial penalty to OCR to resolve a potential violation of the HIPAA Right of Access.

OCR began investigating Renown Health after a patient complained that she had not received an electronic copy of her protected health information (PHI). In January 2019, the patient asked Renown Health to send her medical and billing records to her attorney. When no records had been received after more than a month, she complained to OCR. Renown Health did not provide the requested records until December 27, 2019, nearly a year after the initial request.

Under the HIPAA Privacy Rule (45 C.F.R. § 164.524), requested records must be provided within 30 days of receipt of the request. OCR determined that Renown Health violated the Privacy Rule by taking far too long to provide the requested information.

In addition to paying the financial penalty, Renown Health must adopt a corrective action plan. It must develop, maintain, and revise as necessary written policies and procedures to ensure compliance with the HIPAA Right of Access, train its workforce on those policies and procedures, and apply a sanctions policy to workforce members who fail to follow them. OCR will monitor Renown Health for two years for compliance with the HIPAA Right of Access.

Access to health records is a fundamental HIPAA right, and healthcare organizations are legally obliged to give patients prompt access to their medical records.

This settlement is the third announced by OCR in 2021. The first two involved Banner Health, which paid $200,000 to settle a HIPAA Right of Access case, and Excellus Health Plan, which paid $5,100,000 to settle multiple HIPAA violations related to a 2015 data breach affecting 9,358,891 individuals.

Sharp HealthCare Pays $70,000 Penalty to Settle its HIPAA Right of Access Violation

The HHS’ Office for Civil Rights (OCR) has announced that Sharp HealthCare has agreed to pay $70,000 to settle a case in which it failed to give a patient timely access to his health records. This is the 16th financial penalty issued by OCR under the HIPAA Right of Access enforcement initiative launched in late 2019.

OCR received a complaint from a patient on June 11, 2019 stating that Sharp HealthCare, doing business as Sharp Rees-Stealy Medical Centers (SRMC), had failed to provide him with a copy of his health records within the 30 days required by the HIPAA Privacy Rule.

The patient explained that he had submitted a written request on April 2, 2019 and had still not received the records more than two months later. OCR investigated and provided SRMC with technical assistance on the HIPAA Right of Access provision of the HIPAA Privacy Rule, including the obligation to send medical records to a third party when a patient requests it. OCR closed the complaint on June 25, 2019.

OCR received a second complaint from the same patient on August 19, 2019 because the records had still not been provided. The complainant finally received the records on October 15, 2019, more than six months after his initial request.

OCR determined that the failure to provide the requested records within the required time frame violated 45 C.F.R. § 164.524 and warranted a financial penalty. Had the provider supplied the records promptly after receiving technical assistance, a penalty might have been avoided.

In addition to the $70,000 penalty, Sharp HealthCare has agreed to a corrective action plan and will be monitored by OCR for compliance for two years. The plan requires Sharp HealthCare to develop, maintain, and update as necessary policies and procedures covering patient requests for copies of their medical information, and to train employees on individuals’ right to access their own PHI.

In a statement concerning the most recent settlement, Acting OCR Director Robinsue Frohboese stated that patients have the right to prompt access to their medical information. OCR designed the Right of Access Initiative to implement and protect this vital right.

Micky Tripathi and Robinsue Frohboese Appointed as Heads of ONC and OCR at the HHS

The Biden administration has chosen Micky Tripathi to serve as National Coordinator for Health IT at the Department of Health and Human Services.

Tripathi will lead the Office of the National Coordinator for Health IT (ONC), which is responsible for coordinating efforts to advance health information technology and make the sharing of health information secure. ONC is currently overseeing work to give Americans immediate access to their health data through their mobile phones and is using the provisions of the 21st Century Cures Act to increase health IT interoperability and curb information blocking.

Tripathi is a seasoned expert in secure health information exchange and understands the interoperability challenges facing the healthcare field. Before joining ONC, Tripathi was chief alliance officer at Arcadia, a healthcare analytics and software company, where he was responsible for building partnerships to improve healthcare through innovative IT.

Tripathi was also a manager at the strategy and management consulting firm Boston Consulting Group (BCG), the first president and CEO of the Indiana Health Information Exchange, and the CEO of the Massachusetts eHealth Collaborative, and served on the boards of Datica, the HL7 FHIR Foundation, the Sequoia Project, the CommonWell Health Alliance and the CARIN Alliance.

Arcadia CEO Sean Carroll said that Micky is a well-known leader in healthcare interoperability with a vision for how timely sharing of the right information can deliver the best healthcare while reducing costs, and that Tripathi is ideally suited for this critical mission. Donald Rucker, M.D. held the position for the past 4 years.

The HHS has also confirmed the appointment of Robinsue Frohboese as Acting Director of the HHS’ Office for Civil Rights, the main enforcer of HIPAA compliance. Frohboese was previously OCR’s principal deputy director and becomes acting director in place of March Bell, who took the position on January 15, 2020 following the resignation of former OCR Director Roger Severino.

Frohboese has had a vital part in many civil rights projects and in OCR’s enforcement of the HIPAA Privacy Rule.

Before becoming OCR’s principal deputy director, Frohboese spent 17 years in the Special Litigation Section of the Civil Rights Division of the U.S. Department of Justice, first as a Senior Trial Attorney and later as Deputy Chief.

Fertility App Provider Sued for Sharing User Data with Chinese Firms Without Permission

A lawsuit has been filed against Easy Healthcare Corp. of Burr Ridge, IL over the alleged sharing of sensitive user data with third-party companies located in China.

Easy Healthcare Corp is the developer of Premom, a popular smartphone fertility app that tracks users’ ovulation cycles to identify the days on which they are most fertile. The lawsuit alleges that a range of sensitive user data was shared with at least three Chinese firms without users’ consent. Because the data is stored on servers in China, the lawsuit claims the sensitive data could potentially be accessed or seized by the Chinese government.

The data sent to the Chinese companies includes sensitive health details, geolocation data, user and advertiser IDs, device activity data, and device hardware identifiers. Because these identifiers are persistent, combining them with the data collected alongside them would allow the recipients to reconstruct app users’ activities.

The identifiers passed to the Chinese companies include Wi-Fi MAC (media access control) addresses, which uniquely identify network interface controllers; router MAC/BSSID addresses, which reveal geographic location; and router SSIDs (Service Set IDs), which identify Wi-Fi networks. The data could also be used to infer users’ interests, health, religion, political views, and other sensitive information.

The lawsuit states user data was shared with Jiguang (Aurora Mobile Ltd), Umeng, and UMSNS, which provide activity analysis, precision marketing, financial risk management, and location-based analysis services to their customers.

According to the lawsuit, Premom’s privacy policy states that it will not share or sell personal data to data brokers, marketing platforms, or data resellers, so the sharing of the data directly violates that policy. Although the privacy policy does state that non-identifiable user data may be collected, users are told that the data will not be shared with third parties without their authorization.

The plaintiff found that her personal data had been disclosed to the three Chinese firms for three years without her knowledge or permission. She claims Easy Healthcare deceived her because she was not told her data would be passed to the Chinese entities. The lawsuit also alleges that Easy Healthcare shared the data for financial gain and misrepresented its data-sharing practices, and that user data is logged every time users unlock or use their phone, even when they are not using the app, in violation of Google Play’s developer policies.

The lawsuit was filed a couple of months after a bipartisan group of senators wrote to the Federal Trade Commission (FTC) asking it to scrutinize the data security and privacy practices of the Premom app, following the discovery of the unauthorized data sharing by the International Digital Accountability Council.

The suit was filed in the U.S. District Court for the Northern District of Illinois, Eastern Division, and seeks class-action status and damages for app users. It also asks that Easy Healthcare be required to stop sharing user data with other organizations without first obtaining authorization from app users. Easy Healthcare has denied any wrongdoing.

Premom is not the only health app found to be sharing user data without obtaining informed consent from users. In January 2021 the FTC settled a data privacy and security case with Flo Health for misrepresenting the privacy practices of its fertility app and sharing user data with a data analytics firm without authorization. Flo Health was ordered to review and revise its privacy policies and obtain users’ consent before sharing their data.

Public Health Emergency Privacy Act Introduced to Ensure the Privacy and Security of COVID-19 Information

On January 28, 2021, Democratic lawmakers introduced the Public Health Emergency Privacy Act to protect the privacy of Americans and ensure that information security measures are in place to safeguard COVID-19-related health information collected for public health purposes.

Sens. Richard Blumenthal, D-Conn., and Mark Warner, D-Va., and U.S. Representatives Suzan DelBene, D-WA, Jan Schakowsky, D-IL, and Anna Eshoo, D-CA, introduced the Public Health Emergency Privacy Act. The Act would establish strong, enforceable privacy and information security rights for health information.

Sen. Blumenthal said that technologies such as contact tracing, home screening, and online appointment scheduling are absolutely vital to stopping the spread of the disease, but Americans are rightly wary about the security of their sensitive health information. Legal protections for consumer privacy have not kept pace with technology, and that is hampering the fight against COVID-19.

The Public Health Emergency Privacy Act would ensure that strict privacy protections are in place so that any health data collected for public health purposes is used only for the public health purpose for which it was collected.

The Act limits the use of data collected for public health reasons to public health purposes, prohibits its use for discriminatory, unrelated, or intrusive purposes, and prevents government agencies outside the public health services from misusing it.

The Act requires data security and data integrity protections for health information, limits the data collected to the minimum necessary to accomplish the purpose for which it is gathered, and requires tech companies to delete the data once the public health emergency has ended.

Americans’ voting rights are protected by prohibiting any condition on the right to vote based on a health condition or the use of contact tracing apps. The Act would also give Americans control over public health efforts by ensuring transparency and requiring opt-in consent, and it requires regular reports on the impact of digital collection tools on civil rights.

The Public Health Emergency Privacy Act would not replace the requirements of the Privacy Act of 1974, HIPAA, or federal and state medical record retention and health data privacy laws.

According to Sen. Warner, strong privacy protections for COVID health data become more important as vaccination efforts continue and companies begin experimenting with things such as ‘immunity passports’ to gate access to facilities and services. Without appropriate health privacy laws, privacy violations and discriminatory use of health data could become commonplace in healthcare and public health.

This is not the first proposal of this kind. An identical bill was introduced in 2020 but did not win the support of Congress.

Employee Terminated by Montefiore Medical Center and Bethesda Hospital for HIPAA Breaches

Baptist Health’s Bethesda Hospital in Boynton Beach, FL has terminated an employee for impermissibly accessing a patient’s protected health information (PHI) and altering a home health order used to provide home care services to a patient.

The hospital discovered the HIPAA breach on December 1, 2020 and conducted an internal investigation, after which the employee involved was dismissed. The hospital has notified law enforcement of the incident.

The investigation revealed that the former employee had also accessed other patient records between June 1, 2019 and December 2, 2020. The data potentially accessed included names, birth dates, addresses, health insurance details, Social Security numbers, and clinical records.

All affected individuals have been notified and offered free identity theft protection and credit monitoring services. Baptist Health is looking at further ways to protect patients’ PHI and prevent similar breaches in the future.

The incident has not yet been listed on the HHS’ Office for Civil Rights breach portal, so the number of patients affected is currently unknown.

Montefiore Medical Center Terminates Employee for Unauthorized Access of Medical Records

Montefiore Medical Center in New York discovered that an employee accessed patients’ PHI without authorization over a 5-month period in 2020. On learning of the unauthorized access, Montefiore promptly blocked the employee’s access to the electronic medical record system and launched an investigation to determine the extent of the HIPAA violation.

Following the investigation, the medical center terminated the employee and reported the breach to law enforcement for possible criminal prosecution. The information viewed varied from patient to patient and may have included first and last names, birth dates, addresses, medical record numbers, the last four digits of Social Security numbers, and clinical data such as test results, consultation histories, and diagnoses.

No motive has been given for the employee accessing the information, and no evidence has been found that patient data was used for identity theft or fraud. Montefiore Medical Center has notified all affected patients and offered them free identity theft protection services.

This is Montefiore Medical Center’s second incident involving inappropriate access to medical records in the past 5 months. The first, reported in September 2020, involved the theft of approximately 4,000 patients’ PHI by a former employee between January 2018 and July 2020.

HHS Gives $20 Million to Expand COVID-19 Vaccine Information Sharing

The U.S. Department of Health and Human Services has made $20 million available to improve data sharing between health information exchanges (HIEs) and immunization information systems.

The funding comes from the Coronavirus Aid, Relief, and Economic Security Act (CARES Act), which President Trump signed on March 27, 2020, and will support vaccination initiatives to combat the COVID-19 pandemic.

The funds expand the Office of the National Coordinator for Health Information Technology (ONC)’s Strengthening the Technical Advancement and Readiness of Public Health Agencies via Health Information Exchange (STAR HIE) Program and will support communities in sharing health information about COVID-19 vaccinations.

Public health agencies will get additional help to monitor and identify people who have not yet received a second dose of the COVID-19 vaccine, and physicians will be better able to identify and contact high-risk individuals who have not received their first dose.

The investment will be allocated nationwide and used to support communities hit hard by COVID-19. The HHS will also fund the Association of State and Territorial Health Officials (ASTHO) and the Colorado Regional Health Information Organization (CORHIO) to strengthen HIE immunization partnerships.

The CARES Act funds will help doctors access their patients’ records in community immunization registries through their local health information exchanges. Through this collaboration, public health departments and physicians will be better able to deliver immunizations to at-risk patients, understand adverse events, and track long-term health outcomes as more Americans are vaccinated.

The success of vaccination programs depends on correctly identifying patients and making sure they receive two doses of the appropriate vaccine. That means hospitals, pharmacists, and public health authorities need access to patient information and vaccine data. Good data exchange and patient matching can also provide insight into vaccine effectiveness and support monitoring of long-term health outcomes. STAR HIE plans to publish statistics on vaccination outcomes.

There are roughly 100 HIEs in the US, covering about 92% of Americans. There are 63 immunization information systems in the United States: one for each state, 8 in territories, and five in cities. The immunization information systems are funded in part by the Centers for Disease Control and Prevention’s National Center for Immunization and Respiratory Diseases (NCIRD).

OCR to Exercise Enforcement Discretion Concerning the Use of Online or Web-based Scheduling Applications for COVID-19 Vaccination Appointments

The Department of Health and Human Services’ Office for Civil Rights has announced that it will exercise enforcement discretion and will not impose financial penalties on HIPAA-covered entities or business associates for violations of the HIPAA Rules in connection with the good faith use of online or web-based scheduling applications (WBSAs) to schedule individual COVID-19 vaccination appointments.

The notice of enforcement discretion covers the use of WBSAs for the limited purpose of scheduling individual COVID-19 vaccination appointments during the COVID-19 public health emergency. The notice is effective immediately, is retroactive to December 11, 2020, and will remain in effect for the duration of the COVID-19 national public health emergency.

A WBSA is a non-public-facing online or web-based application that allows individual appointments to be scheduled in connection with large-scale COVID-19 vaccination. Its purpose is to allow covered healthcare providers to rapidly schedule large numbers of COVID-19 vaccination appointments.

A WBSA, and the data it creates, receives, maintains, or transmits, should be accessible only to the intended parties, such as the healthcare organization or pharmacy administering the vaccines, an authorized person scheduling appointments, or a WBSA employee who needs access to the solution and/or records to provide technical support.

The notice of enforcement discretion will not apply to an appointment scheduling program that connects directly to electronic health record (EHR) systems.

A WBSA may not meet all requirements of the HIPAA Rules and would therefore not be permitted for use with electronic protected health information (ePHI) under normal circumstances. It is also possible that a WBSA vendor may not be aware that its application is being used by healthcare organizations in connection with ePHI, which would make the vendor a business associate under HIPAA.

While the notice of enforcement discretion is in effect, OCR will not impose penalties on HIPAA covered entities, their business associates, or WBSA vendors that meet the definition of a business associate under the HIPAA Rules for good faith uses of WBSAs to schedule COVID-19 vaccination appointments.

Although penalties will not be imposed, OCR encourages the use of reasonable safeguards to protect individuals’ privacy and the security of ePHI. This means the ePHI collected and entered into the WBSA should be limited to the minimum necessary information, encryption should be used where available, and all available privacy settings should be enabled, including configuring the calendar display to hide names or show only initials. If a vendor stores ePHI, the storage should be temporary and the ePHI should be deleted no later than 30 days after the scheduled appointment. The WBSA vendor should be instructed not to disclose any ePHI in a manner inconsistent with the HIPAA Rules.

OCR recommends these reasonable safeguards, although failing to implement them will not, by itself, mean a covered health care provider or its business associate failed to act in good faith under the notice.
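The three safeguards above that a scheduling application can enforce in code (minimum necessary data, an initials-only calendar display, and deletion of ePHI no later than 30 days after the appointment) are shown below in a small scheduling store. This is an added example, not code from OCR's notice or from any WBSA vendor; the field names, the `Scheduler` API, and the sample bookings are constructed for illustration, and dates are passed as ISO-8601 strings as a web form would submit them.

```python
"""
Added example (not OCR's or any vendor's code): minimum necessary intake,
initials-only calendar rendering, and a 30-day retention purge for a
COVID-19 vaccination scheduling store. Field names and bookings are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Tuple

RETENTION_DAYS = 30        # outer bound OCR suggests for vendor-held ePHI
# Minimum necessary: the only fields a vaccination slot actually needs.
ALLOWED_FIELDS = ("first_name", "last_name", "contact", "appointment")


@dataclass
class Booking:
    first_name: str
    last_name: str
    contact: str           # phone or e-mail used to confirm the slot
    appointment: date


class Scheduler:
    def __init__(self) -> None:
        self._bookings: Dict[str, Booking] = {}
        self._next_id = 1

    def intake(self, form: dict) -> Tuple[str, List[str]]:
        """Store only the allowed fields; report which submitted fields were dropped."""
        missing = [f for f in ALLOWED_FIELDS if f not in form]
        if missing:
            raise ValueError(f"missing required fields: {missing}")
        # Anything beyond the allow-list (e.g. a diagnosis pasted into the form)
        # is never written to storage, only reported back to the caller.
        dropped = sorted(k for k in form if k not in ALLOWED_FIELDS)
        booking_id = f"b{self._next_id}"
        self._next_id += 1
        self._bookings[booking_id] = Booking(
            first_name=form["first_name"],
            last_name=form["last_name"],
            contact=form["contact"],
            appointment=date.fromisoformat(form["appointment"]),
        )
        return booking_id, dropped

    def calendar_view(self, day: str) -> List[str]:
        """Calendar rendering that shows initials instead of names."""
        target = date.fromisoformat(day)
        return sorted(
            f"{b.first_name[:1]}.{b.last_name[:1]}."
            for b in self._bookings.values()
            if b.appointment == target
        )

    def purge(self, today: str) -> List[str]:
        """Delete every booking whose retention window has elapsed; return their ids."""
        now = date.fromisoformat(today)
        expired = [
            bid for bid, b in self._bookings.items()
            if now >= b.appointment + timedelta(days=RETENTION_DAYS)
        ]
        for bid in expired:
            del self._bookings[bid]
        return sorted(expired)

    def count(self) -> int:
        return len(self._bookings)


if __name__ == "__main__":
    s = Scheduler()
    # Constructed intake form; "diagnosis" is not needed for scheduling and is dropped.
    print(s.intake({"first_name": "Jane", "last_name": "Doe", "contact": "555-0100",
                    "appointment": "2021-01-05", "diagnosis": "constructed"}))
    print(s.calendar_view("2021-01-05"))   # ['J.D.']
    print(s.purge("2021-02-04"))           # ['b1']
```

Running `purge` from a daily job is what turns the 30-day figure into an enforced bound rather than a policy statement; the intake allow-list does the same for the minimum necessary standard, since a field that is never stored cannot be exposed later.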

Bad faith uses that are not covered by the notice include:

  • Use of a WBSA whose vendor does not permit its use for managing healthcare services.
  • Use of the WBSA to schedule appointments other than COVID-19 vaccinations.
  • Use of a solution that lacks access controls to restrict access to ePHI to authorized individuals.
  • Screening individuals for COVID-19 before in-person healthcare appointments.
  • Use of public-facing WBSAs.

OCR is using all available means to make the administration of COVID-19 vaccines as efficient and safe as possible for everyone.

Vulnerabilities Discovered in Innokas Yhtymä Oy Vital Signs Monitors

Two medium-severity vulnerabilities have been discovered in Innokas Yhtymä Oy vital signs monitors that could allow attackers to alter communications with downstream devices and disable certain monitor functions. The vulnerabilities affect VC150 patient monitors running software versions earlier than 1.7.15.

Affected patient monitors contain a cross-site scripting (XSS) vulnerability that allows the injection of web script or HTML via the filename parameter to several administrative web interface endpoints. The vulnerability stems from improper neutralization of input during web page generation. It is tracked as CVE-2020-27262 and has been assigned a severity score of 4.6 out of 10.

The second vulnerability, tracked as CVE-2020-27260, stems from improper neutralization of special elements in output used by a downstream component. This HL7 v2.x injection vulnerability allows an attacker with physical proximity and a connected barcode reader to inject HL7 v2.x segments into HL7 v2.x messages via various expected parameters. It has been assigned a severity score of 5.3 out of 10.
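Both weaknesses above are the same defect seen in two output contexts: a value from an untrusted source (a request parameter, a barcode scan) is placed into a structured output (an HTML page, an HL7 v2.x message) without being neutralized for that context. The following added example, which is not code from Innokas Yhtymä Oy, the VC150 firmware, or the advisory, shows a naive construction beside a hardened one for each. The HL7 message layout, the segment contents and the scanned values are constructed for illustration; only the HL7 v2.x default delimiters and their standard escape sequences come from the HL7 v2 specification.

```python
"""
Added example (not Innokas or advisory code): neutralizing untrusted input for
an HL7 v2.x message and for an HTML page, naive and hardened side by side.
Message layout and sample values are constructed.
"""
import html
import re

# HL7 v2.x default encoding characters: field |, component ^, repetition ~,
# escape \, subcomponent &. Segments end with a carriage return, so a CR
# inside a value would start a new segment in the downstream parser.
HL7_ESCAPES = (("\\", "\\E\\"), ("|", "\\F\\"), ("^", "\\S\\"),
               ("~", "\\R\\"), ("&", "\\T\\"))

# A barcode-scanned identifier is expected to be short, printable ASCII.
SCAN_RE = re.compile(r"[\x20-\x7e]{1,64}")


def hl7_escape(value: str) -> str:
    """Encode delimiters so a value cannot split a field or a segment."""
    for raw, enc in HL7_ESCAPES:   # backslash first, so inserted escapes survive
        value = value.replace(raw, enc)
    return value


def scan_is_valid(value: str) -> bool:
    """True only for printable ASCII; CR/LF and other controls are rejected."""
    return SCAN_RE.fullmatch(value) is not None


def validate_scan(value: str) -> str:
    if not scan_is_valid(value):
        raise ValueError("scanned value contains disallowed characters")
    return value


def naive_pid_segment(patient_id: str) -> str:
    # Vulnerable pattern: scanner output concatenated straight into the message.
    return "PID|1||" + patient_id


def safe_pid_segment(patient_id: str) -> str:
    # Hardened: allow-list the scanned value, then encode any HL7 delimiters.
    return "PID|1||" + hl7_escape(validate_scan(patient_id))


def build_message(pid_segment: str) -> str:
    """Assemble a minimal constructed ORU^R01 message around the PID segment."""
    msh = "MSH|^~\\&|MONITOR|WARD1|EHR|HOSP|20210101120000||ORU^R01|MSG0001|P|2.3"
    obx = "OBX|1|NM|HR^Heart Rate||72|bpm"
    return "\r".join([msh, pid_segment, obx]) + "\r"


def segment_count(message: str) -> int:
    """Number of segments a downstream HL7 parser would see."""
    return len([s for s in message.split("\r") if s])


def field_count(segment: str) -> int:
    return len(segment.split("|"))


def render_filename_naive(filename: str) -> str:
    # Vulnerable pattern: a request parameter reflected into HTML unescaped.
    return "<td>" + filename + "</td>"


def render_filename_safe(filename: str) -> str:
    # Hardened: escape on output for the HTML context; output encoding, not
    # input filtering, is what neutralizes the value for the page.
    return "<td>" + html.escape(filename, quote=True) + "</td>"


if __name__ == "__main__":
    scanned = "12345\rNTE|1||constructed extra segment"   # constructed input
    print(segment_count(build_message(naive_pid_segment(scanned))))  # 4, not 3
    print(scan_is_valid(scanned))                                    # False
    print(safe_pid_segment("A|B"))                                   # PID|1||A\F\B
    print(render_filename_safe("<b>x</b>"))
```

The two checks on the HL7 side are deliberately separate: the allow-list stops control characters that no escape sequence should have to handle, and the delimiter escaping protects field boundaries for values that are otherwise legitimate. Either one alone leaves a gap.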

The people credited with the identification of the vulnerabilities were: Julian Suleder, Birk Kauer, and Nils Emmerich of ERNW Research GmbH; and Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH.

Innokas Yhtymä Oy has released a software update to fix the vulnerabilities and advises using only software version 1.7.15b or later. No exploitation of the vulnerabilities in the wild has been reported to date.

The following network best practices are also recommended:

  • Segment networks
  • Use VLANs
  • Isolate patient monitors
  • Implement physical restrictions to prevent the unauthorized access of patient monitors
  • Clinical personnel must report any instances of unauthorized persons trying to sign in or tinker with the patient monitors

New Capabilities Added to CC&C Platform With TigerConnect’s Acquisition of Critical Alert

TigerConnect will add a range of new features to its clinical communication and collaboration (CC&C) platform following its acquisition of Critical Alert, a healthcare middleware provider. This is the second major acquisition in 2020 for Santa Monica, CA-based TigerConnect, which purchased Call Scheduler last fall.

Critical Alert provides hospitals and health systems with cloud-based, mobile, enterprise-grade middleware. Hospitals use the middleware to manage nurse call, alarms and events, clinical workflow analysis, and medical device interoperability. In addition to its middleware solutions, Critical Alert supplies conventional nurse call hardware to over 200 hospitals across North America.

The acquisition will see the suite of middleware products integrated into the TigerConnect platform, adding new functionality and powering a broad range of alert types and alarm management improvements. The integration is expected to be completed in Q1 2021.

Critical Alert middleware works with clinical systems to deliver alarms, events, and values, and provides virtualized nurse call that includes contextual patient information so nurses can decide which requests to prioritize. Centralized response to nurse call notifications and management of workflows and tasks reduce noise and clinical interruptions and improve responsiveness.

Real-time Location System (RTLS) integrations help improve caregiver efficiency, streamline workflows, and allow real-time tracking of staff location and time spent on tasks. These integrations provide insight for resource planning, workflow efficiency, and continuous process improvement efforts.

The integration of Critical Alert with TigerConnect will allow rapid integration with smart bed alerts for effective fall prevention and improved patient safety. When the safe bed configuration is compromised, alerts are delivered immediately to mobile devices so nurses can respond quickly.

Through integration with the TigerFlow care team collaboration solution, notifications are intelligently routed to the appropriate caregivers, reducing unwanted noise and improving performance. The context supplied with these notifications helps nurses prioritize appropriately. Critical Alert also provides advanced analytics that offer insight into patient behavior and help optimize staff workloads.

Integrating Critical Alert middleware into the TigerConnect platform delivers more value to customers and helps relieve the pressure on nurses at a time when nurse burnout is widespread. The gains in efficiency and effectiveness are likely to benefit hospitals, particularly given the current nursing shortage.

The acquisition of Critical Alert is highly strategic and a natural evolution of TigerConnect’s already powerful collaboration platform, according to TigerConnect CEO and co-founder Brad Brooks. For every nurse using TigerConnect, these new capabilities will deliver real-time, contextual data to the mobile device or desktop they already use every day for messaging, so they can work smarter, prioritize actions, and coordinate care effectively from a single platform.

Critical Alert CEO John Elms will join TigerConnect as Chief Product Officer and will play a key role in combining the two companies’ technologies and directing future product development. Critical Alert VP of Sales Wil Lukens will also join TigerConnect as General Manager of Critical Alert’s traditional nurse call hardware division, which will continue to operate as a standalone business unit under the same name.

The merger of the two companies is perfectly timed, according to John Elms. Together, the company will be able to address some of the serious challenges nurses face, such as alarm fatigue, resource optimization and action prioritization.