Lawsuit Fails to Claim Property Insurance Coverage for Ransomware Attack

Cyber insurance policies can help cover the cost of losses from ransomware attacks, but these policies are becoming harder to obtain. Insurers are tightening their requirements for issuing policies, and many are capping the amounts they will underwrite. Premiums are also rising, making coverage unaffordable for many healthcare providers even when it is available. This week brought more bad news for healthcare organizations that cannot obtain cyber insurance: the Ohio Supreme Court has ruled that a ransomware attack does not constitute physical damage, so the resulting losses cannot be claimed under a property insurance policy.

The decision ends a three-year legal battle between the insurer, Owners Insurance Company, and the medical billing software company EMOI. EMOI suffered a ransomware attack in September 2019 and paid the $35,000 ransom to regain access to its files. EMOI also purchased upgrades to its security infrastructure to prevent further attacks. The ransomware group supplied the decryption keys and most of the files were recovered; however, the automated phone call system could not be decrypted and had to be replaced.

EMOI filed a claim under its property insurance policy to recover the losses, but the claim was denied. EMOI then sued Owners, arguing that the policy covered direct physical damage to electronic data and media. Owners maintained that the ransomware attack had no physical component, so it was not covered, and that the policy did not cover losses from ransomware.

In November 2021, an Ohio Court of Appeals ruled in favor of EMOI and allowed a claim that the insurer had acted in bad faith by failing to fully consider the types of damage that can occur to media such as computer software; however, all seven justices of the Ohio Supreme Court sided with Owners, entering summary judgment for the insurer and ending EMOI’s case.

EMOI had argued that computer software falls within the policy’s definition of “media” and can be damaged, and that even though software is intangible, the policy should cover the loss even if no hardware was damaged. The justices were not persuaded, holding that the phrase “direct physical loss of or damage to” requires direct physical damage to the media itself.

Although “computer software” appears in the policy’s definition of “media,” the justices held that software is covered only insofar as it is contained in covered media, and that covered media must have a physical existence. Because there was no direct physical loss of or damage to the media on which the software was stored, the policy did not cover the losses. Computer software itself, the court added, cannot suffer direct physical loss or damage because it has no physical existence.

Privacy Breaches Reported by Blue Shield of California, Pediatrics West & Allergy West, Medstar Mobile Healthcare and Louis A. Johnson VA Medical Center

A summary of data breaches recently reported to the HHS’ Office for Civil Rights and state attorneys general.

Blue Shield of California

Blue Shield of California has begun notifying certain health plan members of a privacy breach by one of its employees. On June 17, 2022, the employee emailed a spreadsheet containing plan members’ names, addresses, phone numbers, email addresses, Social Security numbers, and/or Taxpayer ID numbers from their work account to a personal email address. Blue Shield of California Privacy Officer David Keystone said the breach was discovered on October 30, 2022; the matter was addressed with the employee, who was instructed to delete the email and any copies of the spreadsheet.

In response, Blue Shield of California has enhanced its system detection tools to prevent further impermissible disclosures of PHI. As a precaution against identity theft, affected individuals have been offered complimentary one-year membership to a credit monitoring and identity theft protection service.

The number of individuals affected has not yet been confirmed.

Pediatrics West & Allergy West

Pediatrics West & Allergy West in Massachusetts have notified 1,364 patients that their PHI, stored on its systems, was accessed by an unauthorized party. The breach was discovered on October 17, 2022, and the forensic investigation confirmed that unauthorized access occurred between August 19, 2021, and August 15, 2022. The records on the system included names, contact information, dates of birth, demographic information, diagnosis and treatment information, prescription details, medical record numbers, dates of service, provider names, and/or health insurance information. Pediatrics West said it has implemented additional safeguards and technical security measures to further protect and monitor its IT infrastructure.

Medstar Mobile Healthcare

Medstar Mobile Healthcare, which provides emergency and non-emergency ambulance services in Tarrant County, TX, recently announced that it suffered a cyberattack in which patient information was potentially compromised. Suspicious network activity was detected on October 20, 2022, and it was subsequently determined that an unauthorized third party had gained access to parts of the network where patient data was stored. It could not be determined whether the files were accessed or exfiltrated. A review of the files found that they mostly contained only non-financial billing data; however, some individuals also had their full name, date of birth, contact information, and limited medical information exposed. The investigation is ongoing.

The number of affected individuals has not yet been confirmed.

Mailing Error at The Louis A. Johnson VA Medical Center

The Louis A. Johnson Veterans Affairs Medical Center in West Virginia has reported a privacy breach involving the PHI of 736 individuals. A mailing error caused veterans’ full Social Security numbers to be visible on letters sent to them. Affected veterans have been notified by mail and offered complimentary credit monitoring services. The VA has also formed a working group to review its mailing processes for potential weaknesses, and additional management oversight will be put in place to prevent a recurrence.

Florida Primary Care Service Provider Pays $20,000 Penalty for HIPAA Right of Access Violation

Health Specialists of Central Florida Inc. (HSCF), a primary care provider based in Orlando, FL, has paid a $20,000 financial penalty to the HHS’ Office for Civil Rights to settle a HIPAA Right of Access violation.

OCR opened an investigation on November 22, 2019, after receiving a complaint from a woman who had not been provided with a copy of her deceased father’s medical records. Her initial written request was submitted on August 29, 2019, together with an Authorization for Release of Medical Record Information form and a photocopy of the original Letters of Administration. After several further requests and roughly five months, HSCF provided all of the requested records, which the complainant received in full on January 27, 2020.

Under the HIPAA Right of Access, healthcare organizations must provide a copy of requested health records within 30 days of receiving the request; in certain circumstances a single 30-day extension is permitted. OCR determined that the delay in providing the records violated the HIPAA Right of Access. In addition to paying the $20,000 financial penalty, HSCF agreed to adopt a corrective action plan that includes:

developing, implementing, and maintaining HIPAA Privacy Rule policies and procedures on the HIPAA Right of Access
distributing those policies and procedures to the workforce
training the workforce on those policies and procedures.

HSCF will be monitored by OCR for two years from the date of the settlement.

An individual’s right to access their health information is one of the cornerstones of HIPAA, and OCR takes it seriously. OCR said it will continue to ensure that health plans and healthcare providers comply with the rule, and that this settlement underscores the importance of timely access and of covered entities implementing the required procedures and training their workforce so that patients’ access rights are honored.

OCR launched its HIPAA Right of Access enforcement initiative in the fall of 2019. Since then, healthcare providers have paid $2,423,650 to settle Right of Access violations across 42 enforcement actions, with penalties ranging from $3,500 to $240,000.

Amazon Ends Support for Third Party HIPAA-Eligible Alexa Skills

Amazon has announced that it is ending support for third-party HIPAA-eligible Alexa skills, meaning developers will no longer be able to build Alexa skills that collect information protected by the Health Insurance Portability and Accountability Act (HIPAA).

Amazon launched HIPAA-eligible Alexa skills in April 2019, with initial skills from Boston Children’s Hospital, Atrium Health, Cigna, Livongo, Swedish Health Connect, and Express Scripts. The program was intended to let healthcare organizations offer Alexa skills that collect HIPAA-protected information and transmit it in a HIPAA-compliant manner. That support is now being withdrawn for third-party developers. HIPAA-eligible skills are now part of Alexa Smart Properties for Healthcare, Amazon’s business device offering, and such skills can only be built with first-party support.

Amazon said it regularly reviews its experiences to ensure it is delivering services that delight its customers, and that it is investing heavily in building healthcare experiences with first- and third-party developers, such as Alexa Smart Properties for Healthcare.

Amazon has written to all third-party developers informing them that support for third-party (3P) HIPAA-eligible skills ends this week, and has instructed them to remove their HIPAA-eligible skills from the skills store. Any skill not removed by its developer will be removed automatically on December 9, 2022, and use of the skill will be blocked. Any protected health information (PHI) associated with the skill will be deleted, and anyone who tries to use a HIPAA-eligible skill after it has been blocked will receive a message that the skill is no longer supported. Amazon has said it will not notify users of the skills directly that support is ending.

The end of support for third-party HIPAA-eligible skills does not mean Amazon is blocking all healthcare-related Alexa skills. Only skills that collect PHI are affected; healthcare-related skills that do not collect information covered by HIPAA can continue to operate.

Using Tracking Technologies on Websites Without a BAA Violates HIPAA

The HHS’ Office for Civil Rights has issued a bulletin stating that adding third-party tracking technologies to websites, web applications, and mobile apps without a signed business associate agreement (BAA) violates HIPAA if the tracking technology collects and transmits individually identifiable health information. Even with a BAA in place, the use of tracking technology can still violate HIPAA.

The bulletin follows the discovery earlier this year that the Meta Pixel tracking code was in widespread use on hospital websites and was transmitting data, including sensitive patient information, to Meta. An investigation by The Markup and STAT found the Meta Pixel on the websites of a third of the top 100 U.S. hospitals; in 7 cases the code was present inside password-protected patient portals. Because the study was limited to the top 100 hospitals, it is likely that hundreds of hospitals have used the code and have unknowingly transmitted sensitive information to Meta/Facebook without a signed business associate agreement and without patient authorization.

After the report was published, healthcare organizations faced a wave of lawsuits over these impermissible disclosures. Several plaintiffs said that information entered on their healthcare providers’ websites was transmitted to Meta and used to serve them targeted ads related to their health conditions. The report prompted investigations and, recently, some data breach notifications; however, despite how widely the tracking code was used, only a handful of hospitals and health systems have filed breach reports and issued notifications to date. The HHS bulletin is likely to trigger many more breach notifications as organizations realize that their use of Meta Pixel and other tracking code amounts to a HIPAA violation.

What are Tracking Technologies?

Tracking technologies are typically snippets of code placed on websites, web applications, and mobile apps to monitor user activity, usually to understand how visitors use the site and what they do while on it. The data collected can be analyzed and used to improve the services offered and the user experience, which benefits patients. But while the HIPAA-covered entity gains useful information, there is also considerable potential for harm, because the data collected by these technologies is often transmitted to the vendor.

For example, if a patient books an appointment on a healthcare provider’s website to discuss a pregnancy-related concern, tracking technology on the site could transmit that information to the vendor, which could in turn share it with other third parties, including the authorities. Information that a person enters on a website or web app can thus end up with a third party and be used for fraud, identity theft, extortion, harassment, or to spread misinformation.

In many cases these tracking technologies are added to websites and apps without users’ knowledge, and it is often unclear how a vendor will use any data it receives or to whom it will be passed. Tracking technologies typically use cookies and web beacons that allow individuals to be tracked across the web, enabling yet more data to be collected about them to build detailed profiles. When tracking code is used in mobile apps, it can collect device-related data, such as demographic information tied to a unique device identifier, which can be used to identify the user.

Tracking Technologies Should Comply With HIPAA

HIPAA does not prohibit the use of tracking technologies; however, the HIPAA Rules apply when third-party tracking technologies are used:

  • if the tracking technology collects individually identifiable information that is covered by HIPAA and that information is transmitted to a third party, whether the tracking technology vendor or another third party
  • if the tracking technology collects any identifiers, those identifiers are protected health information (PHI), because they connect the individual to the regulated entity, indicating that the individual has received or will receive healthcare services or benefits from the covered entity, and thus relate to the individual’s past, present, or future healthcare or payment for healthcare.

The risk of an impermissible disclosure of PHI is greatest when tracking code is used on patient portals or other webpages that require authentication, since those pages typically provide access to PHI. If tracking code is placed on such pages, it must be configured so that it uses and discloses PHI only as permitted by the HIPAA Privacy Rule, and any data it collects must be protected in accordance with the HIPAA Security Rule. The same applies to tracking technologies in a HIPAA-covered entity’s mobile apps when they collect and transmit PHI. OCR notes that only mobile apps offered by regulated entities are covered by HIPAA; third-party apps that individuals voluntarily download are not, even if they collect and transmit health information.

The OCR bulletin states that when tracking technologies are used, the code vendor, such as Google (Google Analytics) or Meta Platforms (Meta Pixel), is a business associate and must sign a business associate agreement (BAA) with the HIPAA-covered entity before the code is added to a webpage or app. The BAA must set out the vendor’s responsibilities with respect to the PHI and define the permitted uses and disclosures of that data. If the vendor has not signed a BAA, any disclosure of PHI to the vendor is impermissible, so the code must not be used, or must be configured so that no PHI is collected or transmitted. OCR also stated that even where a vendor says it will strip identifiable information before storing or using the transmitted data, a signed BAA is still required, and the disclosure is allowed only if it is permitted by the HIPAA Privacy Rule.

Other HIPAA violations are also possible. Any sharing of PHI with a vendor must be consistent with the organization’s privacy policy and described in its Notice of Privacy Practices, but merely mentioning the use of tracking technology in a Notice of Privacy Practices is not sufficient. Beyond the BAA, any disclosure of PHI for a purpose not expressly permitted by the HIPAA Privacy Rule requires a HIPAA-compliant authorization from the patient consenting to the sharing of that data. Website banners that ask visitors to accept cookies and web tracking technologies do not constitute valid HIPAA authorization.

Actions that HIPAA-Regulated Entities Must Undertake Right Away

HIPAA-regulated entities should read the bulletin carefully to make sure they understand how HIPAA applies to tracking technologies. They should also review every tracking technology in use on their webpages, web applications, and mobile apps to confirm that its use is HIPAA compliant. If they have not already done so, website tracking technologies should be incorporated into the entity’s risk analysis and risk management processes.
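As an added illustration of what the review described above can look like in practice (example code written for this page, not part of the OCR bulletin or any vendor’s tooling), the following Python script scans saved HTML pages for the script loaders, inline calls, and image beacons that the Meta Pixel and Google Analytics/Tag Manager are publicly documented to use, and rates a finding higher when the page path looks like an authenticated patient area. The tracker host names and function names are the well-known ones; the list of authenticated-path keywords, the two sample pages, and the pixel ID 000000000000000 are constructed for the example and are not real hospital markup.

```python
"""Static audit of saved HTML pages for third-party tracking code.

Added example for this article, not OCR's or any vendor's tooling. It finds
the loaders, inline calls and <noscript> image beacons used by the Meta Pixel
and Google Analytics / Tag Manager, and rates findings on pages that look
like authenticated patient areas as high risk.
"""
import re
from dataclasses import dataclass
from html.parser import HTMLParser
from urllib.parse import urlparse

# Publicly documented hosts the trackers load from or send beacons to.
TRACKER_HOSTS = {
    "connect.facebook.net": "Meta Pixel loader (fbevents.js)",
    "www.facebook.com": "Meta Pixel image beacon (/tr)",
    "www.googletagmanager.com": "Google Tag Manager / gtag.js loader",
    "www.google-analytics.com": "Google Analytics loader or collect endpoint",
}
# Inline call signatures the loaders expose on the page.
INLINE_PATTERNS = [
    (re.compile(r"\bfbq\s*\("), "Meta Pixel fbq() call"),
    (re.compile(r"\b(?:gtag|ga)\s*\("), "Google Analytics gtag()/ga() call"),
]
# Heuristic (assumption for this example): path fragments suggesting a page behind login.
AUTHENTICATED_PATH_HINTS = ("portal", "mychart", "login", "appointment", "account")


@dataclass
class Finding:
    kind: str    # "external" (script/img/iframe src) or "inline" (script body)
    detail: str
    line: int    # line in the HTML where the tag starts


class TrackerAuditor(HTMLParser):
    """Collects tracker indicators from <script>, <img> and <iframe> tags."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False
        self._script_line = 0
        self._script_buf = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            # HTMLParser delivers <script> bodies as raw data, so buffer them.
            self._in_script = True
            self._script_line = self.getpos()[0]
            self._script_buf = []
            self._check_url(attrs.get("src"))
        elif tag in ("img", "iframe"):
            # Beacons are usually 1x1 images inside <noscript>; HTMLParser
            # still reports those tags, so they are caught here.
            self._check_url(attrs.get("src"))

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            body = "".join(self._script_buf)
            for pattern, label in INLINE_PATTERNS:
                if pattern.search(body):
                    self.findings.append(Finding("inline", label, self._script_line))

    def handle_data(self, data):
        if self._in_script:
            self._script_buf.append(data)

    def _check_url(self, url):
        if not url:
            return
        label = TRACKER_HOSTS.get(urlparse(url).netloc.lower())
        if label:
            self.findings.append(Finding("external", f"{label}: {url}", self.getpos()[0]))


def audit_page(path, html):
    """Return the findings for one page plus a coarse risk rating."""
    auditor = TrackerAuditor()
    auditor.feed(html)
    auditor.close()
    authenticated = any(h in path.lower() for h in AUTHENTICATED_PATH_HINTS)
    if not auditor.findings:
        risk = "none"
    elif authenticated:
        risk = "high"    # tracker on a page that likely exposes PHI
    else:
        risk = "review"  # tracker present; confirm the BAA and what data is sent
    return {"path": path, "authenticated_area": authenticated,
            "findings": auditor.findings, "risk": risk}


# Constructed sample pages (not real hospital markup); the pixel ID is a dummy.
SAMPLE_PAGES = {
    "/patient-portal/appointments": """<html><head>
<script>
  fbq('init', '000000000000000');
  fbq('track', 'PageView');
</script>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
</head><body>
<noscript><img height="1" width="1" style="display:none"
  src="https://www.facebook.com/tr?id=000000000000000&amp;ev=PageView&amp;noscript=1"/></noscript>
<h1>Schedule an appointment</h1>
</body></html>""",
    "/about-us": """<html><head>
<script src="/static/app.js"></script>
</head><body><p>Contact us</p></body></html>""",
}


def audit_site(pages=SAMPLE_PAGES):
    return [audit_page(path, html) for path, html in pages.items()]


if __name__ == "__main__":
    for result in audit_site():
        print(f"{result['path']}: risk={result['risk']}")
        for f in result["findings"]:
            print(f"  line {f.line} [{f.kind}] {f.detail}")
```

Run against a crawl of the site’s own HTML (saved pages, not live requests), this produces a per-page inventory that can be fed into the risk analysis the bulletin calls for. A static scan only sees code that is present in the markup; tags injected at runtime by a tag manager need a browser-based check of outbound requests as well.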

It is important to note that a tracking technology vendor is a business associate under HIPAA even when no BAA has been signed. Any disclosure to that vendor without a BAA in place is therefore an impermissible disclosure of PHI, and the HIPAA-covered entity may face financial penalties and other sanctions if PHI is transmitted without a signed BAA.

If the review finds that a HIPAA-regulated entity has used, or is using, tracking technologies in a non-compliant way, the HIPAA Breach Notification Rule applies, and the entity must notify OCR and the individuals whose PHI was impermissibly disclosed.

Breach of CommonSpirit Health Patient Data in October 2022 Cyberattack

CommonSpirit Health has issued an update on its October 2022 ransomware attack, confirming that the threat actors responsible accessed files containing patient data.

CommonSpirit Health detected the attack on October 2, 2022, and immediately took steps to protect its network. Systems were taken offline to contain the incident, which disrupted healthcare services. The incident did not affect patient care, clinical, or related systems at Virginia Mason Medical Center, Dignity Health, Centura Health, or TriHealth facilities. The forensic investigation confirmed that the threat actors had access to the network from September 16, 2022, to October 3, 2022.

CommonSpirit Health has confirmed that the threat actors gained access to parts of its network containing files with the protected health information (PHI) of patients of Franciscan Medical Group and Franciscan Health in Washington state. Patients who received care at the following hospitals were also affected:

  • St. Anne Hospital (previously Highline Hospital)
  • St. Michael Medical Center (previously Harrison Hospital)
  • St. Anthony Hospital
  • St. Elizabeth Hospital
  • St. Clare Hospital
  • St. Joseph Hospital
  • St. Francis Hospital

Those facilities are now known collectively as Virginia Mason Franciscan Health, a CommonSpirit Health affiliate.

CommonSpirit Health said the affected files contained the following information about patients and their family members and caregivers: names, addresses, telephone numbers, dates of birth, and unique internal patient identifiers. To date, no evidence has been found of attempted or actual misuse of the information stored on its systems.

CommonSpirit Health said most electronic health records and patient portals across the CommonSpirit Health system are back online. The review of affected files is ongoing and the number of affected individuals has not yet been confirmed. CommonSpirit Health has advised patients to review their account statements for accuracy and to report any services or charges they did not receive to their healthcare provider or insurer.

District of Massachusetts Rejects Data Breach Lawsuit for Insufficiency of Injury

Class action lawsuits are now routinely filed after healthcare data breaches. Although the theft of sensitive healthcare data can cause real problems for breach victims, plaintiffs must allege that they have suffered an injury as a direct result of the breach for a lawsuit to survive. In October, the District of Massachusetts dismissed a class action lawsuit against Injured Workers’ Pharmacy, LLC, because the plaintiffs and class members had not demonstrated an injury in fact sufficient to establish Article III standing.

Injured Workers’ Pharmacy is a home delivery pharmacy service. In May 2021, it discovered that unauthorized individuals had accessed parts of its systems and potentially viewed or obtained the personally identifiable information (PII) of more than 75,000 of its customers.

The lawsuit, Webb v. Injured Workers’ Pharmacy, LLC, was filed on behalf of Alexsis Webb and Marsclette Charley. It alleged that the pharmacy failed to implement adequate data security measures and asserted claims including unjust enrichment and breach of implied contract. Webb and the other affected individuals claimed to have suffered injuries from the breach such as loss of sleep, anxiety, stress, and fear, and to have spent considerable time and effort monitoring their financial accounts and protecting themselves against identity theft and fraud. Charley claimed she had spent many hours dealing with the IRS over a fraudulent tax return filed in her name. The plaintiffs also claimed that because their PII was available on the dark web, they had suffered harm to and diminution of the value of their PII, which they put at around $1,000.

IWP moved to dismiss the lawsuit for lack of standing, arguing that the plaintiffs had not stated a claim and had not alleged any concrete and particularized injury that was actual or imminent. The District of Massachusetts agreed, finding that the complaint’s factual allegations did not show that the plaintiffs had suffered any specific harm as a result of the data breach.

The only injury actually alleged was the substantial time and effort spent monitoring accounts and dealing with the IRS; there were no allegations of financial loss, misuse of data, or even theft of the plaintiffs’ PII. Although a fraudulent tax return had been filed in Charley’s name, the court found there was no plausible allegation connecting that return to the data breach. As for the claimed diminution in the value of the plaintiffs’ PII, the court said it was unclear how a drop in the black market value of their PII could injure the plaintiffs.

The Supreme Court has previously held that, in a suit for damages, the mere risk of future injury cannot establish Article III standing, and the District of Massachusetts likewise concluded that “[Plaintiffs] cannot establish standing simply by imposing harm on themselves based upon… theoretical future harm.”

PHI Possibly Exposed in Data Breach at Stern Cardiovascular Foundation, University Medical Center of Southern Nevada, and PrimeCare Medical

The Stern Cardiovascular Foundation (SCF) recently reported that it experienced a data security incident on September 6, 2022, which disrupted some parts of its computer systems. The Germantown, TN-based healthcare provider said it responded promptly and engaged third-party technical specialists to assist with response, mitigation, and investigation.

SCF quickly restored access to all computer systems and no patient services were disrupted. On September 13, 2022, SCF learned that the attackers first gained access to its systems on September 4, 2022, and retained access until September 6. During that window they may have accessed and/or exfiltrated information, including the personal and health information of patients and other individuals associated with SCF.

The investigation is ongoing; there is no evidence that the electronic medical record system was accessed. The number of individuals affected and the specific types of data that may have been exposed have not yet been confirmed. The breach was reported to the HHS’ Office for Civil Rights as affecting 501 individuals, a placeholder until the full scope is known. SCF said it is working with external cybersecurity specialists to address the attack and strengthen its defenses.

Patients Notified About the University Medical Center of Southern Nevada Insider Data Breach

University Medical Center (UMC) of Southern Nevada has notified 1,861 patients that a former employee accessed their medical records without a legitimate work reason. UMC discovered the HIPAA breach during a review of medical record access in September 2022.

The investigation confirmed that the employee accessed patient records in the electronic medical record system between May 19, 2021, and September 22, 2022. The records included demographic, clinical, and insurance information. UMC said the individual is no longer employed by UMC and that no evidence was found of any copying, misuse, or disclosure of the information. Policies have been updated where necessary to prevent similar incidents, and employees have received additional training.

PrimeCare Medical Impacted by CorrectCare Integrated Health Data Breach

PrimeCare Medical, a Pennsylvania-based provider of healthcare services to inmates of correctional facilities, has reported that some of its patients were affected by a breach at its third-party administrator, CorrectCare Integrated Health. A web server misconfiguration exposed two file directories online that contained patient information including full names, dates of birth, Social Security numbers, DOC IDs, and some health information, such as CPT codes and diagnoses.

The exposed files were detected on July 6, 2022, and secured within 9 hours. Unauthorized individuals may have been able to access them since January 2022. Third-party specialists have been assisting CorrectCare to strengthen the security of its systems and keep client data protected.

PrimeCare Medical said the PHI of 22,254 individuals was compromised; those individuals received healthcare services between July 1, 2018, and July 7, 2022.

New York Administrative Anesthesiology Services Provider Faces Multiple Class Action Data Breach Lawsuits

A physician-owned company that provides administrative services to anesthesiology practices in New York is facing multiple class action lawsuits over a cyberattack and data breach that affected around 24 entities. The incident exposed, and potentially resulted in the theft of, the protected health information (PHI) of more than 450,000 patients.

The Department of Health and Human Services’ Office for Civil Rights began receiving breach reports from anesthesiology practices in September 2022. The notification letters sent to patients said that a data breach had occurred at their anesthesia management services provider but did not name the company.

According to the notification letters, the management services provider discovered the cyberattack on or around July 11, 2022, or July 15, 2022; the affected practices used two letter templates with different dates. The forensic investigation confirmed that the attackers accessed parts of the system containing patients’ PHI, including names, dates of birth, driver’s license numbers, Social Security numbers, financial account information, health insurance policy numbers, Medicaid/Medicare IDs, medical record numbers, and medical information such as diagnosis and treatment details.

The management company, Somnia Inc., is now facing around five complaints filed in the U.S. District Court for the Southern District of New York over the breach. The lawsuits allege that Somnia was negligent in failing to implement appropriate safeguards to protect the confidentiality, integrity, and availability of patient data, that it failed to comply with FTC rules and the HIPAA Regulations, and that it had not adopted industry standards for data security.

Some of the lawsuits also take issue with how the breach was reported, specifically the failure to name Somnia Inc. in the notification letters and, in some cases, to fully disclose exactly what data was exposed. One lawsuit alleges that Somnia Inc. reported the breach as affecting only 1,326 patients when in fact more than 400,000 individuals were affected, and that Somnia is attempting to evade all accountability for the breach by using tactics to conceal the identity of the responsible entity and to downplay the seriousness of the breach.

The lawsuits claim that the individuals affected by the breach now face an imminent and heightened risk of identity theft and fraud as a result of Somnia’s negligence, and seek class action status, damages, injunctive relief, adequate credit monitoring and identity theft protection services, and a court order requiring Somnia to adopt better security practices to ensure patient data is properly protected.

Security Awareness Training Doesn’t Seem to Enhance Password Hygiene

Security awareness training is an important component of any security strategy; however, one area where it is having little impact is password hygiene. Employees can be taught what a strong password is and how to create one, but knowing the theory does not mean it is put into practice. Employees may understand the importance of good password hygiene, but creating strong, unique passwords for every account is hard, and remembering them all is nearly impossible.

Each year, LastPass conducts its Psychology of Passwords survey. This year, 3,750 professionals were asked how they create passwords for their personal and work accounts. The survey found a high degree of confidence in current password management practices, but in many cases that confidence was misplaced, as good password hygiene was not consistently followed.

The greatest disconnect concerns Gen Z, which had the highest level of confidence in its password management practices but the lowest scores for password hygiene. Gen Z participants were the most likely to recognize password problems such as reusing the same password on several accounts, yet this age group reused passwords 69% of the time. Overall, 62% of survey participants admitted to nearly always or mostly using the same passwords, or variants of them, for their accounts.

The survey revealed that 65% of participants had received some form of cybersecurity awareness training, and 79% said that training was good. Overall, 89% of participants said they are aware that reusing a password or a variant of it is a security risk, yet only 12% said they use a unique password for every account. When asked about changes to their password practices after receiving security awareness training, only 31% of participants said they adjusted their habits and stopped using the same password for several accounts, and only 25% began using a password manager.

Most respondents took a risk-based approach to creating passwords: 69% said they use stronger passwords for financial accounts and 52% said they use more complex passwords for their email accounts. For other accounts, convenience is preferred over security. 35% used stronger passwords for their health data, 32% for social media accounts, 18% for business or online shopping accounts, and 14% for streaming services such as Netflix. 13% of participants said they create passwords in the same manner regardless of what account the password is for, and just 33% said they use stronger passwords for their work accounts.

One way employers can improve password security is to provide their staff with a password manager. A password manager suggests strong, randomly generated, unique passwords, stores them in an encrypted vault, and autofills login forms when required, so there is no need to remember passwords. To encourage employees to use a password manager, employers can provide an account for use both at work and for personal purposes and emphasize its advantages during security awareness training sessions. The Bitwarden Password Decisions survey released last October found that 71% of respondents are likely to use a password manager when the company provides it for personal use; only 5% said they probably would not use it.

This latest research shows that even though approximately 66% of respondents have received some cybersecurity training, for various reasons it is not being put into practice. If both individuals and businesses used a password manager, accounts could be kept safe and secure.
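As an added illustration of the reuse-and-variant problem the survey describes (this is example code written for this digest, not code from LastPass or Bitwarden), the following Python script audits a constructed set of one user's account passwords for identical and near-variant reuse, then replaces the flagged ones with randomly generated passwords, which is the core of what a password manager automates. The account names and passwords are made up, and the normalization rules are an assumption about the most common "variant" tricks (case changes, a trailing year or symbol, leetspeak substitutions), not a claim about how either survey scored them.

```python
"""Password reuse audit: flag identical and near-variant passwords across a
set of accounts, and generate a strong unique replacement for each flagged
account the way a password manager would. All account data below is
constructed for illustration."""
import math
import re
import secrets
import string
from itertools import combinations
from typing import Dict, List, Tuple

# Constructed sample: one person's passwords across six accounts (made up).
SAMPLE_ACCOUNTS: Dict[str, str] = {
    "bank": "Tr0ub4dor&3!x9Q",
    "email": "Summer2022",
    "social": "summer2022!",
    "shopping": "Summer2023",
    "streaming": "Summer2022",
    "work": "W0rk-Pa$$-2019",
}

# Characters a generated password is drawn from: 94 printable ASCII symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def normalize(password: str) -> str:
    """Reduce a password to the stem left after the usual 'make it new' tricks
    (assumed rules): lowercase it, drop a trailing run of digits/symbols such
    as a year or '!', then undo common leetspeak substitutions."""
    stem = password.lower()
    stem = re.sub(r"[\d!@#$%^&*._-]+$", "", stem)
    return stem.translate(str.maketrans("0134$@", "oleasa"))


def find_reuse(accounts: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (account_a, account_b, kind) for every pair of accounts whose
    passwords are 'identical' or reduce to the same stem ('variant')."""
    findings = []
    for (a, pa), (b, pb) in combinations(sorted(accounts.items()), 2):
        if pa == pb:
            findings.append((a, b, "identical"))
        elif normalize(pa) == normalize(pb):
            findings.append((a, b, "variant"))
    return findings


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random password of the given length."""
    return length * math.log2(alphabet_size)


def generate_password(length: int = 20) -> str:
    """Uniformly random password from the OS CSPRNG (secrets module)."""
    if length < 12:
        raise ValueError("use at least 12 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def remediate(accounts: Dict[str, str]) -> Dict[str, str]:
    """Replace every password involved in a reuse finding with a fresh random
    one; accounts that were not flagged keep their password."""
    flagged = {acct for a, b, _ in find_reuse(accounts) for acct in (a, b)}
    return {acct: generate_password() if acct in flagged else pw
            for acct, pw in accounts.items()}


if __name__ == "__main__":
    for a, b, kind in find_reuse(SAMPLE_ACCOUNTS):
        print(f"{a:10s} {b:10s} {kind}")
    fixed = remediate(SAMPLE_ACCOUNTS)
    print("remaining findings after remediation:", len(find_reuse(fixed)))
    print(f"generated passwords carry ~{entropy_bits(20):.0f} bits of entropy")
```

Run on the sample, the audit reports one identical pair (email and streaming) and five variant pairs among the four "Summer" passwords; the bank and work passwords are left alone because they reduce to distinct stems. The stem comparison is deliberately crude: it catches the year-bump and capital-letter tricks the survey respondents describe, which a per-account random password makes unnecessary in the first place.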

St. Luke’s Health, Tift Regional Health System and Wenco Management Report Data Breach

St. Luke’s Health has notified 16,906 patients that some of their protected health information (PHI) was exposed in a security breach at its consulting services vendor. On November 5, 2021, an unauthorized individual accessed the email accounts of two Adelanto Healthcare Ventures (AHCV) employees.

AHCV’s investigation of the incident initially found that no patient data had been exposed; however, a subsequent review revealed that the email accounts contained the data of some St. Luke’s Health patients, which the attackers may have accessed or obtained. The compromised data included names, birth dates, addresses, Social Security numbers, dates of service, Medicaid numbers, medical record numbers, and some clinical data such as treatment and diagnosis codes. AHCV notified St. Luke’s Health of the breach on September 1, 2022.

According to the breach notification letters posted on the St. Luke’s Health website, no reports of misuse of patient data have been received; nevertheless, as a precaution, AHCV is offering affected individuals free identity theft and credit monitoring services.

St. Luke’s Health is also still recovering from the ransomware attack on its parent company, CommonSpirit Health, over a month ago. CommonSpirit Health continues to experience disruption to its operations as a result of the attack, although the MyChart patient portal has been restored and patients’ electronic health records are accessible again.

Cyberattack and Data Breach at Tift Regional Health System

Tift Regional Health System (TRHS) in Tifton, GA, recently reported that its systems were compromised and that attackers may have accessed and stolen some patients’ PHI. The unauthorized network access occurred on or around August 16, 2022. Immediate action was taken to secure its systems, and TRHS launched an investigation to determine the nature and scope of the attack.

TRHS said that files on its systems were not encrypted and that there was no evidence of access to its electronic medical record system; however, the forensic investigation could not rule out unauthorized access to and theft of patient data files. Files on the breached part of the network contained the following types of information: patient ID numbers, Social Security numbers, driver’s license numbers, medical data, treatment data, diagnosis data, health insurance details, and birth dates.

TRHS said it is reviewing its current cybersecurity policies and procedures and assessing additional safeguards to prevent similar incidents in the future. The breach report submitted to the HHS’ Office for Civil Rights indicates that 500 individuals were affected; that figure is frequently used as a placeholder until the full scope of a breach is known.

Health and Welfare Benefit Plan Member Data Exposed Due to Wenco Management Breach

The PHI of 20,526 employees of Wenco Management, LLC, was compromised and possibly stolen by unauthorized individuals. Wenco Management manages Wendy’s fast-food chain restaurants. The employees affected by the breach were members of its Health and Welfare Benefit Plan.

Wenco Management discovered the breach on August 21, 2022. After securing its systems, it launched a forensic investigation to determine the nature and scope of the breach, which confirmed that an unauthorized person had gained access to its network and may have viewed and stolen employee files containing names, plan selection data, and Social Security numbers. The breach occurred on the same day Wenco Management discovered and blocked it. Affected individuals were offered free credit monitoring services, and Wenco Management said it is strengthening the security of its systems to prevent further data breaches.

Data Breaches at CorrectCare Integrated Health and Regions Hospital

CorrectCare Integrated Health, a medical claims processor, recently notified its clients that the protected health information (PHI) of some patients was accidentally exposed online and may have been accessed by unauthorized persons. On July 6, 2022, CorrectCare discovered that two file directories on its web server were misconfigured and could be accessed by anyone on the internet without authentication.

The data breach affected patients served by Health Net Federal Services (HNFS) in California and Mediko, Inc. in Virginia. HNFS is a business associate of the California Department of Corrections and Rehabilitation (CDCR) / California Correctional Health Care Services (CCHCS), while Mediko is Virginia’s largest provider of medical care to people in correctional facilities. Approximately 80,000 people incarcerated in facilities run by the Louisiana Department of Public Safety and Corrections were also affected.

CorrectCare said it secured the web server 9 hours after discovering the misconfiguration. The forensic investigation confirmed that the files had been exposed since January 22, 2022, and that they contained the data of people treated between January 1, 2012 and July 7, 2022.

The exposed file directories contained names, birth dates, inmate numbers, and some health data, such as CPT codes, diagnosis codes, treatment providers, dates of treatment, and, for some individuals, Social Security numbers.

Hacking Incident at Regions Hospital

Regions Hospital in St. Paul, MN recently reported that unauthorized persons gained access to the PHI of 978 patients. The attacker’s objective in accessing its secure system is believed to have been not to steal patient information but to steal payments from a health insurance provider.

Nevertheless, because a file containing patient data such as first and last names and Social Security numbers was viewed, Regions Hospital decided to notify the affected individuals by mail and offered them 12 months of membership in an identity theft protection service.

CHIME Prompts FTC to Strictly Implement Health Breach Notification Rule

The College of Healthcare Information Management Executives (CHIME) has submitted comments to the Federal Trade Commission (FTC) on its Advance Notice of Proposed Rulemaking (ANPR) on the Trade Regulation Rule on Commercial Surveillance and Data Security, urging the FTC to hold health apps and data brokers accountable for unlawful disclosures of health data and for unfair or deceptive data practices.

The ANPR was published in the Federal Register on August 22, 2022 to solicit feedback from healthcare sector stakeholders, in particular on whether the Commission should implement new trade regulation rules or other regulatory options governing how businesses collect, aggregate, protect, use, analyze, and retain consumer data, and how they transfer, share, sell, or otherwise monetize that data in ways that are unfair or deceptive.

CHIME expressed broad support for the actions proposed by the FTC, given the prevalence of commercial surveillance and data practices that harm individuals, particularly with respect to health information, because of the extent to which mobile devices and health apps are now used to collect, process, and transmit health data. HIPAA generally does not cover mobile apps, so the information those apps collect, process, and disclose is not protected by the HIPAA Privacy and Security Rules, and the health data they gather is often sold to data brokers.

CHIME praised the FTC’s efforts to protect consumer health data and its clarification of its authority under the Health Breach Notification Rule. The September 2021 Policy Statement on Breaches by Health Apps and Other Connected Devices states that vendors of personal health records (PHRs) and related entities must notify the FTC and consumers of breaches of unsecured individually identifiable health information, and that violations may be subject to civil penalties.

Clarification was needed because the Health Breach Notification Rule was issued more than 10 years ago and has never been enforced by the FTC, which matters given the extent to which health information is now held by entities that are not required to comply with HIPAA. CHIME cited an IQVIA Institute for Human Data Science estimate that there are currently around 350,000 publicly available health apps, and noted that the volume of health information stored or transmitted by those apps may now exceed the volume of data held by HIPAA-covered entities.

CHIME strongly supports new trade regulation rules that use the FTC’s existing authority to protect consumers. It urged the FTC to act by applying and enforcing its clear, concise, and current authority under the Health Breach Notification Rule to hold non-HIPAA-covered third parties (namely vendors of PHRs and PHR-related entities) accountable when they unlawfully disclose covered data, whether deliberately or not. CHIME believes FTC enforcement actions will help protect consumers’ health information and will encourage PHR vendors and PHR-related entities to strengthen their information security practices.

The FTC has stated that the Health Breach Notification Rule does not apply to HIPAA-covered entities or to entities acting solely as HIPAA business associates; however, CHIME said its members would appreciate clarification concerning the possible upcoming proposed rule on Commercial Surveillance and Data Security, the FTC’s existing authority under the Health Breach Notification Rule, and information held by HIPAA-covered entities (CEs) that is not covered by HIPAA (i.e., de-identified data).

Many Americans are unsure when health data is covered by HIPAA and when it is not, for example when health information is collected through health apps. CHIME called for clear, transparent communication with consumers about how their data is used, monetized, and protected, and said this will be crucial in future rulemaking.

CHIME believes it is time for the FTC to take action against PHR vendors and PHR-related entities that have lax information security or are blatantly ignoring the law, and to issue notices and penalties under the authority the Health Breach Notification Rule already gives the FTC. CHIME also called on the FTC to do much more to prevent data breaches and the sale of consumer health information before they happen, by imposing practical and strict privacy and security requirements on organizations to better protect consumer data.

CHIME also advised the FTC to ensure consumers know precisely how their information will be used before they adopt any company’s technology, and recommended questions about health apps that should be considered in upcoming rulemaking.

Pharma Sales Rep Commits Healthcare Fraud and Criminal HIPAA Violations

A pharmaceutical sales representative has pleaded guilty to conspiracy to commit healthcare fraud and to wrongfully disclosing and obtaining patients’ protected health information (PHI) in a complex healthcare fraud scheme involving criminal HIPAA violations.

Keith Ritson, 42, of Bayville, New Jersey, is a former pharmaceutical sales representative who marketed compounded prescription drugs and other medications from 2014 to 2016. Compounded prescription drugs are specialty medications mixed by a pharmacist to meet the needs of specific patients. They are usually prescribed when a patient cannot take standard medications for a particular condition, for example because of an allergy. Although they are not FDA-approved, a physician can legally prescribe compounded drugs after determining that standard medications are not suitable for a specific patient.

Ritson learned that certain health insurance plans with pharmacy benefit management services paid for compounded prescription drugs dispensed by Central Rexall Drugs, Inc., a Louisiana pharmacy. The pharmacy benefits manager pays the prescription drug claims and then bills the State of New Jersey and other insurers for the amounts paid. Ritson and his co-conspirators found that a number of insurers would reimburse thousands of dollars a month for certain compounded prescriptions, and Ritson received a share of the money the pharmacy received from the pharmacy benefits manager for every prescription he arranged.

People enrolled in insurance plans that paid for the compounded medications were recruited to receive them even though they were not medically necessary, and Ritson himself also obtained the medications. Ritson obtained the patients from the clinical practice of Dr. Frank Alario, who admitted his part in the healthcare fraud scheme at the beginning of October.

Ritson was not affiliated with Alario’s medical practice and therefore was not authorized to view or obtain the PHI of Dr. Alario’s patients. Nevertheless, Dr. Alario gave Ritson access to his office and patient files so he could identify which patients had insurance plans that would pay for the medications. Ritson would then flag those patients so Dr. Alario knew who could be prescribed compounded medications. In some cases Ritson was present while Dr. Alario examined the patient, giving patients the impression that he was an employee of or affiliated with the practice.

Ritson used patient data to complete prescription forms, which Dr. Alario then signed, and Ritson received a commission on those compounded prescriptions. On October 19, 2022, Ritson pleaded guilty to one count of conspiracy to wrongfully disclose and obtain patients’ PHI and one count of conspiracy to commit healthcare fraud. Sentencing is scheduled for Feb. 7, 2023. The healthcare fraud count carries a maximum of 10 years in prison and a $250,000 fine; the criminal HIPAA violation carries a maximum of one year in prison and a $50,000 fine. For his role in the scheme, Dr. Alario faces a maximum of one year in prison and a $50,000 fine.

Also involved in the scheme were three Central Rexall Drugs executives: Trent Brockmeier, 60, of Pigeon Forge, Tennessee; Christopher Kyle Johnston, 43, of Mandeville, Louisiana; and Christopher Casseri, 54, of Baton Rouge, Louisiana. They face charges for their part in the scheme in a 24-count indictment that includes healthcare and wire fraud. Hayley Taff, 39, of Hammond, Louisiana, a pharmacy employee, also pleaded guilty to conspiracy to commit healthcare fraud and will be sentenced on March 13, 2023.

Keystone Health and Lifespire Services Patients Impacted by Data Breaches

Keystone Health of Chambersburg, PA recently reported a cyberattack on August 19, 2022 that caused a temporary disruption to its computer systems. Steps were promptly taken to secure its systems and stop further unauthorized access, and a third-party cybersecurity firm investigated the breach to determine how the attackers gained access to its network and the scope of the data breach.

The forensic investigation showed that the attackers first gained access to its network on July 28, 2022; their access was blocked on August 19. The attackers were able to access files containing patients’ protected health information (PHI), namely names, clinical data, and Social Security numbers. A full analysis of those files determined that they contained the data of 235,237 individuals.

Keystone Health reported the cyberattack to law enforcement and notified all affected individuals by mail. Eligible patients were offered free credit monitoring services. Keystone Health said it is implementing additional security measures to prevent similar incidents, and employees have been given further security awareness training.

Lifespire Services Gives Latest News on February 2022 Cyberattack

Lifespire Services of New York, which provides services to people with developmental disabilities, has issued an update on a security incident it first reported in April 2022. The incident, which disrupted its computer systems, was discovered on February 8, 2022. A digital forensics firm helped Lifespire confirm that unauthorized persons had access to its systems from January 14, 2022 to February 8, 2022, and may have viewed patient data during that time.

The comprehensive analysis of all files in the affected parts of its systems was completed on October 7, 2022. Lifespire confirmed that the PHI of 15,375 individuals was exposed, including names, addresses, birth dates, Social Security numbers, passport numbers, driver’s license numbers, bank account details, credit card data, medical diagnosis/treatment details, Medicaid/Medicare numbers, and health insurance data.

Lifespire said it is not aware of any misuse of patient data, but has nevertheless offered affected individuals free membership in credit monitoring and identity protection services. As a result of the breach, the company’s network security policies and procedures have also been updated.

Lifespire took several weeks or months to investigate the breach and analyze the affected files, yet notifications about the attack were issued to patients in April, before the file analysis had been completed. The HIPAA Breach Notification Rule requires prompt notification, and it helps patients to learn about an incident early so they can take steps to protect themselves against misuse of their data. Many healthcare organizations delay announcing a breach until the file review is complete, which can take several months, by which time patient data may already have been stolen.

Wisconsin Department of Health Services, Detroit Health Department, and Zomo Health Report Data Breaches

Wisconsin Department of Health Services Reports Accidental Disclosure of PHI via Email

The Wisconsin Department of Health Services (DHS) has reported an accidental disclosure of protected health information (PHI) via email. According to the breach notice, in April 2021 the DHS Children’s Long-Term Support Council received a presentation by email that contained PHI. The Council then distributed the presentation to employees of certain county government agencies, and it was also published on the DHS website as part of the meeting minutes.

The error was discovered on August 8, 2022; the file was removed from the meeting minutes and replaced with a version that did not contain PHI, and steps were taken to retrieve all distributed copies of the presentation. The presentation contained the first and last names, gender, date of birth, county, Wisconsin Medicaid member ID number, and Social Security number of affected Wisconsin Medicaid members.

DHS said the breach affected 12,358 Wisconsin Medicaid members, who have been notified and offered 12 months of complimentary membership in a credit monitoring service.

Detroit Health Department Announces Unauthorized Exposure of PHI to Third Party

The Detroit Health Department (DHD) recently announced an unauthorized disclosure of clients’ PHI. According to the breach notification, on May 12, 2022 DHD learned that its office had disclosed data to a third party without authorization. The information involved included names, gender, race, dates of birth, addresses, contact details, marital status, household size, and participation status in certain Detroit Health Department programs. DHD said the breach did not affect all DHD clients, but it is still unclear exactly how many people were affected. Those individuals are being notified by mail and advised of steps they can take to protect themselves against identity theft and fraud.

Zomo Health Reports the Exposure of Plan Member Information Over the Internet

Zomo Health of Houston, TX, a health management services company, recently reported that a spreadsheet containing plan member details was exposed online. On August 5, 2022, Zomo Health learned that a spreadsheet on its website was accessible to anyone and immediately blocked access to it. The investigation confirmed that the spreadsheet had been accessible since January 15, 2022 as a result of human error. It contained the PHI of 1,359 individuals, including plan member names, birth dates, Social Security numbers, health plan names, email addresses, work addresses, telephone numbers, and information about participation in health plan incentives.

Zomo Health said it has remediated the process vulnerability that led to the exposure and has engaged a third-party security firm to assess the security of its technology systems on an ongoing basis and improve its security configuration. Affected individuals were notified on September 29, 2022.

PHI Compromised Due to Data Incidents at Anthem, CareOregon and WellMed Medical Management

Anthem has reported that the protected health information (PHI) of a number of plan members was compromised in a data breach at its vendor, Choice Health, which had been given access to plan member information to perform its contracted services. On August 5, 2022, Anthem learned that an unauthorized person had gained access to Choice Health’s database and extracted files containing plan members’ PHI, including names, addresses, birth dates, telephone numbers, email addresses, Medicaid ID numbers, and Medicare ID numbers.

The database had been left accessible to anyone on the internet because of a misconfiguration by a third-party service provider, and on May 7, 2022 someone accessed it and downloaded data. Choice Health said it has since secured the database, has taken steps to strengthen its data security procedures to prevent similar incidents, and has implemented multi-factor authentication for access to the database files. Affected individuals were offered free credit monitoring services.

The breach affected a number of Choice Health customers, including Humana. Anthem notified the Maine Attorney General of the breach and reported that 13,406 AnthemMainHealth members were affected. Some Anthem Blue Cross members were also affected, although the exact number is not yet known.

CareOregon Announces Mailing Error in August 2022

CareOregon, a health insurer based in Portland, OR, recently reported an impermissible disclosure of some of the PHI of 8,022 of its members as a result of a mailing error.

The incident, which occurred on August 9, 2022, resulted in marketing letters being sent to the wrong CareOregon members. The exposed data included the names and Medicaid ID numbers of some CareOregon members. CareOregon said it has implemented additional policies and procedures and provided further training to its workforce to prevent similar breaches in the future.

WellMed Medical Management Alerts Patients Regarding Doctor Soliciting Business

WellMed Medical Management, a healthcare delivery organization based in San Antonio, TX, has warned 10,506 patients that one of its former physicians took their records before leaving, intending to contact those patients and urge them to become patients at his new hospital.

The physician obtained the records between February 6, 2022 and May 17, 2022. The files included demographic data such as names, birth dates, mailing addresses, telephone numbers, and email addresses; health insurance details such as health plan identifier and payer name; and medical data including medical record numbers, provider names, diagnoses, treatments, prescription drugs, and lab data. No financial data, driver’s license numbers, or Social Security numbers were taken.

WellMed said it took steps to prevent further contact with the patients and reported the HIPAA breach to the appropriate authorities. WellMed also said that the documents obtained by the physician have been recovered. In response to the incident, WellMed strengthened its existing policies and procedures and put additional safeguards in place to prevent similar incidents.

GAO: HHS Must Improve Monitoring of Medicare Telehealth and Help Providers Communicate Privacy Concerns

The Government Accountability Office (GAO) recently assessed Medicare telehealth services provided during the COVID-19 pandemic, when access to telehealth and virtual visits was greatly expanded under a waiver. The assessment covered the use of telehealth services, how CMS identified and monitored risks arising from the Medicare waivers, and how the HHS’ Office for Civil Rights (OCR) modified its enforcement of HIPAA compliance for telehealth during the COVID-19 public health emergency.

Under normal conditions, Medicare covers telehealth services only in limited circumstances, for example when patients living in rural areas lack ready access to healthcare services. The growing need for telehealth during the COVID-19 pandemic led the HHS’ Centers for Medicare and Medicaid Services (CMS) to issue waivers that expanded Medicare telehealth services and allowed virtual visits to be provided in a much wider range of situations. OCR also issued a notice of enforcement discretion stating that it would not take enforcement action against healthcare providers for the good-faith provision of telehealth services, even if they used non-public-facing technology that would not normally be HIPAA compliant.

From April to December 2019, 5 million Medicare telehealth visits took place; over the same period in 2020, the number rose to 53 million. According to the GAO report, CMS could not adequately assess the quality of care delivered to patients through telehealth visits, and there is concern that patients do not fully understand the privacy risks involved, which may have led to inappropriate disclosures of sensitive health data.

OCR urged covered entities to inform patients about the potential privacy and security risks of telehealth services; however, OCR did not tell providers what specific language to use when describing those risks, nor did it provide guidance to help providers explain them. Providing such details would help ensure that patients understand how the privacy and security risks of telehealth technology could affect their protected health information (PHI).

Under normal circumstances, a healthcare provider and a communications platform vendor must sign a business associate agreement; that requirement was not enforced during the public health emergency, which can increase the risk of a patient’s PHI being disclosed without the patient’s knowledge. Patients may not be aware that this change occurred because of OCR’s telehealth policy, or that their privacy is not protected as it otherwise would be.

GAO noted in the report that complaints had been filed about possible violations of the HIPAA Privacy and Security Rules involving telehealth visits. Patients filed 5 complaints about the use of technology for telehealth consultations that was not compliant with the HIPAA Security Rule, and 37 privacy complaints about issues such as the presence of third parties during visits and cases where providers disclosed PHI without patient authorization.

GAO recommended that OCR provide more education and outreach to help providers explain the privacy and security risks of telehealth to patients, so that those risks are fully understood. GAO stressed the importance of giving patients easy-to-understand information so they can properly weigh the risks to their personal data, and of better communication about the privacy policies and HIPAA compliance of telehealth vendors, to help patients better understand the privacy risks.

OCR agreed with the recommendations and said it will provide further guidance to healthcare providers on delivering telehealth services, including guidance on explaining the privacy and security risks to patients in plain language.

GAO found that data on audio-only and video telehealth visits conducted from April to December 2020 was incomplete. This was attributed to the lack of appropriate billing codes for insurers to track telehealth and virtual visits and to identify when telehealth services were provided to beneficiaries in their homes.

GAO recommended that CMS create an additional billing modifier to allow proper tracking of audio-only office visits, require providers to use service codes that indicate when Medicare telehealth services are delivered to beneficiaries in their homes, and that the CMS Administrator thoroughly evaluate the quality of Medicare services, including audio-only services, delivered via telehealth during the public health emergency.

3 Dental Practices to Pay Fines to Resolve HIPAA Right of Access Violations

The HHS’ Office for Civil Rights (OCR) has settled three investigations of dental practices for potential HIPAA Right of Access violations. The three investigations were opened after patients complained that their dental practices had failed to provide timely access to their medical records; one of the investigations also involved an allegation of an excessive fee being charged for a copy of health records.

A patient of Great Expressions Dental Center of Georgia, P.C. (GEDC-GA) filed a complaint with OCR in November 2020 after the Georgia-based dental and orthodontics company told her that a copy of her health records would only be provided after she paid a $170 copying fee. The HIPAA Right of Access permits healthcare providers to charge patients for providing a copy of their medical records; however, the fee must be reasonable and cost-based.

OCR’s investigation found that the patient did not receive a copy of her records until February 2021, 15 months after the initial request. OCR also determined that GEDC-GA’s copying fee practices resulted in the patient being charged a fee that was not reasonable and cost-based. GEDC-GA agreed to settle the case, paid an $80,000 penalty, and implemented a corrective action plan to address the HIPAA Right of Access violation.

An investigation of Family Dental Care, P.C., based in Chicago, IL, was opened after a patient filed a complaint on August 8, 2020 stating that the dental practice had failed to provide her with a complete copy of her healthcare records. The former patient had requested all of her records in May 2020, but only part of those records was provided. The patient did not receive her complete records until October 2020, more than 5 months after the initial request. OCR confirmed that the failure to provide timely access to the requested medical records violated the HIPAA Right of Access. Family Dental Care agreed to settle the case, paid a $30,000 fine, and implemented a corrective action plan to address the non-compliance.

OCR received a complaint on October 26, 2020 from a patient of B. Steven L. Hardy, D.D.S., LTD (dba Paradise Family Dental, located in Las Vegas, NV). The patient stated that she had requested a copy of her and her minor child’s healthcare records on several occasions, but the records were not provided. The requests were submitted between April 11, 2020 and December 4, 2020, yet the records were not provided until December 31, 2020, 8 months after the initial request. OCR determined that the delay in providing the records violated the HIPAA Right of Access. Paradise agreed to settle the case, paid a $25,000 penalty, and implemented a corrective action plan to address the violation.

OCR Director Melanie Fontes Rainer said the enforcement actions over the three Right of Access violations highlight why dental practices of any size must comply with the HIPAA Rules. Patients have a fundamental right under HIPAA to obtain their requested health records, generally within 30 days. When providers comply, fewer patients need to file complaints with OCR about their medical record requests.

Melanie Fontes Rainer Is the New HHS Office for Civil Rights Director

The HHS’ Office for Civil Rights (OCR) has a new Director, Melanie Fontes Rainer, who was sworn in by Department of Health and Human Services Secretary Xavier Becerra. Fontes Rainer will head the department’s enforcement of HIPAA compliance and federal civil rights, and will lead the department’s policy and strategic initiatives.

Fontes Rainer previously served as Acting Director, replacing Lisa J. Pino, who left the position in July 2022 after 11 months. Before joining OCR, Fontes Rainer served as Counselor to Secretary Becerra and provided strategic advice on matters including patient privacy, civil rights, reproductive health, competition in healthcare, the Affordable Care Act (ACA), equity, and the private insurance industry. In that role, she led enforcement of the No Surprises Act, which increased medical billing transparency and helps consumers save money. Fontes Rainer led the White House Task Force on Reproductive Healthcare Access, and recently advised the Secretary and the Administration on responding to the Supreme Court ruling in Dobbs v. Jackson Women’s Health Organization. Fontes Rainer was also appointed by the Secretary to the White House Competition Council, spearheading cross-cutting Department work and a whole-of-Government strategy on competition, price transparency, and costs to help U.S. consumers.

Before Fontes Rainer became a member of the Biden-Harris Administration, she had the following roles:

  • She served as Special Assistant and Chief Health Care Advisor to the Attorney General at the California Department of Justice.
  • As Special Assistant, she led a national team to preserve the Affordable Care Act and protect health insurance coverage for more than 133 million people in America.
  • She helped create the Health Care Rights and Access office, a new office dedicated to proactively developing law related to health care civil rights, competition, consumer protection, and privacy.
  • She served in the U.S. Senate as Senior Aide and Women’s Policy Director to Chair Patty Murray on the Health, Education, Labor and Pensions Committee and the Budget Committee.
  • She helped pass a number of transformative health care laws, including the Every Student Succeeds Act, the 21st Century Cures Act, and the Justice for Victims of Trafficking Act.
  • She led Senate work on the Affordable Care Act, gender equity, and reproductive rights.

Melanie has dedicated her entire professional career to public service and has worked tirelessly to ensure that medical care is accessible and affordable for everyone, regardless of who you are or where you live. As a longtime senior aide, Melanie will protect and enforce the medical care and civil rights of every citizen across the country. Melanie’s dedication and expertise are essential to carrying out the Biden-Harris Administration’s health and human services priorities.