Tag Archives: HIPAA

HHS Proposes Changes to HIPAA Privacy Rule

As is often the case when the feds do something, there is probably at least one thing that is good in this notice of proposed rulemaking and probably others that are less good.

The HIPAA privacy rule is designed to protect the privacy of patient data, but other than stopping providers from selling your health information to the media, they already share it with most of the healthcare ecosystem anyway.

The only way to REDUCE (but not eliminate) the sharing of healthcare information is to pay cash and not make an insurance claim. Other than the rich, no one does this.

The Republican administration claims that this change will offer more flexibility for disclosures in cases such as opioid overdoses and Covid-19, but of course, these changes are not limited to that.

Among the changes they propose are:

  • Strengthening individuals’ rights to inspect their PHI in person, which includes allowing individuals to take notes or use other personal resources to view and capture images of their PHI.
  • Shortening covered entities’ required response time to no later than 15 calendar days (from the current 30 days) with the opportunity for an extension of no more than 15 calendar days (from the current 30-day extension).
  • Clarifying the form and format required for responding to individuals’ requests for their PHI.
  • Requiring covered entities to inform individuals that they retain their right to obtain or to direct copies of PHI to a third party when a summary of PHI is offered in lieu of a copy.
  • Reducing the identity-verification burden on individuals exercising their access rights.
  • Creating a pathway for individuals to direct the sharing of PHI in an EHR among covered health care providers and health plans by requiring covered healthcare providers and health plans to submit an individual’s access request to another healthcare provider and to receive in return the requested electronic copies of the individual’s PHI in an EHR.
  • Requiring covered healthcare providers and health plans to respond to certain records requests received from other covered healthcare providers and health plans when directed by individuals pursuant to the right of access.
  • Limiting the individual right of access to direct the transmission of PHI to a third party to electronic copies of PHI in an EHR – specifying when electronic PHI must be provided to the individual at no charge.
  • Amending the permissible fee structure for responding to requests to direct records to a third party, and requiring covered entities to post estimated fee schedules on their websites for access and for disclosures with an individual’s valid authorization, and, upon request, to provide individualized estimates of fees for an individual’s request for copies of PHI and itemized bills for completed requests.
  • The updated regs would also clarify the scope of permitted uses and disclosures for individual-level care coordination and case management, according to OCR – creating an exception to the “minimum necessary” standard. It would “relieve covered entities of the minimum necessary requirement for uses by, disclosures to, or requests by, a health plan or covered health care provider for care coordination and case management activities with respect to an individual, regardless of whether such activities constitute treatment or health care operations,” according to the proposed rule-making.

The goal, they say, is to allow your doctor to disclose your personal health information the the authorities (like social services) , community based organizations (whatever they are) and other similar third party providers without having to ask your permission.

Among other changes, OCR would replace the privacy standard that permits HIPAA-covered entities to make some uses and disclosures of PHI based on “professional judgment” with a standard permitting such uses or disclosures based on that entity’s “good faith belief that the use or disclosure is in the best interests of the individual,” according to the proposed rule.

But not to worry – you can sue your doctor, spend 5 years going through the court system and spend tens of thousands of dollars if you think your doctor didn’t have an (undefined term) “good faith belief”. How do you PROVE a lack of a belief in a doctor’s head?

There are probably some legitimate changes to be made to HIPAA. I am not sure that this is the list that I would propose. It seems like mostly it is designed to loosen restrictions on what the healthcare community can do with your digital health information without asking your permission or even telling you that they are doing it.

