HHS Secretary Declares Limited HIPAA Waiver in Texas Because of the Winter Storm

Shortly after President Joseph R. Biden declared an emergency in the State of Texas, Acting HHS Secretary Norris Cochran declared a public health emergency in Texas because of the impact of the winter storm.

Under Section 1135(b)(7) of the Social Security Act, the HHS Secretary then issued a limited waiver of sanctions and penalties for noncompliance with certain provisions of the HIPAA Privacy Rule.

For the duration of the waiver, sanctions and penalties will not be imposed for noncompliance with the following HIPAA Privacy Rule requirements:

  • 45 C.F.R. § 164.510(a): the requirement to honor a patient's request to opt out of the facility directory;
  • 45 C.F.R. § 164.510(b): the requirement to obtain a patient's agreement before speaking with family members or friends involved in the patient's care;
  • 45 C.F.R. § 164.520: the requirement to distribute a notice of privacy practices;
  • 45 C.F.R. § 164.522(a): the patient's right to request privacy restrictions;
  • 45 C.F.R. § 164.522(b): the patient's right to request confidential communications.

The waiver took effect on February 19, 2021 and is retroactive to February 11, 2021.

The waiver applies only to hospitals in the area covered by the public health emergency declaration that have implemented their disaster protocols, and only from the time a hospital implements its disaster protocol. From that point it lasts for up to 72 hours.

Once the Presidential or Secretarial declaration ends, hospitals must again comply with the provisions listed above or face sanctions and penalties. That applies to patients still under the hospital's care, even if the 72-hour period has not yet elapsed.

More information on the waiver, and on HIPAA privacy and disclosures in emergency situations, is available in the HHS HIPAA bulletin.

$75,000 Penalty Paid by Renown Health for its HIPAA Right of Access Violation

The Department of Health and Human Services' Office for Civil Rights (OCR) is continuing its enforcement initiative targeting noncompliance with the HIPAA Right of Access and has announced its fifteenth settlement under the initiative.

Renown Health, a non-profit health system in Northern Nevada, has agreed to pay a $75,000 financial penalty to settle a potential violation of the HIPAA Right of Access.

OCR opened its investigation after receiving a complaint from a patient who had not been provided with an electronic copy of her protected health information (PHI). In January 2019 the patient asked Renown Health to send her medical and billing records to her attorney. When no records had been provided after more than a month, she complained to OCR. Renown Health did not provide the requested records until December 27, 2019, roughly a year after the initial request.

Under the HIPAA Privacy Rule (45 C.F.R. § 164.524), a covered entity must act on a request for records within 30 days of receiving it (one 30-day extension is permitted if the requester is given a written explanation of the delay). OCR determined that Renown Health violated the Privacy Rule by taking far longer than that to provide the requested records.

In addition to the financial penalty, Renown Health has agreed to a corrective action plan. It must develop, maintain and revise as necessary written policies and procedures ensuring compliance with the HIPAA Right of Access, train its workforce on those policies and procedures, and apply a sanctions policy to employees who fail to follow them. OCR will monitor Renown Health's compliance with the HIPAA Right of Access for two years.

Access to health records is a fundamental HIPAA right, and healthcare providers are required by law to give patients timely access to their records.

This is the third settlement OCR has announced in 2021. The first two involved Banner Health, which paid $200,000 to resolve a HIPAA Right of Access violation, and Excellus Health Plan, which paid $5,100,000 to resolve multiple HIPAA violations that contributed to a 2015 data breach affecting 9,358,891 records.

Sharp HealthCare Pays $70,000 Penalty to Settle its HIPAA Right of Access Violation

The HHS' Office for Civil Rights (OCR) has fined Sharp HealthCare $70,000 for failing to provide timely access to a patient's health records. This is the 16th financial penalty OCR has issued under its HIPAA Right of Access enforcement initiative, which was launched in late 2019.

OCR received a complaint from a patient on June 11, 2019 alleging that Sharp HealthCare, doing business as Sharp Rees-Stealy Medical Centers (SRMC), had failed to provide him with a copy of his health records within the 30 days required by the HIPAA Privacy Rule.

The patient said he had submitted a written request on April 2, 2019 and still had not received the records more than two months later. OCR investigated and provided SRMC with technical assistance on the Right of Access provision of the Privacy Rule, including the obligation to send records to a third party when a patient so directs. OCR closed the complaint on June 25, 2019.

On August 19, 2019, OCR received a second complaint from the same patient, who still had not received the records. He finally received them on October 15, 2019, more than six months after his initial request.

OCR determined that the failure to provide the records within the required time frame violated 45 C.F.R. § 164.524 and warranted a financial penalty. Had SRMC provided the records promptly after receiving technical assistance, a penalty might have been avoided.

In addition to the $70,000 payment, Sharp HealthCare has agreed to a corrective action plan and two years of compliance monitoring by OCR. The plan requires Sharp HealthCare to develop, maintain and revise as necessary policies and procedures covering patient requests for copies of their health information, and to train its workforce on individuals' right to access their own PHI.

Announcing the settlement, Acting OCR Director Robinsue Frohboese said that patients have a right to timely access to their medical records, and that OCR created the Right of Access Initiative to enforce and protect that right.

Micky Tripathi and Robinsue Frohboese Appointed to Head ONC and OCR at HHS

The Biden administration has appointed Micky Tripathi as National Coordinator for Health Information Technology at the Department of Health and Human Services.

Tripathi will lead the Office of the National Coordinator for Health IT (ONC), which coordinates national efforts to adopt advanced health information technology and enable the secure exchange of health information. ONC is currently overseeing work to give Americans immediate access to their health data on their smartphones and is implementing the 21st Century Cures Act provisions that expand health IT interoperability and prohibit information blocking.

Tripathi is an experienced expert in secure health information exchange and is familiar with the interoperability challenges facing the healthcare industry. Before joining ONC he was chief alliance officer at Arcadia, a healthcare analytics and software company, where he was responsible for forming partnerships to improve healthcare through innovative IT.

Tripathi was previously a manager at the strategy and management consulting firm Boston Consulting Group (BCG), the first president and CEO of the Indiana Health Information Exchange, and CEO of the Massachusetts eHealth Collaborative, and has served on the boards of Datica, the HL7 FHIR Foundation, the Sequoia Project, the CommonWell Health Alliance and the CARIN Alliance.

Arcadia CEO Sean Carroll said that Tripathi is a recognized leader on healthcare interoperability with a vision for how real-time sharing of the right information can deliver the best care while reducing costs, and that he is ideally suited to this critical role. Donald Rucker, M.D. held the position for the previous four years.

HHS has also confirmed the appointment of Robinsue Frohboese as Acting Director of the HHS' Office for Civil Rights, the main enforcer of HIPAA compliance. Frohboese was previously OCR's Principal Deputy Director and succeeds March Bell, who had served as Acting Director since January 15, 2021, when former OCR Director Roger Severino stepped down.

Frohboese has played a key role in many civil rights initiatives and in OCR's enforcement of the HIPAA Privacy Rule.

Before becoming OCR's Principal Deputy Director, Frohboese spent 17 years in the Special Litigation Section of the Civil Rights Division of the U.S. Department of Justice, first as a Senior Trial Attorney and later as Deputy Chief.

Fertility App Developer Sued for Sharing User Data With Chinese Firms Without Consent

A lawsuit has been filed against Easy Healthcare Corp. of Burr Ridge, IL over the alleged sharing of sensitive user data with third-party companies based in China.

Easy Healthcare Corp. is the developer of Premom, a popular smartphone fertility app that tracks users' ovulation cycles to identify the days on which they are most fertile. The lawsuit alleges that a range of sensitive user information was shared with at least three Chinese companies without users' consent. Because the data is stored on servers in China, the lawsuit claims it could be accessed or seized by the Chinese government.

The data sent to the Chinese companies allegedly included sensitive health information, geolocation data, user and advertiser IDs, device activity data and device hardware identifiers. Because hardware identifiers do not change, combining them with the data collected alongside them would allow the recipients to reconstruct app users' activities.

Identifiers allegedly provided to the Chinese companies include Wi-Fi MAC (media access control) addresses, which uniquely identify a device's network interface controller; router MAC/BSSID addresses, which can be resolved to a geographic location; and router SSIDs (Service Set Identifiers), which identify Wi-Fi networks. The lawsuit claims this data also allows information about users' interests, health, religion, political views and other sensitive matters to be inferred.

The lawsuit states that user data was shared with Jiguang (Aurora Mobile Ltd), Umeng and UMSNS, which provide activity analysis, precision marketing, financial risk management and location-based analytics services to their customers.

According to the lawsuit, Premom's privacy policy states that it will not share or sell users' personal data to data brokers, marketing platforms or data resellers, so the sharing directly violates that policy. Although the privacy policy says non-identifiable user data may be collected, users are told that the data will not be shared with third parties without their authorization.

The plaintiff says her personal information was disclosed to the three Chinese companies for three years without her knowledge or consent, and that Easy Healthcare deceived her by not telling her that her data would be sent to those entities. The lawsuit also alleges that Easy Healthcare shared the data for financial gain, misrepresented its data-sharing practices, and logged user data every time users unlocked or used their phones, even when the app was not in use, in violation of Google Play's developer policies.

The lawsuit was filed a few months after a bipartisan group of senators wrote to the Federal Trade Commission (FTC) asking it to examine the data security and privacy practices of the Premom app, following the International Digital Accountability Council's discovery of the unauthorized data sharing.

The lawsuit was filed in the U.S. District Court for the Northern District of Illinois, Eastern Division. It seeks class-action status and damages for app users, and asks the court to order Easy Healthcare to stop sharing user data with third parties without first obtaining users' authorization. Easy Healthcare denies any wrongdoing.

Premom is not the only health app found to have shared user data without informed consent. In January 2021 the FTC settled a data privacy and security case with Flo Health, which had misrepresented the privacy practices of its fertility app and shared user data with a data analytics firm without authorization. Flo Health was ordered to review and revise its privacy policies and to obtain users' consent before sharing their data.

Public Health Emergency Privacy Act Introduced to Ensure Privacy and Security of COVID-19 Data

On January 28, 2021, Democratic lawmakers introduced the Public Health Emergency Privacy Act to protect Americans' privacy and ensure that data security measures are in place to safeguard COVID-19-related health information collected for public health purposes.

The Act was introduced by Sens. Richard Blumenthal, D-Conn., and Mark Warner, D-Va., and U.S. Representatives Suzan DelBene, D-WA, Jan Schakowsky, D-IL, and Anna Eshoo, D-CA. It calls for strong, enforceable privacy and data security rights for health information collected during the pandemic.

Sen. Blumenthal said that technologies such as contact tracing, home testing and online appointment scheduling are absolutely vital to stopping the spread of the disease, but that Americans are rightly cautious about the security of their sensitive health information, and that legal protections for consumer privacy have not kept pace with technology, which is hurting the fight against COVID-19.

The Act would ensure that strict privacy protections are in place so that health information collected for public health purposes is used only for the public health purpose for which it was collected.

It limits the use of data collected for public health purposes to public health uses, prohibits its use for discriminatory, unrelated or intrusive purposes, and prevents government agencies outside public health from misusing it.

It also requires data security and data integrity protections for health information, limits collection to the minimum data necessary for the purpose for which it is collected, and requires technology companies to delete the data once the public health emergency is over.

The Act protects Americans' voting rights by prohibiting any health condition or use of a contact tracing app from being made a condition of voting. It would also give Americans control over public health efforts by ensuring transparency and requiring opt-in consent, and it requires regular reports on the impact of digital collection tools on civil rights.

The Act would not replace the requirements of the Privacy Act of 1974, HIPAA, or federal and state medical record retention and health data privacy laws.

Sen. Warner said that strong privacy protections for COVID-19 health data are becoming more important as vaccination continues and companies begin experimenting with things such as 'immunity passports' to gate access to facilities and services. Without appropriate health privacy laws, privacy violations and discriminatory uses of health data could become commonplace in healthcare and public health.

This is not the first time such legislation has been proposed: a similar bill was introduced in 2020 but did not gain the support of Congress.

Employees Terminated by Montefiore Medical Center and Bethesda Hospital for HIPAA Violations

Baptist Health's Bethesda Hospital in Boynton Beach, FL has terminated an employee for impermissibly accessing a patient's protected health information (PHI) and altering a home health order used to provide home care services to the patient.

The hospital discovered the HIPAA violation on December 1, 2020 and launched an internal investigation, which led to the employee's dismissal. The incident has been reported to law enforcement.

The investigation also found that the former employee had accessed other patients' records between June 1, 2019 and December 2, 2020. The data potentially accessed included names, dates of birth, addresses, health insurance information, Social Security numbers and clinical information.

All affected individuals have been notified and offered complimentary identity theft protection and credit monitoring services. Baptist Health is reviewing further ways to protect patients' PHI and prevent similar incidents in the future.

The incident has not yet been listed on the HHS' Office for Civil Rights breach portal, so the number of patients affected is not yet known.

Montefiore Medical Center Terminates Employee for Unauthorized Access to Medical Records

Montefiore Medical Center in New York has discovered that an employee accessed patients' PHI without authorization over a five-month period in 2020. On learning of the unauthorized access, Montefiore immediately revoked the employee's access to the electronic medical record system and launched an investigation to determine the extent of the HIPAA violation.

Following that investigation, the medical center terminated the employee and reported the breach to law enforcement for possible criminal prosecution. The information viewed varied from patient to patient and may have included first and last names, dates of birth, addresses, medical record numbers, the last four digits of Social Security numbers, and clinical information such as test results, consultation histories and diagnoses.

No motive for accessing the information has been given, and no evidence has been found that patient data was used for identity theft or fraud. Montefiore Medical Center has notified all affected patients and offered them complimentary identity theft protection services.

This is the second incident involving inappropriate access to medical records that Montefiore Medical Center has reported in the last five months. In September 2020 the medical center reported that a former employee had stolen the PHI of approximately 4,000 patients between January 2018 and July 2020.

HHS Provides $20 Million to Expand COVID-19 Vaccine Data Sharing

The U.S. Department of Health and Human Services has made $20 million available to improve data sharing between health information exchanges (HIEs) and immunization information systems.

The funding comes from the Coronavirus Aid, Relief, and Economic Security Act (CARES Act), signed by President Trump on March 27, 2020, and will support vaccination efforts to combat the COVID-19 pandemic.

The funds expand the Office of the National Coordinator for Health Information Technology (ONC)'s Strengthening the Technical Advancement and Readiness of Public Health Agencies via Health Information Exchange (STAR HIE) Program and will support communities in sharing health information about COVID-19 vaccinations.

Public health agencies will receive additional help tracking and identifying people who have not yet received their second dose of a COVID-19 vaccine, and the funding will help physicians identify and contact high-risk individuals who have not yet received their first dose.

The investment will be allocated nationwide and used to support communities that have been hit hard by COVID-19. HHS will also provide funding to the Association of State and Territorial Health Officials (ASTHO) and the Colorado Regional Health Information Organization (CORHIO) to strengthen HIE immunization partnerships.

The CARES Act funds will help clinicians access their patients' records in community immunization registries through the resources of their local HIEs. Through this collaborative effort, public health departments and clinicians will be better able to deliver immunizations to at-risk patients, understand adverse events, and track long-term health outcomes as more Americans are vaccinated.

The success of vaccination programs depends on correctly identifying patients and ensuring that they receive two doses of the appropriate vaccine, which means hospitals, pharmacists and public health authorities need access to patient information and vaccine data. Good data exchange and patient matching can also provide insights into vaccine effectiveness and support monitoring of long-term health outcomes. STAR HIE plans to publish statistics for assessing vaccination outcomes.

There are roughly 100 HIEs in the United States, reaching about 92% of Americans. There are 63 immunization information systems: one for each state, eight in territories and five in cities. They are funded in part by the Centers for Disease Control and Prevention's National Center for Immunization and Respiratory Diseases (NCIRD).

OCR Announces Enforcement Discretion for Use of Online or Web-Based Scheduling Applications for COVID-19 Vaccination Appointments

The Department of Health and Human Services' Office for Civil Rights has announced that it will exercise enforcement discretion and will not impose penalties on HIPAA-covered entities or business associates for violations of the HIPAA Rules arising from the good faith use of online or web-based scheduling applications (WBSAs) to schedule individual appointments for COVID-19 vaccinations.

The notice of enforcement discretion covers the use of WBSAs for the limited purpose of scheduling individual COVID-19 vaccination appointments. It is effective immediately, is retroactive to December 11, 2020, and will remain in effect for the duration of the COVID-19 nationwide public health emergency.

A WBSA is a non-public-facing online or web-based application that allows individual appointments to be scheduled in connection with large-scale COVID-19 vaccination. Its purpose is to let covered healthcare providers rapidly schedule large numbers of vaccination appointments.

A WBSA, and the information it creates, receives, maintains or transmits, must be accessible only to the intended parties, such as the healthcare provider or pharmacy administering the vaccinations, the individual scheduling the appointment, and WBSA workforce members who need access to the application and/or data in order to provide technical support.

The notice of enforcement discretion does not cover appointment scheduling technology that connects directly to electronic health record (EHR) systems.

A WBSA may not satisfy all requirements of the HIPAA Rules and would therefore not normally be permitted for use with electronic protected health information (ePHI). The vendor of a WBSA may also be unaware that its application is being used by healthcare providers in connection with ePHI, which would make the vendor a business associate under HIPAA.

While the notice of enforcement discretion is in effect, OCR will not impose penalties on HIPAA-covered entities, their business associates, or WBSA vendors that meet the definition of a business associate under the HIPAA Rules for good faith use of WBSAs to schedule COVID-19 vaccination appointments.

Although penalties will not be imposed, OCR encourages the use of reasonable safeguards to protect individuals' privacy and the security of ePHI. That means the ePHI entered into the WBSA should be limited to the minimum necessary, encryption should be used where available, and all available privacy settings should be enabled, including configuring the calendar view to hide names or show only initials. If the vendor stores ePHI, storage should be temporary only and the ePHI should be deleted no later than 30 days after the scheduled appointment. The WBSA vendor should be instructed not to use or disclose ePHI in a manner inconsistent with the HIPAA Rules.

OCR recommends these reasonable safeguards, but failing to implement them will not, in itself, mean that a covered healthcare provider or its business associate did not act in good faith for the purposes of the notice.

Uses that are not in good faith, and therefore are not covered by the notice, include:

  • Using a WBSA whose vendor does not permit its use for managing healthcare services.
  • Using a WBSA to schedule appointments other than COVID-19 vaccinations.
  • Using a WBSA that lacks access controls to restrict access to ePHI to authorized persons.
  • Using a WBSA to screen individuals for COVID-19 before in-person healthcare appointments.
  • Using public-facing WBSAs.

OCR is using every available means to make the administration of COVID-19 vaccines as efficient and safe as possible for everyone.

Vulnerabilities Discovered in Innokas Yhtymä Oy Vital Signs Monitors

Two medium-severity vulnerabilities have been identified in Innokas Yhtymä Oy vital signs monitors that could allow an attacker to modify communications between downstream devices and to disable certain functions of the monitors. The vulnerabilities affect VC150 patient monitors running software versions prior to 1.7.15.

Affected monitors contain a cross-site scripting (XSS) vulnerability that allows web script or HTML to be injected via the filename parameter of several administrative web interface endpoints. It is caused by improper neutralization of input during web page generation and is tracked as CVE-2020-27262 with a CVSS base score of 4.6 out of 10.

The second vulnerability, tracked as CVE-2020-27260, is caused by improper neutralization of special elements in output that is consumed by a downstream component. An attacker in physical proximity to the device with a connected barcode reader could inject HL7 v2.x segments into the HL7 v2.x messages the monitor generates, via several of the parameters the monitor expects to receive. It has a CVSS base score of 5.3 out of 10.
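The following is an added example, written for this page rather than taken from Innokas or from the advisory, that shows what an HL7 v2.x injection of the kind described above looks like and how the output is neutralized. HL7 v2.x is line-oriented: segments are separated by a carriage return and fields by `|`, and inside a field `^`, `~`, `&` and `\` are also structural. The standard defines escape sequences for those five characters, but a carriage return has no in-field representation and must be rejected. The monitor message layout, the patient IDs and the barcode payload below are constructed for the example; only the HL7 separator and escape rules come from the standard.

```python
"""Added example: HL7 v2.x segment injection from an unescaped barcode value.

Not Innokas code. The ORU^R01 message layout, the patient IDs and the
malicious barcode payload are constructed for illustration; the separator
characters and escape sequences are those defined by HL7 v2.x.
"""
from __future__ import annotations

SEGMENT_TERMINATOR = "\r"
FIELD_SEPARATOR = "|"

# HL7 v2.x escape sequences for the default encoding characters (MSH-2 = ^~\&).
# A single pass over the input avoids double-escaping the backslashes that the
# escape sequences themselves introduce.
_HL7_ESCAPES = {
    "\\": "\\E\\",  # escape character
    "|": "\\F\\",   # field separator
    "^": "\\S\\",   # component separator
    "~": "\\R\\",   # repetition separator
    "&": "\\T\\",   # subcomponent separator
}


def hl7_escape(value: str) -> str:
    """Neutralize a free-text value before placing it in an HL7 v2.x field.

    Control characters (including \\r and \\n) cannot be represented inside a
    field and would start a new segment at the receiver, so they are rejected
    rather than escaped.
    """
    for ch in value:
        if ord(ch) < 0x20 or ord(ch) == 0x7F:
            raise ValueError(f"control character {ch!r} not allowed in HL7 field")
    return "".join(_HL7_ESCAPES.get(ch, ch) for ch in value)


def build_oru_unsafe(patient_id: str, heart_rate: str) -> str:
    """Vulnerable pattern: barcode output concatenated straight into the message."""
    msh = "MSH|^~\\&|MONITOR|WARD1|EHR|HOSPITAL|20210219120000||ORU^R01|MSG0001|P|2.5"
    pid = f"PID|1||{patient_id}"
    obx = f"OBX|1|NM|8867-4^Heart rate^LN||{heart_rate}|/min|||||F"
    return SEGMENT_TERMINATOR.join((msh, pid, obx)) + SEGMENT_TERMINATOR


def build_oru_safe(patient_id: str, heart_rate: str) -> str:
    """Hardened pattern: every externally supplied value is escaped first."""
    msh = "MSH|^~\\&|MONITOR|WARD1|EHR|HOSPITAL|20210219120000||ORU^R01|MSG0001|P|2.5"
    pid = f"PID|1||{hl7_escape(patient_id)}"
    obx = f"OBX|1|NM|8867-4^Heart rate^LN||{hl7_escape(heart_rate)}|/min|||||F"
    return SEGMENT_TERMINATOR.join((msh, pid, obx)) + SEGMENT_TERMINATOR


def parse_segments(message: str) -> list[tuple[str, list[str]]]:
    """Minimal receiver-side parse: split into segments, then into fields.

    Returns [(segment_name, fields), ...], i.e. what a downstream EHR or
    gateway would act on.
    """
    parsed = []
    for raw in message.split(SEGMENT_TERMINATOR):
        if raw:
            fields = raw.split(FIELD_SEPARATOR)
            parsed.append((fields[0], fields))
    return parsed


def segment_names(message: str) -> list[str]:
    return [name for name, _ in parse_segments(message)]


# Constructed malicious barcode payload: a patient ID followed by a carriage
# return and a complete OBX segment carrying a fabricated lab result.
INJECTED_BARCODE = "PAT-1234\rOBX|2|NM|2160-0^Creatinine^LN||9.9|mg/dL|||||F"


if __name__ == "__main__":
    unsafe = build_oru_unsafe(INJECTED_BARCODE, "72")
    print("unsafe build, segments seen by receiver:", segment_names(unsafe))
    try:
        build_oru_safe(INJECTED_BARCODE, "72")
    except ValueError as exc:
        print("safe build rejected payload:", exc)
    # Values containing only in-field separators are escaped, not rejected.
    print("escaped:", hl7_escape("A|B^C"))
```

With the unsafe builder the receiver sees four segments (MSH, PID, OBX, OBX) and treats the attacker's creatinine result as if the monitor had reported it; with the safe builder the same barcode is rejected outright, and a value such as `12|34` arrives as a single field `12\F\34` instead of splitting PID into extra fields.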

The vulnerabilities were reported by Julian Suleder, Birk Kauer and Nils Emmerich of ERNW Research GmbH and Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH.

Innokas Yhtymä Oy has released a software update that fixes the vulnerabilities and recommends using only software version 1.7.15b or later. No exploitation of the vulnerabilities in the wild has been reported to date.

The following network best practices are also recommended:

  • Segment networks
  • Use VLANs
  • Isolate patient monitors
  • Implement physical restrictions to prevent unauthorized access to patient monitors
  • Clinical staff should report any attempts by unauthorized persons to log in to or tamper with patient monitors

New Capabilities to CC&C Platform Added With TigerConnect’s Acquisition of Critical Alert

TigerConnect is going to have a variety of new features added to its clinical communication and collaboration program after the purchase of Critical Alert, a healthcare middleware provider. This is the second big purchase by TigerConnect in Santa Monica, CA in 2020, after purchasing Call Scheduler last fall.

Critical Alert provides hospitals and health systems with a cloud-based and mobile business-quality middleware. Hospitals make use of the middleware solutions for management of nurse call, alarm and events, clinical workflow analysis and medical device interoperability. Besides the selection of middleware solutions, Critical Alert delivers conventional nurse call equipment to over 200 hospitals all over North America.

The purchase will lead to the incorporation of the suite of middleware products with the TigerConnect system and will include many new functionality and power a broad range of alert styles and alarm management improvements. The incorporation of the middleware is estimated to be finished in Q1 of 2021.

Critical Alert middleware seamlessly works with clinical systems to send alarms, activities, and values and offers virtualized nurse call which includes contextual patient information to enable nurses to choose with requests to prioritize. By means of centralized response to of nurse call notifications and the supervision of workflows and tasks, there is lesser noise and clinical disruptions and better responsiveness.

Real-time Location Systems (RTLS) integrations aid to enhance caregiver efficiency and simplify workflows and allow real-time monitoring of personnel location and time expended on assignments. These integrations offer information about resource planning, workflow efficiency, and continuing process development endeavours.

The integration of Critical Alert with TigerConnect will permit quick integrations with smart bed alerts for efficient fall deterrence and enhanced patient security. When the safe bed setting is jeopardized, alerts will be delivered instantly to mobile devices permitting nurses to easily respond.

By means of an incorporation with the TigerFlow care team collaboration solution, notifications will be wisely sent to the appropriate caregivers, controlling unwanted noise and enhancing performance. The context supplied with these notifications assists nurses to prioritize properly. Critical Alert additionally provides innovative analytics that give ideas regarding patient conduct and assist with the optimization of employee work load.

With the integration of Critical Alert middleware into the TigerConnect platform, it gives more value to clients and aids to relieve the stress on nurses especially at this time when nurse burnout is quite prevalent. The enhancements on efficiency and effectiveness will probably benefit hospitals, especially considering the present shortage on nurses.

The acquisition of Critical Alert is very strategic and it is a natural development of TigerConnect’s already-powerful collaboration system, according to TigerConnect CEO and co-founder Brad Brooks. Now, all the nurses that use TigerConnect, these new functionalites will send real-time, contextual data to their mobile units or desktop so they could work more intelligently, prioritize actions, and successfully coordinate care using just one platform every day for business messaging.

Critical Alert CEO John Elms is going to join the team of TigerConnect as Chief Product Officer/ Elms and will have a crucial role in combining the technologies of two companies and will direct future product developments. VP Wil Lukens of Critical Alert Sales will likewise join TigerConnect and will be the General Manager of Critical Alert’s traditional Nurse Call hardware section and will proceed with operations using the same standalone business unit name.

The timing of the merger is ideal, according to John Elms. Together, the combined company will be able to address some of the serious challenges nurses face, such as alarm fatigue, resource optimization, and action prioritization.

Breaches At Northwestern Memorial Hospital, Five Points Eye Care, and Apex Laboratory

Northwestern Memorial Hospital in Chicago has discovered that a former temporary employee may have viewed the medical records of certain patients without authorization while working at the hospital.

The hospital detected the unauthorized access on December 2, 2020. A review of access logs showed that the employee had accessed patient information without a work-related reason for doing so between October 27, 2020 and December 2, 2020. The data that may have been viewed was limited to patient names, addresses, and treatment details; the employee did not access financial data or Social Security numbers.

Northwestern Memorial Hospital reported that the records of 682 patients may have been viewed and said that the temporary employee no longer works at the hospital. It is not clear why the records were accessed. The hospital is notifying all affected patients by mail and has reported the incident to the appropriate authorities.
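The access-log review described above is the standard way insider snooping is found: each record view is checked against whether the user had a documented care relationship with that patient on that day. The following script is an added illustration of that check, not code from the hospital or the article. The audit-log lines and the care-assignment table are constructed sample data, and the log format (timestamp, user, patient ID, action) is an assumption; a real deployment would pull assignments from the EHR's encounter or ADT data and would also exempt properly documented "break-the-glass" emergency overrides.

```python
"""Flag EHR record accesses with no documented care relationship.

Added example with constructed data; the log format and the assignment table
are assumptions, not the format of any real EHR product.
"""
from datetime import date, datetime

# Constructed sample audit-log lines: <ISO timestamp> <user> <patient> <action>.
SAMPLE_AUDIT_LOG = """\
2020-10-26T09:12:00 nurse_a P1001 VIEW
2020-10-27T14:03:10 temp_b P1001 VIEW
2020-10-27T14:05:44 temp_b P2002 VIEW
2020-10-28T08:10:00 nurse_a P2002 VIEW
2020-11-15T22:41:09 temp_b P3003 VIEW
2020-12-02T11:00:00 temp_b P1001 VIEW
"""

# Hypothetical care-assignment table: (user, patient, first day, last day)
# during which the user was assigned to the patient's care.
CARE_ASSIGNMENTS = [
    ("nurse_a", "P1001", date(2020, 10, 20), date(2020, 10, 30)),
    ("nurse_a", "P2002", date(2020, 10, 28), date(2020, 11, 5)),
    ("temp_b", "P1001", date(2020, 10, 27), date(2020, 10, 27)),
]


def parse_log(text):
    """Parse whitespace-separated log lines into (datetime, user, patient, action)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, patient, action = line.split()
        events.append((datetime.fromisoformat(ts), user, patient, action))
    return events


def has_care_relationship(user, patient, when, assignments):
    """True if the user was assigned to the patient on the day of the access."""
    day = when.date()
    return any(
        u == user and p == patient and start <= day <= end
        for u, p, start, end in assignments
    )


def find_unjustified_access(events, assignments):
    """Return every access event that lacks a care relationship on that day."""
    return [
        ev for ev in events
        if not has_care_relationship(ev[1], ev[2], ev[0], assignments)
    ]


def summarize_by_user(flagged):
    """Per user: number of flagged views, distinct patients, first and last access.

    The first/last timestamps give the window that a breach notice must cover.
    """
    summary = {}
    for ts, user, patient, _action in flagged:
        s = summary.setdefault(
            user, {"count": 0, "patients": set(), "first": ts, "last": ts}
        )
        s["count"] += 1
        s["patients"].add(patient)
        s["first"] = min(s["first"], ts)
        s["last"] = max(s["last"], ts)
    return summary


if __name__ == "__main__":
    flagged = find_unjustified_access(parse_log(SAMPLE_AUDIT_LOG), CARE_ASSIGNMENTS)
    for user, s in summarize_by_user(flagged).items():
        print(f"{user}: {s['count']} unjustified views of "
              f"{len(s['patients'])} patients between {s['first']} and {s['last']}")
```

In the sample data, `temp_b` has one legitimate view (P1001 on the day of the assignment) and three views with no relationship, so the summary reports a window of October 27 to December 2, which is the span a notification letter would have to cover.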

Potential Breach of Patient Information at Athens Optometrist

Five Points Eye Care in Athens, GA has learned that an unauthorized individual gained access to its network and may have viewed or obtained patient data. The breach occurred on October 27, 2020 and was identified and remediated the same day.

The breach affected only the email system, which contained correspondence sent to the optometrist by other treating physicians. The information in those emails included names, birth dates, Social Security numbers, addresses, prescribed medications, and treatment plans. A forensic investigation established that the unauthorized individual did not access any other data.

Five Points Eye Care reported the breach to law enforcement, mailed notification letters to affected individuals, and offered them one year of free credit monitoring services.

Apex Laboratory Encountered a DoppelPaymer Ransomware Attack

In July 2020, Apex Laboratory, a home laboratory services provider in New York and South Florida, suffered a DoppelPaymer ransomware attack. The DoppelPaymer gang recently uploaded thousands of records to its data leak site. Much of the data contained the protected health information (PHI) of patients and sensitive employee information.

Databreaches.net reports that after it contacted Apex Laboratory about the data breach, the dumped data was removed from the DoppelPaymer leak site. Apex Laboratory posted a breach notice on its website on December 31, 2020 confirming that it experienced a ransomware attack on July 25, 2020 and that it restored the encrypted data on July 27, 2020.

It is presumed that the data uploaded to the leak site was exfiltrated during the July attack. Apex Laboratory stated that after being notified of the dumped files, it immediately took steps to have the attackers remove the files from the leak site. Removal from the leak site does not mean the attackers no longer hold the data, which is why notification is still required. The dumped records are believed to include patient names, dates of birth, and lab test results, and the phone numbers and Social Security numbers of some patients. The breach investigation is ongoing, and the provider will mail breach notification letters to affected individuals within a few days.

OCR Issued the 19th HIPAA Penalty of 2020

The Department of Health and Human Services’ Office for Civil Rights (OCR) has reached a settlement with Peter Wrobel, M.D., P.C., also known as Elite Primary Care, over a HIPAA Right of Access compliance violation.

Elite Primary Care provides primary care services in Georgia. OCR opened a compliance investigation after receiving a complaint from a patient on April 22, 2019 alleging that he had been denied access to his medical records. On May 2, 2019, OCR contacted the practice and provided technical assistance on the HIPAA Right of Access, instructing the practice to review the specifics of the request and provide the requested records if the request satisfied the HIPAA Privacy Rule requirements.

The patient subsequently sent the practice a written request for access on June 5, 2019. On October 9, 2019, the patient submitted a second complaint to OCR because the practice had still not provided the requested medical records.

On November 21, 2019, Elite Primary Care sent the patient's health information to his new healthcare provider, and on May 8, 2020 it provided the patient with his own copy of the records.

Because of the delay in providing the requested records to the patient, OCR determined that the practice had violated the HIPAA Right of Access (45 C.F.R. § 164.524).

Under the terms of the settlement, Elite Primary Care will pay a $36,000 financial penalty and adopt a corrective action plan that includes developing, implementing, maintaining, and updating, as required, its written policies and procedures relating to the Right of Access standard of the HIPAA Privacy Rule. Once OCR has reviewed those policies and procedures, relevant members of the workforce will be trained on them.

The practice agreed to the settlement without admitting liability. OCR will monitor Elite Primary Care for two years to ensure compliance.

This is OCR’s 13th settlement announcement under the HIPAA Right of Access enforcement initiative and the 19th HIPAA financial penalty issued in 2020.

OCR launched the Right of Access Initiative to address the many cases in which patients were denied timely access to their health records. Healthcare providers, large or small, must ensure that patients are given prompt access to their health records, and for a reasonable fee, according to OCR Director Roger Severino.

Atlantic.Net Back-Office Upgrade Significantly Enhances Performance and Overall Customer Service

Atlantic.Net, based in Orlando, FL, has announced major changes that will considerably improve performance, ensure more accurate billing, and help the company provide better overall customer support.

The HIPAA-compliant hosting provider has adopted the Ubersmith business management software suite. The back-office package allows more than 50 separate applications for subscriptions, customer support, billing, and device management to be consolidated into a single system. Business processes that previously took 7 to 14 days can now be completed in one day.

Streamlining internal processes ensures that customer support issues can be handled much more quickly. The new system has allowed Atlantic.Net to halve the time taken to resolve support issues and to improve billing of customers' overall usage by 55%. Employees now need training on only one system instead of many, which saves many hours and streamlines products and resources. Eliminating redundant systems and improving operational efficiency is expected to have a net positive effect on revenue growth.

Ubersmith's easily customized, integrated software can manage subscription billing, infrastructure management, order management, and ticketing. The modular software is highly flexible and can be extended and integrated with software used by other parts of the business through the Ubersmith-supplied API and software development kit.

Atlantic.Net uses the Ubersmith APIs to integrate with other systems used for payment processing, accounting, security certificates, domain registration, and more. Ubersmith is currently adding Salesforce integration so that Atlantic.Net can bring its sales, prospecting, and customer quoting activities into one system.

Full integration of the Ubersmith software will allow Atlantic.Net to achieve high levels of operational performance and employee productivity and to provide better customer support.

Atlantic.Net has done an outstanding job of using the capabilities of Ubersmith's business management, operations, and infrastructure software. Ubersmith said it is pleased to be part of Atlantic.Net's growth and expansion in cloud services and hosting.

Breaches at Tufts Health Plans, Tennessee Proton Radiation Therapy Centers, Liv-On Family Care Center and Presbyterian Health Plan

A phishing attack on EyeMed, a vision benefits management company, led to the exposure of the protected health information (PHI) of 60,545 Tufts Health Plan members.

EyeMed discovered the phishing attack on July 1, 2020; the attack itself occurred in June 2020. On the day the breach was discovered, the company terminated access to the compromised account. EyeMed notified Tufts Health Plan of the breach in September 2020.

The compromised email account contained the following types of protected health information: names, birth dates, email addresses, physical addresses, phone numbers, birth or marriage certificates, government ID or driver's license numbers, vision insurance account/identification numbers, Medicaid or Medicare numbers, and health insurance account numbers. For some individuals, medical diagnoses and conditions, partial or full Social Security numbers, financial information, treatment details, and/or passport numbers were also compromised.

EyeMed has offered affected individuals a complimentary two-year membership to credit monitoring and identity protection services.

Security Incident Affects Tennessee Proton Radiation Therapy Centers

Two proton radiation therapy centers in Tennessee, MTPC, LLC in Nashville and Proton Therapy Center, LLC in Knoxville, experienced a security incident in the early morning of October 28, 2020.

The attack caused ongoing disruption to a number of clinical and financial processes; nevertheless, the centers continued to deliver safe and effective patient care. Remediation is underway, and the centers have switched to their established backup procedures, such as offline record keeping.

So far, no evidence has been found that patient or employee data was accessed, copied, or misused.

Liv-On Family Care Center Patients Notified of PHI Theft

Liv-On Family Care Center in St. Paul, MN is notifying 1,580 patients that computer equipment containing their PHI was stolen during a burglary on October 25, 2020.

The burglars stole computers, laptops, and tablets containing information such as patients' names, dates of birth, addresses, health records, Social Security numbers, and other data. The devices were password-protected but not encrypted, so the PHI may be accessible: a login password does not protect data at rest, since a thief can read an unencrypted disk by removing it or booting from other media, and unencrypted devices do not qualify for the HIPAA encryption safe harbor. The center reported the break-in to the police, but none of the stolen devices have been recovered.

More Than 3,500 Presbyterian Health Plan Members Affected By Mailing Error

Presbyterian Health Plan, based in Albuquerque, NM, is notifying 3,557 plan members of a mailing error that caused letters to be sent to other plan members. On October 1, 2020, letters were mailed to members about recommended health screenings for managing their care, along with contact details for care coordination. Some of those letters were delivered to the addresses of other members. The mailing did not contain Social Security numbers, financial or credit card data, or any information from medical systems or other health data.

Xavier Becerra Appointed as New Secretary of the Department of Health and Human Services

President-elect Joe Biden has chosen California Attorney General Xavier Becerra to be Secretary of the Department of Health and Human Services. The transition team has yet to formally announce the nomination.

Biden is committed to building the most diverse administration ever, and although some progress has been made, he has been criticized over the number of Latinos appointed so far. If the Senate confirms Becerra, he will be the Department of Health and Human Services' first Latino Secretary. The Congressional Hispanic Caucus has praised the selection of Becerra.

Becerra supports the Affordable Care Act and helped pass the legislation through Congress in 2009 and 2010. The former Los Angeles-area congressman also led the coalition of Democratic states that defended the Affordable Care Act against the Trump administration's efforts to overturn it. Becerra will be responsible for expanding the Affordable Care Act and will probably move quickly to reverse changes made by the Trump administration.

Becerra has partnered with the Louisiana Attorney General to improve the availability of the drug Remdesivir in that state, and with many Republican Attorneys General in legal action against opioid manufacturers. His record of working with Republicans helped secure him the nomination for HHS Secretary. Becerra will oversee the HHS response to the coronavirus pandemic, including the mass vaccination program due to begin across the United States in early 2021.

Biden has selected Dr. Rochelle Walensky to head the Centers for Disease Control and Prevention. Walensky is an infectious disease expert at Massachusetts General Hospital with extensive experience in the fight against HIV/AIDS. Dr. Anthony Fauci, the current director of the National Institute of Allergy and Infectious Diseases and chief medical adviser on COVID-19, will continue in both roles.

Biden has chosen Jeff Zients, a former economic adviser to President Barack Obama, as White House coronavirus coordinator. Vivek Murthy, co-chair of the coronavirus task force, will return to the Surgeon General post he held during the Obama administration.

Biden has also named Yale School of Medicine professor Dr. Marcella Nunez-Smith to chair the COVID-19 Equity Task Force. Deputy campaign manager Natalie Quillian will serve as deputy coordinator of the COVID-19 Response. President-elect Biden is expected to announce the remaining members of his healthcare team in the coming days.

HHS Releases Final Rules Regarding Safe Harbors for Cybersecurity Donations

On November 20, 2020, the Department of Health and Human Services' Centers for Medicare and Medicaid Services (CMS) and Office of Inspector General (OIG) released final rules intended to improve the coordination of care and reduce regulatory barriers. Both final rules include safe harbor provisions that allow hospitals and healthcare delivery systems to donate cybersecurity technology to physician practices.

CMS issued the 627-page final version of Modernizing and Clarifying the Physician Self-Referral Regulations (the Stark Law rule), and the OIG finalized changes in the 1,049-page Safe Harbors Under the Anti-Kickback Statute and Civil Monetary Penalty Rules Regarding Beneficiary Inducements.

Physician practices often have limited resources, making it difficult for them to implement solutions to address cybersecurity threats. Without the necessary protections, unauthorized individuals can access, steal, delete, or encrypt sensitive healthcare data. Threat actors can also attack small physician practices and use them as a stepping stone into the larger healthcare systems they connect to.

When the regulations were first proposed, commenters stressed the value of a safe harbor that would enable non-abusive, beneficial arrangements between physicians and other healthcare organizations, such as donations of cybersecurity solutions to help protect the healthcare ecosystem. CMS first proposed the changes in October 2019 as part of its Regulatory Sprint to Coordinated Care.

The CMS final rule clarifies the Stark Law exception for donations of electronic health record (EHR) items and services to physicians, broadening the EHR exception to include cybersecurity software and services. A separate exception was also created specifically for cybersecurity donations, which extends to donations of cybersecurity hardware.

CMS explained that the finalized exceptions offer new flexibility for certain arrangements, such as donations of cybersecurity technology that protect the integrity of the healthcare ecosystem, regardless of whether the parties operate under a fee-for-service or value-based payment arrangement.

The changes acknowledge the risk of cyberattacks on the healthcare industry, create a safe harbor for cybersecurity technology and related services, including cybersecurity-related hardware, and will help ensure that cybersecurity software and hardware are available to healthcare organizations of all sizes.

The safe harbor covers, but is not limited to, software that protects endpoints and enables network access control, malware prevention software, business continuity software, data protection and encryption, and email traffic filtering. The exception also covers hardware that is necessary and used predominantly to implement, maintain, or re-establish cybersecurity, along with a wide range of cybersecurity services such as software updates and maintenance and cybersecurity training. The rule makes no distinction between on-premises and cloud-based cybersecurity solutions.

Under the cybersecurity exception, recipients are not required to contribute to the cost of the donated cybersecurity technology or services. The cost-sharing requirement for donations of EHR items and services under the EHR exception is retained.

HHS said that allowing entities to donate cybersecurity technology and related services to physicians will strengthen the entire healthcare ecosystem.

The final rules are scheduled to be published in the Federal Register on December 2, 2020 and are expected to take effect on January 19, 2021.

$65,000 Fine Issued for University of Cincinnati Medical Center Due to HIPAA Right of Access Failure

The HHS' Office for Civil Rights has issued its 18th HIPAA financial penalty of 2020, the 12th imposed under its HIPAA Right of Access enforcement initiative.

In 2019, OCR launched the initiative to ensure that individuals receive timely access to their health information, at a reasonable cost, as required by the HIPAA Privacy Rule. It was launched because healthcare organizations were generally not fully complying with this important Privacy Rule provision and some patients were struggling to obtain copies of their medical records.

The latest penalty, $65,000, was imposed on the University of Cincinnati Medical Center, LLC (UCMC). It stemmed from a complaint filed with OCR on May 30, 2019 by a patient who on February 22, 2019 had requested that an electronic copy of her health records be sent to her lawyer.

Under the HIPAA Right of Access, healthcare providers must provide copies of medical records, on request, no later than 30 days after receiving the request. 45 C.F.R. § 164.524 also allows an individual to direct that the requested records be sent to a third party of his or her choosing.

OCR received the complaint more than 13 weeks after the patient submitted her request. OCR intervened, and UCMC eventually provided the lawyer with the requested records on August 7, 2019, more than five months after the initial request.

After investigating the complaint, OCR determined that UCMC had failed to act on the patient's request for a copy of her medical records in a timely manner, and a financial penalty was deemed appropriate.

In addition to the financial penalty, UCMC must adopt a corrective action plan that includes developing, maintaining, and revising, as needed, written policies and procedures to ensure compliance with 45 C.F.R. Part 160 and Subparts A and E of Part 164 of the HIPAA Privacy Rule. OCR will review those policies, which must be implemented within 30 days of OCR's approval.

The policies must be distributed to all workforce members and relevant business associates, and must be reviewed and updated, as required, at least annually. Training materials must also be developed and submitted to OCR for approval, after which the workforce must be trained on the new policies.

UCMC must provide OCR with details of all business associates and/or vendors that receive, fulfill, bill for, or deny requests for copies of or access to records, together with copies of the business associate agreements, and must report all cases in which access requests have been denied. OCR will closely monitor UCMC for two years from the date of the resolution agreement to verify compliance.

OCR is committed to ensuring that patients can exercise their right to access their health data, including the right to direct electronic copies to a third party of their choosing. HIPAA covered entities should review their policies and training programs to make sure they understand and can meet all of their HIPAA obligations whenever a patient requests access to his or her data.

Private Practitioner Issued $15,000 Penalty over HIPAA Right of Access Failure

The U.S. Department of Health and Human Services' Office for Civil Rights (OCR) has issued its 11th financial penalty under its HIPAA Right of Access enforcement initiative, to Dr. Rajendra Bhayani. Dr. Bhayani, a private practitioner in Regal Park, NY specializing in otolaryngology, agreed to pay a $15,000 financial penalty to resolve the case and to implement a corrective action plan to address the areas of non-compliance identified by OCR during its investigation.

OCR investigated the doctor after receiving a complaint from a patient in September 2018 alleging that Dr. Bhayani had failed to provide her with a copy of her requested health records. The patient had requested her records from the otolaryngologist in July 2018 but had not received them two months later.

OCR contacted Dr. Bhayani, provided technical assistance on the HIPAA Right of Access, and closed the complaint. However, OCR received a second complaint from the same patient in July 2019, a year later, saying that she still had not received her records. OCR intervened again, and the patient finally received her medical records in September 2020, 26 months after her initial request. Under HIPAA, healthcare providers must provide requested health records within 30 days of receiving the request.

OCR determined that Dr. Bhayani's failure to produce the medical records violated the HIPAA Right of Access (45 C.F.R. § 164.524). He also failed to respond to OCR's letters of August 2, 2019 and October 22, 2019 requesting information. Failure to cooperate with an OCR complaint investigation is a violation of 45 C.F.R. § 160.310(b). OCR decided to impose a penalty for the violations, and Dr. Bhayani agreed to settle the case without admitting liability.

Physicians' offices, large or small, must provide patients with their requested health records promptly. OCR Director Roger Severino said OCR will continue to prioritize HIPAA Right of Access cases for enforcement until healthcare providers get the message.

Dr. Bhayani must also adopt a corrective action plan. Policies and procedures must be revised to ensure that individuals are given access to their PHI in accordance with 45 C.F.R. § 164.524, and must specify how a reasonable, cost-based fee for providing access is calculated. The policies must be submitted to OCR for review, and any changes requested by OCR must be implemented within 30 days. Dr. Bhayani must also provide privacy training to workforce members on access to protected health information (PHI); the training materials must likewise be submitted to OCR for review and approval.

Every three months, Dr. Bhayani must provide OCR with a list of all access requests, including the fees charged for fulfilling them and details of any requests that were denied. OCR must also be notified of any instances of workforce members failing to comply with the access policies.

OCR will monitor Dr. Bhayani for two years from the effective date of the resolution agreement to ensure continued compliance with the HIPAA Right of Access.

Data Security Incident at Lawrence General Hospital, Mary Rutan Hospital and Tri-State Specialists

Lawrence General Hospital in Massachusetts has reported a data security incident in which unauthorized individuals may have accessed some patient information. The breach was discovered on September 19, 2020, when it disrupted the hospital's IT systems. The investigation showed that an unauthorized individual had access to its systems from September 9, 2020 until September 19, 2020, when the network was secured.

The compromised systems contained patient names, insurance type, internal visit ID numbers, internal patient ID numbers, and, for a small number of patients, some clinical data. The Social Security numbers of five patients may also have been compromised.

Lawrence General Hospital sent notifications to affected individuals on November 5, 2020 and said it is strengthening its security systems as a result of the breach.

Limited PHI of Mary Rutan Hospital Patients Exposed Due to Spreadsheet Error

Mary Rutan Hospital in Bellefontaine, OH has discovered that a limited amount of patient data was exposed as a result of a spreadsheet error. The hospital's website contained a link to data on Diagnosis Related Groups (DRGs), a patient classification system used to standardize prospective payments to hospitals for inpatient stays.

The link led to a spreadsheet with several tabs, two of which contained limited patient data: patient names, birth dates, patient account numbers, dates of service, reason for visit, DRG codes, visit charges, insurance payment amounts, adjustments, and outstanding balances for 1,677 patients. The spreadsheet contained no high-risk data.

No evidence was found that unauthorized individuals viewed the data. The link was disabled on the same day the error was identified. Workbooks published for public download should be reduced to the intended tab only before release, since hidden or additional tabs travel with the file.

Tri-State Specialists Informs 17,500 Patients Regarding Email Error

Tri-State Specialists, a group of orthopedic surgery clinics in Iowa, Nebraska, and South Dakota, is notifying 17,050 patients of an incident in which their names and email addresses were impermissibly disclosed to a number of current and former patients.

Tri-State Specialists discovered on September 16, 2020 that an employee had sent an email to patients with a file attachment containing patients' names and email addresses. The file contained no other patient information. Patients were advised to be alert to spam emails that may result from the exposure of their email addresses.

In response to the incident, Tri-State Specialists has revised its policies and procedures for sending emails to prevent similar breaches in the future, and employees have received retraining emphasizing the importance of data privacy.