You can probably figure out what I think of these changes. Credit: Health Care IT News

Weekly Security News for the Week Ending March 20, 2020

Senate Kicks the Can Down The Road Again With FISA Renewal

Last week it looked like Congress was going to renew the parts of the Foreign Intelligence Surveillance Act that DID EXPIRE last weekend.  But Congress being Congress, they didn’t.  On Monday the Senate agreed to kick the can down the  road for 77  days.  Now the House has to agree.  In the meantime, I am not sure what the NSA is doing about those expired provisions and they only plan to kick the can down the road on two of the three expired provisions.  In fairness, Trump wants to reign in the Intelligence Community since he doesn’t trust them and never has.  This could work to the advantage of the privacy advocates.  Source: Reuters

Covid-19 Web Site President Said Google Would Bring Online Monday is Online But Not Like he Said

Google/Alphabet subsidiary Verily launched its Project Baseline Coronavirus website, but it is not national, it only covers two counties in the San Francisco Bay area.  It was supposed to allow people to make appointments to get tested, but the few slots that were available filled up instantly.  Only people living in those two counties are even allowed to use the site.

Google says that they are working on a nationwide INFORMATION ONLY site and it will be released sometime in the future.  Source: Bleeping Computer

Open Source Vulnerabilities Surge in 2019

Some people say that open source software is more secure.

Reality is a little different than that.

In 2019 DISCLOSED open source vulnerabilities surged from 4,000 to 6,000 last year.  The good news is that the open source community is good about fixing the vulnerabilities once they are found.  85% of the vulnerabilities  have a fix once they are responsibly disclosed.

Bottom line, make sure that you have an effective open source software patching program to keep your company safe. Source: Help Net Security

U.S. Census Figures Coronavirus Will Be Over in Two Weeks

The Census, that every 10 year event, was supposed to start this week.  But there is kind of an issue.  I think there is some kind of virus going around.  Part of how the Census works is that Census workers go around collecting information from people.  Given the current situation, (a) Census workers are probably not going to be willing to risk their health for a few bucks, (b) people that they visit are likely not going to let them in the door or (c) some other less than nice thing might happen.

So what did the geniuses at the Census  bureau decide to do?  They decided that they are going to send out Census workers in 13 days on April 1st. WHAT, EXACTLY, DO THEY EXPECT TO BE DIFFERENT IN 13 DAYS?

Ya gotta wonder about those folks in Washington.  Source: Reuters

OCR Lifts Penalties For Telehealth Use During Covid-19

Its all hands on deck.  HIPAA has a number of provisions that allow a healthcare provider to bypass certain HIPAA rules.  A pandemic is not one of those options.  Of course since the Feds make the rules, they can change them.  In light of the current situation, HHS says that they will not penalize Covered Entities for using telehealth providers who are not fully HIPAA compliant.  They are not saying using those providers is legal;  they are just saying, given the circumstances, they are not going to go after providers who do so.  This will allow providers to use apps like Facetime or Google Chat to diagnose patients instead making them come into the office and potentially infect dozens of other people.  It seems like a reasonable trade off.  Source: HealthIT Security

Colorado Healthcare Provider Fined $111,000 For HIPAA Violations

It seems that the US Department of Health and Human Services Office of Civil Rights is increasing enforcement actions against health care providers and their vendors (known as business associates).  While one might have suspected that enforcement actions would be down under this administration, in fact, the opposite is true and fines are up.

In this case, the Pagosa Springs (Colorado) Medical Center paid $111,000 plus for failing to terminate the access of a former employee to a patient calendar program.

The calendar only contained information on 557 patients, so this is not a massive breach.

They also did not obtain a signed Business Associate Agreement from Google, who’s software they were using.

The former employee accessed (but didn’t appear to do anything evil with the data) the data twice, two months apart.

The medical center had to enter into a corrective action program that included a number of items including improved policies, training and other items.

OCR Director Roger Severino said that enforcement will increase under his watch.

Evidence of this is that this is the third enforcement action in the last month.

On December 4th, a Florida based physicians group paid a $500,000 fine for various HIPAA violations.

A week prior to that, OCR settled with a Hartford based practice for $125,000 for impermissible disclosure of protected health information.

Putting this all together, it would seem to lend some credence to OCR’s claim that enforcements are up.

In the first case, only 557 records were involved.  That translates to a fine of $200 per record disclosed.

In addition, to fine someone for not having a BAA with a company like Google indicates that they definitely want people to obey the process, without regard to there being significant risk (on the part of Google).  After all, Google probably has as good a security as the best medical practices.

The HIPAA compliance process is complex and even daunting, but failing to follow it can be expensive.

It also appears that the Office of Civil Rights has a very long memory as one of these fines was for something that happened 7 years ago, in 2011.

Our recommendation is to follow the process and document what you have done.  Though that can be painful, so is writing a check to the government for $100,000 or even $500,000.

Information for this post came from Health IT Security.

 

 

HIPAA Privacy Rules and High Tech Services

Health IT Security wrote an article beating up Amazon on it’s HIPAA compliance process.  The article was not favorable and also interesting.

The issue that they are talking about was a medic-alert style bracelet that someone bought on Amazon.  After this person bought it, the vendor put a picture of it, with the lady’s name, birth date and medical condition on it in an ad on Amazon.  The customer found out about it when her physician called her saying he had seen it.

When the buyer contacted Amazon, she was told they would investigate.  She later received an email from Amazon saying that they would not release the outcome of the investigation.

So the lady reached out to her local NBC TV affiliate.  It is amazing what a little bad PR can do.  The TV station contacted the Amazon vendor and they apologized and said they would fix the problem.  The TV station confirmed that the offending material was removed.

But this post is not about health jewelry.

It is to clear up a possible misunderstanding on the part of the average consumer.

While Amazon may yet get into trouble for not understanding and complying with HIPAA, this is not a HIPAA issue.

For consumers that use apps and other tech products there is an important lesson here.

Amazon does *NOT* have a HIPAA problem.

In fact, as of today, Amazon’s web site does not need to be HIPAA compliant because they are neither a covered entity nor a business associate under the terms of HIPAA.  Covered entities include organizations like doctors, hospitals and insurance companies.  Business associates are companies that handle HIPAA type information on behalf of one or more covered entity.

That means that they have no HIPAA requirement to protect your personal information.

They *MAY* have a requirement to protect it under state law in your state, but they also may not.  This depends on the particular law in your state.  In this case they may be in more trouble for publishing her birth date (which may be covered under her state’s privacy law) than her medical condition.

It does mean that they have no requirement to protect your healthcare information under Federal law because other than HIPAA, which does not apply here, there is no Federal law requiring anyone to protect your healthcare information that I am aware of.

This also includes Apple, Google and any app that is available on either the Apple or Android stores.  Apple and Google are likely covered entities because of the way their employee health insurance plans work, but that is completely separate from iphones, android phones and apps.

So, if one of those apps collects information from a hospital for you, for example, and makes it available to you, they can certainly use the diagnosis, for example, that you have diabetes to show you ads for diabetes medicine or supplies.

It is also possible (although I think this may be pretty dicey) that they could sell your healthcare data.  Depending on the state that you live in, healthcare data may not be protected AT ALL under the state’s privacy laws.  This is likely because legislators are usually lawyers and lawyers rarely understand tech and often don’t understand privacy and they think that your healthcare data is protected under HIPAA.  it is, but only under certain circumstances.  The net effect is that it MAY BE perfectly legal to sell your health care information.

If anyone thinks differently, please post a reply and I will publish it.

Information for this post came from Health IT Security.

 

Email Breach at Oxygen Equipment Maker Affects 30,000

Oxygen equipment maker Inogen announced that information on 30,000 customers was hacked as an attacker compromised the credentials of an employee.

In the grand scheme of breaches, this one barely registers.  Yes, HIPAA protected information was taken (and Health and Human Services may come after them in say 2021, but it is another example of totally preventable self inflicted wounds.

OK, now that I have sufficiently beaten them up, lets look at what they did wrong.

The company is publicly traded so they need to be SOX compliant.  They should have a Board advising them on issues like cybersecurity, but likely not.  Totally silent on the issue.

The breach went from January 2 to March 14 – certainly not the longest breach, but certainly not the shortest.  I know of an incident recently where a company received indicators of a breach at 6:30 AM one day and had contained and mitigated the breach before 9:00 AM the same day and they are looking to shorten that window.  What kind of monitoring and alerting did Inogen have?  Over two months for the hacker to do the dastardly deed?  Obviously, not good enough.

The stolen emails contained name, address, phone number, email address, date of birth, date of death, Medicare ID number, insurance information and type of equipment.  What is that doing in email?  That belongs inside a secure application or web portal.  Not only is this a HIPAA violation before the breach, it is a privacy breach after the event.  The company is based in California, so the Attorney General may be rattling their cage as well.

The worker’s credentials were compromised and then the attacker logged in. From another country.  Two factor authentication would have neutered the attack and, failing that, conditional access geo-fencing would have stopped the attacker cold.  Where was their CISO?  Do they even have one?

One thing they did right – they disclosed the breach in their latest SEC filings. In light of the SEC’s new cybersecurity transparency rules, that is probably a very smart move (to disclose).  One less party out to sue them.

In the SEC filing the company said they hired a forensics firm and made users change their passwords.  Definitely impressive (not).

They have also turned on two factor authentication.  A little late, but better late than never.

Oh, yeah, they have started training.  Nice.  Would have been nicer years ago.

One challenge is the founders are a few young kids who did not, until this, have many battle scars.

I am guessing they are getting those scars now.

Finally, they say in the SEC filing that they have insurance but it may not cover the costs.  Cyber insurance is good, but you better have enough and the right options.  Depending on what lawsuits happen and what regulators (such as Cali and HHS) go after them, this could cost them a couple of million or more.  Depending on what coverage they have, they could be writing all or part of that check themselves.

As a side note, Airway Oxygen, likely a competitor, told HHS last June that they had a breach affecting 500,000 customers.

Cardionet paid a fine to HHS last year of $2.5 million.  That is just the fine and doesn’t cover any other costs.  With a fine like that, Inogen’s total costs could be in the $3-$5 million range.  If they have a $1 million cyber policy, they will be writing a large check.

Other companies could learn from their lessons.  The learning part is free.  OR, they can wait until their story is in the news.  That can be a tad more expensive!

Information for this post came from Careers Info Security.

The Times They Are A Changin

In spite of all of the data breaches that we see on an almost daily basis, we have seen time and again that the courts have dismissed lawsuits for a variety of reasons.  In many cases, the reason is called lack of standing.

Under U.S. Federal law, standing is based on Article III of the U.S. Constitution.  Article III requires you have injury in fact to your own legal interests, in other words, you have suffered some sort of actual harm.  That only applies to lawsuits filed in Federal court.  This is one reason why credit card companies credit you for fraudulent charges,  No lost money, no harm, no ability to sue.

But judges have been loosening the definition of actual harm over the last few years in light of all of the breaches.

Now the Connecticut State Supreme Court has ruled that there is a DUTY of confidentiality between doctor and patient and patients may sue in cases of unauthorized disclosure of protected health information or PHI.

In this case, the plaintiff was pregnant and asked the doctor not to release information to the father of the child, whom the plaintiff was no longer in relationship with.

The practice received a subpoena and in response mailed a copy of the patient’s medical records to the court.

Only problem is, that wasn’t what the subpoena told the doctor to do.  All it said was that the custodian of the records had to appear before the attorney who requested the subpoena.

HIPAA, which governs the disclosure of medical records, says that records may be disclosed in the case of a subpoena, but only if the patient has received adequate notice or a qualified protective order has been issued.

The doctor did none of these things.

Other state courts are also wrestling with these issues.

So now, at least in Connecticut, patients have an expectation of privacy in their medical records and if doctors and hospitals don’t take that expectation seriously enough, patients do have the ability to sue.

It seems to be that the courts are chipping away at this standing conversation, understanding that people are actually being harmed, even if it is not in a measurable, financial way.

While the Connecticut Supreme Court ruling is not binding in any other states, that does not mean that judges won’t be looking at that ruling.

An important note here – this lawsuit is not based on a breach or a hack.  This was based on an inappropriate action of a staff member in the doctor’s office.  It seems unlikely that if the disclosure was due to a breach that the answer from the court would have been any different, but of course, we don not know.

Information for this post came from Health IT Security.